Analysis
max time kernel
97s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27-10-2024 18:59
Static task
static1
Behavioral task
behavioral1
Sample
Crypt.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Crypt.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
Crypt.exe
Resource
win11-20241007-en
General
Target
Crypt.exe
Size
6.9MB
MD5
d047cd9c503a1b062486d0425688fd16
SHA1
dee8b8024a66ffdf3502a9827fef45493f2644ed
SHA256
8b114ae5d486948a5f4078f2e724d55e0a56014320af07f0f9228e0e77ae6be0
SHA512
5c986ee4c367b8288a7e1ba18d6695b4e8afc40d88d9a4c257f301f38b405ec1d7771efabb189f583be979a02093d841ae510d5f002e3684ae7a8225d27bef28
SSDEEP
196608:hsXGMtKkuX5P62xscItG5gPxioJEhslCM19l+RDIk:hsXGMIkuX5XmcI45gPkgpz1eZIk
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7756158094:AAEpUpUPcNX1ZlZzM558SewExaq3m8CuOnA/sendPhot
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Gurcu family
Modifies WinLogon for persistence 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", 
\"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\SKB\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\"" Registry.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, 
\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\SKB\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\"" Registry.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft 
shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\SKB\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\"" Registry.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program 
Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", 
\"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", 
\"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Registry.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", 
\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\SKB\\csrss.exe\"" Registry.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", 
\"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe.exe\", 
\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\SKB\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe.exe\"" Registry.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\cmd.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Cursors\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\", 
\"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\BrowserSvc\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" RunShell.exe.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates that the parent process was compromised via an exploit or macro. Note that in the rows below the parent is wmiprvse.exe and every child is schtasks.exe, which is also the parent/child pattern produced when a process is launched through WMI rather than by exploiting the parent, so the task-creation commands should be read together with the WinLogon and Run-key persistence entries above.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4384 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3816 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5100 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1896 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1276 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1292 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1376 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4916 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1240 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3616 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3256 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3444 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1564 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4856 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2440 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4952 1404 
schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3664 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1828 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4764 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4232 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 752 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4656 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4344 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3388 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4360 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4752 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2408 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1880 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4872 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1752 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 264 1404 schtasks.exe 90 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3616 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3292 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4812 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4548 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4860 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3932 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4952 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3840 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3964 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3468 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3620 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1760 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4940 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1828 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4232 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4752 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4596 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe 
is not expected to spawn this process 2788 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3652 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3596 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3708 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1200 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3664 1404 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3292 1404 schtasks.exe 90 -
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 1240 powershell.exe 1424 powershell.exe 1836 powershell.exe 4832 powershell.exe 4024 powershell.exe 4720 powershell.exe 4416 powershell.exe 2532 powershell.exe 4060 powershell.exe 4080 powershell.exe 1684 powershell.exe 2436 powershell.exe 3444 powershell.exe 1424 powershell.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes so that the file is not shown in Explorer and similar tools.
pid Process 208 attrib.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandbox or virtualised environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion reg.exe -
Checks computer location settings 2 TTPs 11 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation WinSFX.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Checker.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation msAgentreviewCommon.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation RunShell.exe.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation RunShell.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation RunShell.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Registry.exe.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe javaw.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe javaw.exe -
Executes dropped EXE 14 IoCs
pid Process 1564 WinSFX.exe 4488 Checker.exe 1200 RunShell.exe 1996 msAgentreviewCommon.exe 312 RunShell.exe 2528 RunShell.exe.exe 1376 dllhost.exe 4916 Registry.exe 4320 MoUsoCoreWorker.exe 4764 Registry.exe.exe 4116 sppsvc.exe 1484 sppsvc.exe.exe 3652 RuntimeBroker.exe 2872 Registry.exe.exe -
Loads dropped DLL 1 IoCs
pid Process 4836 javaw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Adds Run key to start application 2 TTPs 48 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\BrowserSvc\\sppsvc.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\BrowserSvc\\WmiPrvSE.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\BrowserSvc\\WmiPrvSE.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SKB\\csrss.exe\"" Registry.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\"" Registry.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Program Files 
(x86)\\Microsoft.NET\\RedistList\\MoUsoCoreWorker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\BrowserSvc\\MoUsoCoreWorker.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\"" Registry.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Media Player\\unsecapp.exe\"" Registry.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\microsoft shared\\csrss.exe\"" Registry.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program 
Files\\Windows Media Player\\cmd.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\BrowserSvc\\sppsvc.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Registry.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SKB\\csrss.exe\"" Registry.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Media Player\\unsecapp.exe\"" Registry.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Cursors\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\"" Registry.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\"" 
RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\SKB\\wininit.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\SKB\\wininit.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Media Player\\cmd.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\TrustedInstaller.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\BrowserSvc\\MoUsoCoreWorker.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Cursors\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Registry.exe.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry.exe = "\"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe.exe\"" Registry.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry.exe = "\"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe.exe\"" Registry.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Common Files\\System\\es-ES\\Registry.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe.exe\"" RunShell.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" RunShell.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: javaw.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 22 discord.com 23 discord.com 29 discord.com 37 raw.githubusercontent.com 38 raw.githubusercontent.com -
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 48 ipinfo.io 70 ipinfo.io 15 api.ipify.org 16 api.ipify.org 17 ip-api.com 47 ipinfo.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSCDAB0C82D6DC240E6AB3AD644A8240D6.TMP csc.exe File created \??\c:\Windows\System32\ip2t47.exe csc.exe -
Drops file in Program Files directory 32 IoCs
description ioc Process File created \??\c:\Program Files\Windows Media Player\cmd.exe csc.exe File created \??\c:\Program Files\Windows Portable Devices\WmiPrvSE.exe csc.exe File created C:\Program Files\Windows Media Player\unsecapp.exe Registry.exe.exe File created C:\Program Files\Common Files\microsoft shared\886983d96e3d3e RunShell.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\MoUsoCoreWorker.exe msAgentreviewCommon.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\1f93f77a7f4778 msAgentreviewCommon.exe File created C:\Program Files\Windows Portable Devices\WmiPrvSE.exe msAgentreviewCommon.exe File created C:\Program Files\Windows Portable Devices\24dbde2999530e msAgentreviewCommon.exe File created \??\c:\Program Files\Windows Portable Devices\CSC44A94A97D98E444ABF94F9A12D399F5.TMP csc.exe File created \??\c:\Program Files (x86)\Microsoft.NET\RedistList\CSCFF2D2584BA0C43D997DFDB4F97E812A7.TMP csc.exe File created C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe msAgentreviewCommon.exe File created C:\Program Files (x86)\Common Files\System\es-ES\ee2ad38f3d4382 msAgentreviewCommon.exe File opened for modification C:\Program Files\Common Files\microsoft shared\886983d96e3d3e Registry.exe.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\TrustedInstaller.exe msAgentreviewCommon.exe File created C:\Program Files (x86)\Common Files\System\es-ES\94d77bf28707a6 Registry.exe.exe File created C:\Program Files\Windows Media Player\cmd.exe RunShell.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe RunShell.exe.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\24dbde2999530e RunShell.exe.exe File created \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\TrustedInstaller.exe csc.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\04c1e7795967e4 msAgentreviewCommon.exe File created \??\c:\Program Files (x86)\Common 
Files\System\es-ES\Registry.exe csc.exe File created C:\Program Files\Windows Media Player\29c1c3cc0f7685 Registry.exe.exe File created \??\c:\Program Files (x86)\Microsoft.NET\RedistList\MoUsoCoreWorker.exe csc.exe File created C:\Program Files\Common Files\microsoft shared\csrss.exe RunShell.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\TrustedInstaller.exe msAgentreviewCommon.exe File created \??\c:\Program Files\Windows Media Player\CSC4A7A29637B5347CC92783939E3599644.TMP csc.exe File created \??\c:\Program Files\Common Files\microsoft shared\csrss.exe csc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\csrss.exe Registry.exe.exe File created C:\Program Files\Windows Media Player\ebf1f9fa8afd6d RunShell.exe File created \??\c:\Program Files\Common Files\microsoft shared\CSCB7B2881DED7748729985DE94F4FA31F6.TMP csc.exe File created \??\c:\Program Files (x86)\Common Files\System\es-ES\CSCB58EFA2575354E608FD769DC4B4FA965.TMP csc.exe File created \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\CSCE7A3034261164A17A05B38667F4C1211.TMP csc.exe -
Drops file in Windows directory 17 IoCs
description ioc Process File created C:\Windows\Speech_OneCore\Engines\SR\en-US-N\6ccacd8608530f RunShell.exe File created \??\c:\Windows\SKB\wininit.exe csc.exe File created \??\c:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe csc.exe File created \??\c:\Windows\Cursors\dllhost.exe csc.exe File created C:\Windows\SKB\csrss.exe Registry.exe.exe File created \??\c:\Windows\Speech_OneCore\Engines\SR\en-US-N\CSC21D2B88B8DAE4046A0C182F0213A10DD.TMP csc.exe File opened for modification C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe Registry.exe.exe File opened for modification C:\Windows\Speech_OneCore\Engines\SR\en-US-N\6ccacd8608530f Registry.exe.exe File created C:\Windows\SKB\886983d96e3d3e Registry.exe.exe File created C:\Windows\SKB\56085415360792 RunShell.exe File created \??\c:\Windows\SKB\CSC550AC95555DB481FA0234D7E7A9F1359.TMP csc.exe File created \??\c:\Windows\Cursors\CSC3210341C95A049039A94FE9F4B82FB0.TMP csc.exe File created C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe RunShell.exe File opened for modification C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe RunShell.exe File created C:\Windows\SKB\wininit.exe RunShell.exe File created C:\Windows\Cursors\dllhost.exe msAgentreviewCommon.exe File created C:\Windows\Cursors\5940a34987c991 msAgentreviewCommon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Crypt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinSFX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Checker.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1048 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe -
Modifies registry class 7 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings WinSFX.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings Checker.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings taskmgr.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings RunShell.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings msAgentreviewCommon.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings RunShell.exe.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings Registry.exe.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4944 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1048 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4812 schtasks.exe 3664 schtasks.exe 4384 schtasks.exe 3256 schtasks.exe 1880 schtasks.exe 4872 schtasks.exe 3620 schtasks.exe 2680 schtasks.exe 4596 schtasks.exe 3652 schtasks.exe 4916 schtasks.exe 1240 schtasks.exe 4856 schtasks.exe 4520 schtasks.exe 1760 schtasks.exe 4232 schtasks.exe 2716 schtasks.exe 3664 schtasks.exe 4656 schtasks.exe 3964 schtasks.exe 2920 schtasks.exe 1828 schtasks.exe 3932 schtasks.exe 2788 schtasks.exe 2272 schtasks.exe 1896 schtasks.exe 3444 schtasks.exe 2816 schtasks.exe 4752 schtasks.exe 4308 schtasks.exe 1292 schtasks.exe 3616 schtasks.exe 264 schtasks.exe 3292 schtasks.exe 2448 schtasks.exe 3528 schtasks.exe 1200 schtasks.exe 5100 schtasks.exe 2228 schtasks.exe 4492 schtasks.exe 3388 schtasks.exe 4952 schtasks.exe 3468 schtasks.exe 4952 schtasks.exe 1648 schtasks.exe 4764 schtasks.exe 4232 schtasks.exe 4860 schtasks.exe 1836 schtasks.exe 1276 schtasks.exe 4752 schtasks.exe 372 schtasks.exe 3180 schtasks.exe 2440 schtasks.exe 3616 schtasks.exe 2680 schtasks.exe 3596 schtasks.exe 3292 schtasks.exe 1828 schtasks.exe 3708 schtasks.exe 3816 schtasks.exe 1564 schtasks.exe 752 schtasks.exe 4360 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 4836 javaw.exe 3444 powershell.exe 3444 powershell.exe 3444 powershell.exe 2532 powershell.exe 2532 powershell.exe 2532 powershell.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe 1200 RunShell.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeBackupPrivilege 4836 javaw.exe Token: SeBackupPrivilege 4836 javaw.exe Token: SeSecurityPrivilege 4836 javaw.exe Token: SeDebugPrivilege 4836 javaw.exe Token: SeDebugPrivilege 3444 powershell.exe Token: SeDebugPrivilege 2532 powershell.exe Token: SeRestorePrivilege 4836 javaw.exe Token: SeDebugPrivilege 3664 taskmgr.exe Token: SeSystemProfilePrivilege 3664 taskmgr.exe Token: SeCreateGlobalPrivilege 3664 taskmgr.exe Token: SeDebugPrivilege 1200 RunShell.exe Token: SeDebugPrivilege 4060 powershell.exe Token: SeDebugPrivilege 1684 powershell.exe Token: SeDebugPrivilege 4024 powershell.exe Token: SeDebugPrivilege 1836 powershell.exe Token: SeDebugPrivilege 4832 powershell.exe Token: SeDebugPrivilege 1424 powershell.exe Token: 33 3664 taskmgr.exe Token: SeIncBasePriorityPrivilege 3664 taskmgr.exe Token: SeDebugPrivilege 1996 msAgentreviewCommon.exe Token: SeDebugPrivilege 64 taskmgr.exe Token: SeSystemProfilePrivilege 64 taskmgr.exe Token: SeCreateGlobalPrivilege 64 taskmgr.exe Token: SeDebugPrivilege 2528 RunShell.exe.exe Token: SeDebugPrivilege 1376 dllhost.exe Token: SeDebugPrivilege 1240 powershell.exe Token: SeDebugPrivilege 1424 powershell.exe Token: SeDebugPrivilege 4416 powershell.exe Token: SeDebugPrivilege 2436 powershell.exe Token: SeDebugPrivilege 4080 powershell.exe Token: SeDebugPrivilege 4720 powershell.exe Token: SeDebugPrivilege 4320 MoUsoCoreWorker.exe Token: SeDebugPrivilege 4764 Registry.exe.exe Token: SeDebugPrivilege 1484 sppsvc.exe.exe Token: SeDebugPrivilege 3652 RuntimeBroker.exe Token: SeDebugPrivilege 2872 Registry.exe.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 3664 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe 64 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4836 javaw.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1248 wrote to memory of 4836 1248 Crypt.exe 83 PID 1248 wrote to memory of 4836 1248 Crypt.exe 83 PID 4836 wrote to memory of 4944 4836 javaw.exe 88 PID 4836 wrote to memory of 4944 4836 javaw.exe 88 PID 4836 wrote to memory of 2532 4836 javaw.exe 95 PID 4836 wrote to memory of 2532 4836 javaw.exe 95 PID 4836 wrote to memory of 3444 4836 javaw.exe 96 PID 4836 wrote to memory of 3444 4836 javaw.exe 96 PID 4836 wrote to memory of 1564 4836 javaw.exe 100 PID 4836 wrote to memory of 1564 4836 javaw.exe 100 PID 4836 wrote to memory of 1564 4836 javaw.exe 100 PID 1564 wrote to memory of 3620 1564 WinSFX.exe 103 PID 1564 wrote to memory of 3620 1564 WinSFX.exe 103 PID 1564 wrote to memory of 3620 1564 WinSFX.exe 103 PID 1564 wrote to memory of 4488 1564 WinSFX.exe 104 PID 1564 wrote to memory of 4488 1564 WinSFX.exe 104 PID 1564 wrote to memory of 4488 1564 WinSFX.exe 104 PID 4836 wrote to memory of 3412 4836 javaw.exe 107 PID 4836 wrote to memory of 3412 4836 javaw.exe 107 PID 3412 wrote to memory of 208 3412 cmd.exe 109 PID 3412 wrote to memory of 208 3412 cmd.exe 109 PID 4488 wrote to memory of 3644 4488 Checker.exe 110 PID 4488 wrote to memory of 3644 4488 Checker.exe 110 PID 4488 wrote to memory of 3644 4488 Checker.exe 110 PID 3620 wrote to memory of 3652 3620 WScript.exe 115 PID 3620 wrote to memory of 3652 3620 WScript.exe 115 PID 3620 wrote to memory of 3652 3620 WScript.exe 115 PID 3652 wrote to memory of 1200 3652 cmd.exe 117 PID 3652 wrote to memory of 1200 3652 cmd.exe 117 PID 1200 wrote to memory of 3432 1200 RunShell.exe 121 PID 1200 wrote to memory of 3432 1200 RunShell.exe 121 PID 3432 wrote to memory of 5068 3432 csc.exe 123 PID 3432 wrote to memory of 5068 3432 csc.exe 123 PID 1200 wrote to memory of 4060 1200 RunShell.exe 139 PID 1200 wrote to memory of 4060 1200 RunShell.exe 139 PID 1200 wrote to memory of 1424 1200 RunShell.exe 140 PID 1200 wrote to memory of 1424 1200 RunShell.exe 140 PID 1200 wrote to 
memory of 1684 1200 RunShell.exe 141 PID 1200 wrote to memory of 1684 1200 RunShell.exe 141 PID 1200 wrote to memory of 1836 1200 RunShell.exe 142 PID 1200 wrote to memory of 1836 1200 RunShell.exe 142 PID 1200 wrote to memory of 4832 1200 RunShell.exe 146 PID 1200 wrote to memory of 4832 1200 RunShell.exe 146 PID 1200 wrote to memory of 4024 1200 RunShell.exe 148 PID 1200 wrote to memory of 4024 1200 RunShell.exe 148 PID 1200 wrote to memory of 4880 1200 RunShell.exe 151 PID 1200 wrote to memory of 4880 1200 RunShell.exe 151 PID 4880 wrote to memory of 1948 4880 cmd.exe 154 PID 4880 wrote to memory of 1948 4880 cmd.exe 154 PID 4880 wrote to memory of 1876 4880 cmd.exe 155 PID 4880 wrote to memory of 1876 4880 cmd.exe 155 PID 3644 wrote to memory of 4836 3644 WScript.exe 157 PID 3644 wrote to memory of 4836 3644 WScript.exe 157 PID 3644 wrote to memory of 4836 3644 WScript.exe 157 PID 4836 wrote to memory of 1996 4836 cmd.exe 159 PID 4836 wrote to memory of 1996 4836 cmd.exe 159 PID 1996 wrote to memory of 5056 1996 msAgentreviewCommon.exe 163 PID 1996 wrote to memory of 5056 1996 msAgentreviewCommon.exe 163 PID 5056 wrote to memory of 3640 5056 csc.exe 165 PID 5056 wrote to memory of 3640 5056 csc.exe 165 PID 1996 wrote to memory of 4444 1996 msAgentreviewCommon.exe 166 PID 1996 wrote to memory of 4444 1996 msAgentreviewCommon.exe 166 PID 4444 wrote to memory of 2004 4444 csc.exe 212 PID 4444 wrote to memory of 2004 4444 csc.exe 212 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 208 attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Crypt.exe"C:\Users\Admin\AppData\Local\Temp\Crypt.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Crypt.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion3⤵
- Checks BIOS information in registry
- Modifies registry key
PID:4944
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pmrohu2v\pmrohu2v.cmdline"7⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB258.tmp" "c:\Windows\System32\CSCDAB0C82D6DC240E6AB3AD644A8240D6.TMP"8⤵PID:5068
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4060
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\wininit.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1424
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\cmd.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1684
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1836
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4832
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4024
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gbxtWhUzb5.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:1948
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1876
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
PID:312 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2528 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pzo0mgpm\pzo0mgpm.cmdline"10⤵
- Drops file in Windows directory
PID:2548 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA33.tmp" "c:\Windows\Cursors\CSC3210341C95A049039A94FE9F4B82FB0.TMP"11⤵PID:1560
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qxsh5lef\qxsh5lef.cmdline"10⤵
- Drops file in Program Files directory
PID:4308 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAEF.tmp" "c:\Program Files\Windows Portable Devices\CSC44A94A97D98E444ABF94F9A12D399F5.TMP"11⤵PID:2908
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k510jryq\k510jryq.cmdline"10⤵
- Drops file in Program Files directory
PID:4492 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBBA.tmp" "c:\Program Files (x86)\Microsoft.NET\RedistList\CSCFF2D2584BA0C43D997DFDB4F97E812A7.TMP"11⤵PID:2004
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwidwm3e\nwidwm3e.cmdline"10⤵
- Drops file in Program Files directory
PID:2032 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC85.tmp" "c:\Program Files (x86)\Common Files\System\es-ES\CSCB58EFA2575354E608FD769DC4B4FA965.TMP"11⤵PID:3880
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xzk0bwlc\xzk0bwlc.cmdline"10⤵
- Drops file in Program Files directory
PID:4116 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD50.tmp" "c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\CSCE7A3034261164A17A05B38667F4C1211.TMP"11⤵PID:3096
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kndnibrv\kndnibrv.cmdline"10⤵PID:1896
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE2B.tmp" "c:\BrowserSvc\CSCC0FB615AD2D5448DAA47B309BE0D039.TMP"11⤵PID:5104
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe — "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\MoUsoCoreWorker.exe' 10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe — "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\sppsvc.exe' 10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4080 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵PID:4180
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe — "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe' 10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe — "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe' 10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe — "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\WmiPrvSE.exe' 10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4416 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵PID:3148
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe — "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe.exe' 10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2436
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\obIrg7Wrp7.bat"10⤵PID:2384
-
C:\Windows\system32\chcp.comchcp 6500111⤵PID:636
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1048
-
-
C:\BrowserSvc\sppsvc.exe"C:\BrowserSvc\sppsvc.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
PID:4116 -
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652
-
-
C:\BrowserSvc\sppsvc.exe.exe"C:\BrowserSvc\sppsvc.exe.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
-
-
-
C:\Windows\Cursors\dllhost.exe"C:\Windows\Cursors\dllhost.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BrowserSvc\9jir1hGrtyuZOLHcOuhj8HZKZgcsvyzwZ1xbryhIf2ZdpzOmWWf.vbe"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BrowserSvc\O41KRElzpOO.bat" "6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\BrowserSvc\msAgentreviewCommon.exe"C:\BrowserSvc/msAgentreviewCommon.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjyghyvu\wjyghyvu.cmdline"8⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB2F.tmp" "c:\Recovery\WindowsRE\CSC314167F962D047A2946CD2D9703C5FB5.TMP"9⤵PID:3640
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\byijjqcr\byijjqcr.cmdline"8⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC58.tmp" "c:\Windows\SKB\CSC550AC95555DB481FA0234D7E7A9F1359.TMP"9⤵PID:2004
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ornkey5\5ornkey5.cmdline"8⤵
- Drops file in Program Files directory
PID:404 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD43.tmp" "c:\Program Files\Windows Media Player\CSC4A7A29637B5347CC92783939E3599644.TMP"9⤵PID:3520
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fa1alyom\fa1alyom.cmdline"8⤵
- Drops file in Program Files directory
PID:4180 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE4C.tmp" "c:\Program Files\Common Files\microsoft shared\CSCB7B2881DED7748729985DE94F4FA31F6.TMP"9⤵PID:2924
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oapqslab\oapqslab.cmdline"8⤵
- Drops file in Windows directory
PID:3432 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF37.tmp" "c:\Windows\Speech_OneCore\Engines\SR\en-US-N\CSC21D2B88B8DAE4046A0C182F0213A10DD.TMP"9⤵PID:3148
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btodfhus\btodfhus.cmdline"8⤵PID:3952
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD011.tmp" "c:\Users\Admin\AppData\Roaming\Windows\Defender\CSC30F2FF52F54E480B87B16BA9BCC1432.TMP"9⤵PID:2548
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dTJaMsHUZm.bat"8⤵PID:512
-
C:\Windows\system32\chcp.comchcp 650019⤵PID:2888
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:3528
-
-
C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe"C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
PID:4916 -
C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe.exe"C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4764 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gsvaomkc\gsvaomkc.cmdline"11⤵PID:1944
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:1560
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB58.tmp" "c:\BrowserSvc\CSC813E5974C09F48148658FBB16C38C84A.TMP"12⤵PID:2140
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0zatt3xz\0zatt3xz.cmdline"11⤵PID:1876
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC23.tmp" "c:\BrowserSvc\CSC813494DA2181467F80BA788BCF3F6C4B.TMP"12⤵PID:2944
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x3tpzmhy\x3tpzmhy.cmdline"11⤵PID:4992
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCAF.tmp" "c:\BrowserSvc\CSCBACBDE4D2CB14410818085DAA8C64F3B.TMP"12⤵PID:1248
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ku1fsnz2\ku1fsnz2.cmdline"11⤵PID:3460
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD3C.tmp" "c:\Recovery\WindowsRE\CSC5B0469961AF34077B06028B42C613F0.TMP"12⤵PID:512
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ljwis5vy\ljwis5vy.cmdline"11⤵PID:4812
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDD8.tmp" "c:\Users\Admin\AppData\Roaming\Windows\Defender\CSCAB228C9225ED4223B1E844C3E27F316B.TMP"12⤵PID:4416
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gbxtWhUzb5.bat"11⤵PID:4856
-
C:\Windows\system32\chcp.comchcp 6500112⤵PID:2804
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:3412
-
-
C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe.exe"C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
-
-
-
C:\BrowserSvc\MoUsoCoreWorker.exe"C:\BrowserSvc\MoUsoCoreWorker.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320
-
-
-
-
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform3⤵
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\system32\attrib.exeattrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:208
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\SKB\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SKB\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:64
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
PID:4344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\TrustedInstaller.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 14 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\BrowserSvc\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommon" /sc ONLOGON /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\BrowserSvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 7 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\BrowserSvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\BrowserSvc\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:4548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BrowserSvc\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\BrowserSvc\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
PID:4940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\BrowserSvc\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell.exeR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell.exe" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell.exeR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SKB\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SKB\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry.exeR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry.exe" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry.exeR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\Registry.exe.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3528
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3096
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (2)
Modify Registry (3)
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads
-
Filesize
200B
MD58bb10502019ed38b3210cb6192c6a04b
SHA1125f17b9c2f4ffcccc1f19bcc9000c80bbc2dfe3
SHA2567ed5d362059760b6119ecf42b7a79bbbc6b8490c451bbffc6149632bd07877be
SHA512286d36ccf686d9c14612a949729bbde0881ff2993a854a1be8118a546fffcff515e48dd24639894a1d289a973939809874efdad1cf67391cf4f51deb85320637
-
Filesize
86B
MD5d6da62e1a07048cb1764846ff9e5991f
SHA116630a915028d374ef42fea0d1f34c8fae292e17
SHA256b34c0cb821817355a7cb807108bd0251e40c8492f76f24240047ee1df5dc9897
SHA512fcc21fac84eedb5229f1dfb79b4962b322e231dbbcf5c538d64c724dae8447f2c4f6dd55bb5faa5a854f90dd5ca24c3d332cf611af85104af8d33fb219bb5744
-
Filesize
1.9MB
MD5fe563f1526b6875781652660d9b2421a
SHA18ebcf5aa7bd3ce98ea7ea7825e23a27c4830b937
SHA256fb736b85b9d5efddda3a9c5997ec99582cf1167e64680a0dc469d59ab168fcf2
SHA51242ccb6127cfc2751dc82b89fab33c28db2cfc071d1adec6ddc2c77beef6ced390501bdae8dca4005d0f2377946d116e16cece8c0d7f0e56dd8119561ba01f1ed
-
Filesize
4KB
MD5b595bf36aceef87b56d9527e7c3bf4b7
SHA146c036566dc78e13bd4173aa5be0a50202c52036
SHA256ba9ec5caa3e71fef5ead71855524477a4cabf8354984b6e94e37b6116cbb75c9
SHA512369bcfbb9ad14e151fd7dcebec19bbf842c37681f3ec7abf41ae79157f1a02dbbad30ed5f1f07175cb61656ce8be576bd7c6ae0e457a4283a8e421445ecf4f43
-
Filesize
4KB
MD51a34054a06d529e14b13e2cd19a78bdc
SHA1fa1016c20d4be5419adaa135b7043efc0dfb2334
SHA2569a5e89c7aabbd7236601223cb31b3ccd3e41462f7b40bc04739bd9ccf22e4973
SHA512240d6a4a05feb4db4c6647f9097a0a778abaa0fb7acd764887ba2f3a41c20d0c5e6d639dd11f59c8fcec9992029d24c792d607e3a9ccaf9e23c7ec5d8b684293
-
Filesize
4KB
MD5965a19cff691e39d2ea9f7c39774ddf3
SHA186e9e6214ca5312d8f90bb6f5821dffae7ebd24f
SHA256c218c86fe2484e525ed0fe4514e1517964e95f8edc4d8705c9c1066405c49367
SHA512530787cae8ff6e2235b60f7cbc85eb1612a711dd22a24a78851e5359bd60811c71dae1e5a9c100db93f8ab38c11ac935eec5789ff157e92316bbea7fb21b61c2
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5499298c8da8c8b6e630c889b60905388
SHA1b3b519bebf9861bcdad6e2e6426c2e8a96fd8056
SHA2562e5392338aeb35e2d1ca8c95cde814389a76808da33de106e860c5659c6823ca
SHA5129da91784102b7fcd981d9cd84e787b4609d6c55f359df1bc8bf27759233a8be461552c370f13a21dd953c3f1254b15fe33b6ab89745cb36e7b382934487eb069
-
Filesize
944B
MD559e827c060ce8c91b96a4a788230d8c5
SHA1f866d8778359132dd42db3ce6d1e891cb3ce5bd0
SHA25649931b500f7231f99ed8ad7c7b183d32d9dd7c07f0f64b35594c4abd8399fc90
SHA51242fc6d7947bc424fdba2dd35d0c2af949fe48b055903be48af77420794cb076df976dfe287c2c1267be1329c5d146feb348ceb44ae09d8b94c74442f94f66f6c
-
Filesize
944B
MD5405185bc0ea52b588b936aee6b9bbe3f
SHA1485209c45e9f4ecfbb07096e5cacc1a359d577c6
SHA25635cf92b2f431bc23642c047e98da70737e01d924d7c69df6a6ecca82cb7ad40a
SHA512ac235e45fcf5e0b220c25e249366adf7b306fd3337d2eb1367a7168a6d45c0b434a3dc06f80c133e0119e65fc267bc274a9900ad86485b72c9126174ebd7d74e
-
Filesize
944B
MD5a1bdb6c69c2808932dce4a253127284b
SHA1097fa26afbbd1399caaaeb34244fa99c535924fe
SHA2568eaa32e6a0405e86d319a95187958e1bbfe43b05a0258d01019860cfb4ae38fb
SHA512e5b1d6af305984f53e422ca30d6304e1b0334b9eea62cbd953f5e699a06a84482a8fa0e72aace82bde6483db531c56ad681fd863fc9719a45437edee42cc7e42
-
Filesize
1KB
MD54b5a651fa60cc52eadd340acb1e28e14
SHA19852cae1561ee316b1c170b43361475019712d2f
SHA2561b151f91ce36ae28d6056fcd6a44b727683debfae2a236226492226bfc9f0e00
SHA5129409e2e93a508fc0edf715a8cdecf61d54f03dc46e75543cee9e434d7d7c80aa8d2827bb2c97d38267b55ff400d79db6859b7943a5ea0d921a685170ea4a4ae1
-
Filesize
1KB
MD5d1f3517cd2b3c0a019fd72a879536eb1
SHA1ac1e04a847df05a022eac2e361c79d2e8a9d5dc5
SHA256aaa59855ec15106f067cbb6116fadc2e3636eb1128b6bc2ed001a91cc6f2da64
SHA512966bcfb64dff298761816028fdfd79a705719881144a92c1a5daa288a6f08f9be5bc73588f43bffc8dceaacbec2c83f807aac32e7be59dc996711fc324a77a8e
-
Filesize
1KB
MD5c1d00361bfe8b0fbc7ce13c5da4ffb83
SHA1d0e2472a11c19fd19f59930541a640a72682aacb
SHA25663640e0b10c80bd9d5163a6b9e7699035c3d40b95df2e2a2867d21697a425412
SHA51248973c73f2608c81756e51263c2ecf89c491d6ce4ff5ed53039726157c7a59d187c69c58964726b87f86dd03f9b7f3cf2f430045accbd17184d4e9d70bb01337
-
Filesize
1KB
MD5eff3d011a59ff67e253522d5bc3f2cdb
SHA100d30676dbfe32e95782279dbc4de1793557368c
SHA256da3f518f1c895056e644fda123bedbdf4f9b3345dea80b423b5c1a3a6932b729
SHA512da99265424c919c873c5acaa9e6ffb611064da154fbda4cf0cd2ae140f12895b6d6504ff6236e44136ab0fbd963ae196a14feceedc2b6a9fda3c175fd98a819b
-
Filesize
1KB
MD54f6daa377b6f11eeca988131913a7e99
SHA1761da7a12b82379a5f916e511a91b1f038f62320
SHA256679784f75e9cf91186d4337dec2d22dd0bd28926351c68dd8452e44f2e95a712
SHA5124ba5cfc2f63ffa98d0babce3034ae1ef82bbb7fd5907ade58f8d9966ccb91242d5fd5092a70fb850d77cad600b3967c4fb288c25da5ec8c96cb003d3059541e6
-
Filesize
1KB
MD518e50aef430a5954201fb1ffbccb8017
SHA1f470d798965f3b5bcbaa3964bfac60cb77f506dd
SHA256387bcf1d19edeb701420c984f4d91912eeff3ed3c9d6cb1f7431b67a93f11ebb
SHA512adb0b91aa004b71a844f950c8c1259095c22d2c384371d87c4f510b81bdc2a008938205cfb99489f58a0a1a44cdfe33440da0f91d69553415ce8c99934691c6a
-
Filesize
1KB
MD55b3a006c60a6ede4304326e9d8965bf0
SHA14c959ad7194a5754552efac46e389ba984261bb0
SHA2563188332a159d5c12536efc24c1fbdf8bdcf74f4ffb1cb7cadf167f72f07b2825
SHA512c6d5d2286e30094030f789465c67cdb5ee735f54c194936996d09cca1e252792c563a1c6b50d8589bcff1cad80fb1317e1084b5e4357ea8e8b7f750797c010d2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
236B
MD55990df6e0929e3435ea5935edce97e98
SHA16389c26038418abe936f40dc029278401d35a0d3
SHA256b38b96077fe0a78b75943eb15817bc5fa6aa6fe56d48a8cd472cafa61a01e205
SHA5129f5bfd48505fad9ca78c9a7d1b1d802686efe4ea213d0ee9a6cfb085da0e1956f34ef6ea9497471f20afae84cb2120737c6a78183b2fdc29e6ec3204c141ea91
-
Filesize
248KB
MD5719d6ba1946c25aa61ce82f90d77ffd5
SHA194d2191378cac5719daecc826fc116816284c406
SHA25669c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
-
Filesize
2.3MB
MD5deb9f64ee23f25627884a143d411fb9c
SHA1448f5388c390ec401d0551e5da97c2b9e24cfbf0
SHA256613716c888bffcb5668886335c326e276511267d8f4040afa420ccf65de51d7e
SHA512d4472ec02c355d76afcbacc51967adced80b3e3bb2cff25d34193d5cd5277baf451ec9149cf836d1647f60cf2c9bce70fb41d79ca76ff1c4dd7773be62447346
-
Filesize
2.2MB
MD5cbf28a22d6c61a0937b1bf15b3d22a1a
SHA1c414807315dfd5c33d91c783d168f417c7ca80fc
SHA256dfa13a2024f7bbdeebaa243a5b9a60736860d61e5ad1abfda61502df8f2e4d04
SHA512cb2a6e72c4a70150c10f7e84057b520dba2253e3a62b36cead3c1057a8b320d69414b99a99b4b160755437134b871de4f72fd3ccc885dc17951b5223eecbd4e0
-
Filesize
4KB
MD5e3d7807c07d7ec001ab63e277a31eaf4
SHA1586fa270b0dd1714eb05973d8d0563ffe589ed36
SHA2565387bea8629639710dab0f119f57885f0a012f0212cfd8975783cb2d4a2f1c2b
SHA51277455fec399496a753451d01903ab781d1d8a691f704e6a46a66012a859933a1028f1fc9875f568312a15fd8b50d4c34c567cb0f1e54d5e848b02d93fe9e5c4d
-
Filesize
427KB
MD58d860de39a47014bb85432844205defc
SHA116b6485662cc4b57af26f1ee2fe5e5595156264d
SHA2566f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb
SHA512c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539
-
Filesize
249B
MD55299f191d092a082374029620d0184cd
SHA1154c0f2d892c0dde9914e1d2e114995ab5f1a8cb
SHA2569c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9
SHA512670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
Filesize 104B
MD5 b33c8997ecd39b1b7e8af929abd526c7
SHA1 e30e21ca9e74d508cfc35e9affd57a7fbc089a77
SHA256 71340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c
SHA512 394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc
-
Filesize
4KB
MD58031c835103497b33e6e275ae61d659b
SHA18fa2f631e790e599b19d95e3c722c64146c6db4c
SHA256849e518cce57c1517316791cf82c26a61bc619215663993295d1c3cbe3df9ba4
SHA5120a75bbd87ff1d3f3f6f024446996d457b4a35c1f682ee0a25cf0a1566da92716d17cc98b44ef3da56c1fc8194367e28770e7dcb7663ca61c7b778f88af30afc6
-
Filesize
4KB
MD5db563ae4c42e48632edbd1950efea5fc
SHA1f0aa1ce201a71e640fe34f6360428defac5f2d37
SHA256581920fc612e83ea5c803d63150651bb2a30c74ed443f772998c5464cd2df05e
SHA5127add7c7635389d64fcff91f1227083d8344b3e7015b24c10332b3bb56fbd6a225627f7f1e59d3bc274b17a0bf3ff8e1d98655626acb48d645c2a4be3eab82b2e
-
Filesize
4KB
MD5b7d5c568f22a99a9dbad7eaf83b6d8fc
SHA1c6c48427e3ed7cbe37f25dd92232b1edf4740914
SHA2564f6cd0c43ff1299a6876483e933bda86bda9c9f211f3c1204e147ac4a58e603a
SHA5123c8a59e2e9a0f33cee2487fc5e43a6a293f045140c1030d4d609197488c2b0aa50936158f25bdd0a15e937efe67933db5d0b0c682bfd1f73e725a4bd96d0db23
-
Filesize
1KB
MD52dde0a04b3cfc5bca956764d6cdcb81f
SHA109131c520d3d3ffdfc0e0d9b0d3bac0631610dd7
SHA2560a4c68c7293e89a8a3cbf968d3fa776410dd1aa531483b9f33774f95b243146a
SHA5127a0975ec6b525af8822c739cfaaeee51d1fd0b5b9cb08fd1836096f3b76370f9e9476ee4a3dba4a0c4177e892ba145b690668d2d2592c3b5c5c7d38daeb1c799
-
Filesize
1KB
MD5987ffb806ae972d4d819462882de79b5
SHA1f83a142a5257aeaf4e4b1a6890a4a3dc5bc742af
SHA256ccbc1d568bc16cfcacaf127122b7ffeacb1cf5c1237e0c5f3bc6921d9ab82496
SHA51269c6c8bd9b3ddc4196d1d92e7e224d51d814aeed0c674790480ab321e5564b398c8fae97154e2ae508928e51066bef58a6cdcbd2528de71953facaa360f10937
-
Filesize
1KB
MD5521714d2285e7a08176a625501a63dbd
SHA1bdbea9d1689eaec992ebb4d18da17ac11d23a5ba
SHA2562321cb3263522d960a807655a7be4d661407f2130d32d40d756876d0b28cfbcd
SHA512fd0c59e354652acc36bc7e72f570117c46e3fc0b6f80499f1f335418e6980c774e13917619319108c14c9fd06637d3dc97c47b292c3e2ba44a314dfbee430128
-
Filesize
377B
MD5b2bff2bbb561d9a80370b35d769f037f
SHA145d0a988a974a7da562ebef248d3f114ae596c80
SHA25621c4e866c50c3799dd117e15d9d3cb25f1b795e5587101128ebab007283241b8
SHA5125118ac07a78bbff7d0000fd3bf403c99e912a97981c6e9394de9c6a22493f7841112a69597e012f3fb99840f9b83c379268b854f6fe5f52a61c72f874e41c435
-
Filesize
250B
MD5b3ec3e6fcff8c1ca75b83092a8b8a958
SHA1499b334334c51a418086bac402573444b7610b84
SHA2563751a0a332a5a56aa5d77030392424bfaf0c055f2d38cd72252c6378b23567e2
SHA512408b725f20de582542301da52956545a4dc71522851ff48372f17f41cd5aff83e89073fd63e2174e3263f7ec8f700338f4a7b3ac02bbd433834898a94f114613
-
Filesize
392B
MD57e4fe14106b396db43bb51381e495182
SHA1417b8adcef59a87da055a66357d366a6ff093c2a
SHA256c2402ba45077b2b62114730860ab108f0960cbbfdedc701e997a5f86c7fea1f1
SHA512d72f788407ec994d7961a332931fa796e27f2ed60969959a4f9a41824f05d7aca877043f42bebfac8dc9e7eb55708f214f4cc616042935006cb4fe3d41796466
-
Filesize
265B
MD5cfc586cabbc28c7910feb0b659cbc59c
SHA1e125c8dae7d94bffe36b36703021ab373891fe47
SHA25696639e073ee0241e9684c900331f52c1cb3b613013336d1960164b8bec09a35f
SHA51292c6283cad8289592f68d18ca34055c0c18f8408685b79d46313410b89de20235a50571822485c8cc2489af1e5cdb71cbb83d93b5fc16a5297a7a28137599b1c
-
Filesize
358B
MD55349fa899d2e94c40c6a31c5c0e336e1
SHA1f8f9ded9ee8376756bd2112df537aa1720c2aa04
SHA256f349f05c2b4a386f26a430af3a20a0e6771d5b83c3c7ddc7e29327840bb5df1f
SHA51203ea42c7776fe7db6720b538a4e7c4f4a6bff78bd6331f935636e39e5d5bf8f19c63fa183ea270060bd58bb9d34583d80f0d0f8e0091084e9aeebcc968b16d8f
-
Filesize
231B
MD5754785b57fd1d8b496b76f90deff4ce3
SHA1b5c3365db94bb3cb24a675b0e3b461ad2a47a3ff
SHA2569521948dcde2b87c533181479950f719461ee21cf7fd8e6dd62d1b55a56a1309
SHA512adfafbfb05eb225f51a374c96e61f151fc34183d6db2cabbcf90e0ffc434c6aa91b5a08406d689883b4528fa203c08eb9ec501f5cc369be5cdd3b138ad59ea85
-
Filesize
388B
MD5784bc3c19dfb59ef45de3bdf0d904a6a
SHA14cb5a03f4651624426e7c06eadb5f869fcf8dc34
SHA256c35084d15479735040cc4c8df2de7dfc9b216afd547d0a7ec90fdf4a60ca076c
SHA51233874a1e75ebc237e140b6874eddd3674e8dc9b40fbb6ce4a89a093b697a97b4e5b8dfa1a49ffe8978658dd67bb7b5b7050cfe71bf8be50cd63ad26fd166f6ce
-
Filesize
261B
MD566cec322666085e456c845e29e6f0e6e
SHA1bd5f678f99d7d22a077d6dca890c8a99accc043c
SHA256cc56dbfa371f8b6f66cf792fb7aea7cb2d5f992327b82bce6cea3493789ffe7f
SHA51236f7239fd45135184515568a24de1315e73c57665031e0a805186b766568d6b5e83a21a5b39d0a0686cebcb00e6da17d02e86a22d4cc76eb1ffd6115c131100a
-
Filesize
385B
MD51813628518721a37c7059de4f252b54a
SHA178ac8537624a45e88501c815acef7fa73456cc56
SHA2561889c48ffae37be5b267aa7fed8d88ed108f285194375cb6ccdad1b604b80163
SHA512ffca10f1ade4075b814f37bcbe7ebb4c100b9938bd5e9a37180e8079b6d3b0f7e52c1d07bda5f42240780ec47f4ac04e756f24f351a3950b49afbfd2d35c6eaf
-
Filesize
258B
MD5825bc925c56921713d943193661af27e
SHA16eeb7070bb57a1048ba7ad1057cb40f7c266d921
SHA256897cf1b0f9611c07658a0253f8537f9c8bcb167cbf6e0cebe5b0d354cdb74545
SHA512413e93fabc8b1eaa23cf89d491e02fa7c33351c31e90db6f63e5e1ac656d9c5e68e79d5da3754617b3f722b2aff79164496e01d463cfa4842164c52d69f38af2
-
Filesize
369B
MD59dcfc558e7d3c2816cafaf7bdfa7267c
SHA1a710ee7b7c2e92d310e614d59b37c5353f59e1b2
SHA25606e2b18995859aadf59046858c003569735a6975f7085d1cf4d26a1ddc312c25
SHA512fdbf4f14d76374bc1dd0802acd45c08c7f5421a4997535f94e6de8c0d57b2301ff071e38d7b1af5aa71107c77a1e8e8865eb51d68c8df392378ed963e4af62b0
-
Filesize
235B
MD5c4ce0cae50e0ba59c28e30c18850b2cc
SHA17f2bcf2eb83b75ed4f2da8b9a9ab42499a0506d9
SHA256610a4f754d825914985fba3f5a299325143bf513dd1a022093fabba0bf19113c
SHA5128eaa15a06bd620ddf5a0b6a46f2ca06d9af7f02c5a2306f91f5ec3323dada72c0f60ca3b23afcdd17bf3014a636590f25929e0b43876bcc0abfa094534a4d247
-
Filesize
369B
MD52374b502c1b9ab754267105b6e33efb5
SHA129862e5d4436646e5cb9c45ae4df9c02c05e8147
SHA256177e63d96296b33b3aa052a27f32c0d29b09bd48105b00ec0d6f6275bbe87741
SHA51202a7357265f2f208ab496082a94a6544a0ed031f5ff960c0c2b1b208c9b7d5d17aae04259a51cdef58a43adaa037ae2dcb67ca93bcfe8816ab042916a7936f87
-
Filesize
242B
MD50f0856322447a941840802a161d1b784
SHA17e14d7f72af70efe9ef6330d0242d44575f2f9ea
SHA2561968e23854405ebdaae7cbe280697ee627ec2b77aefb99d9b221fbad3830dc9d
SHA5127b73d41f37c1572ac2b149d26d1cfa225db9b4d8929289b416b80e98e418306d169383dd474afc866587ef3cc2e13e62b90625b39d9df38167891cc0cb7255fe
-
Filesize
1KB
MD5819218476efff19538c5e47775890416
SHA144268f9a7b24e4477c5a6917ca26b1e9d4938bcd
SHA256adfdb51bd795924a67fd2310d33e40f21f7dde44168e85dd416784cb6b1f5cd2
SHA512fc1d1655478034e6c2ac8082e00397f1a3c6b527714fc1576b52bef7b2a9faa5ff1d89b1501d598bbeac943e899631007237071ddb73242438aa375ab74d3bcd
-
Filesize
1KB
MD598a623d6e4c56b306a3b42f1948114d0
SHA1a79220202bc1c0d79f1b7bc3256cadb601a29e1c
SHA25657cf957f0266a6fb92da87a0e2380cb1419e513f4e68f5cb63dc512308b107c1
SHA512af3980513eba3b7d3e76cdbf3e1aec543a7e142bfd610a09b2b0b26b479841ac916ba98e025e68e14da379a04f4f4e56b52f4d28ca7fe1235ae5d46336c9bfad
-
Filesize
1KB
MD5c4f2ef9fd36b6a1052f5786bfa6dce81
SHA1b29de5f454f7e07981bd8fe21bbe79e782c3fbbc
SHA256caac8c5ccbcefbacff668e563dd5a415529d1c026d8c9395eaaec6cbd60159e3
SHA5129fe6e9919a7e04e267d3d184e1c37cbc1c4c0a976442fd2dcb64b85d0838649bc022f06864ce1a916654aa606533e6d84f204888d8682f003264a4a6b6afaacf
-
Filesize
1KB
MD5034b083b6729ade0b138a24cbdd66c6d
SHA1299c5a9dd91498cfc4226a5fe6d52ea633c2d148
SHA2568e3aa7a68c0bfea6cae11fe40e79aa1483bc2e43c4c3fd11fcebca1f7bcea0d2
SHA51243f68ec3211f2d1eb3a095713b3988a5b45a6fb03136876431edd3b25b628f904079557cbb60d0107c0444551db274c8e6817d63a543e8a7e390206af64d1cc3