Analysis
-
max time kernel
70s -
max time network
75s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64 arch:x86 image:win10ltsc2021-20241023-en locale:en-us os:windows10-ltsc 2021-x64 system -
submitted
27-10-2024 18:59
Static task
static1
Behavioral task
behavioral1
Sample
Crypt.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Crypt.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
Crypt.exe
Resource
win11-20241007-en
General
-
Target
Crypt.exe
-
Size
6.9MB
-
MD5
d047cd9c503a1b062486d0425688fd16
-
SHA1
dee8b8024a66ffdf3502a9827fef45493f2644ed
-
SHA256
8b114ae5d486948a5f4078f2e724d55e0a56014320af07f0f9228e0e77ae6be0
-
SHA512
5c986ee4c367b8288a7e1ba18d6695b4e8afc40d88d9a4c257f301f38b405ec1d7771efabb189f583be979a02093d841ae510d5f002e3684ae7a8225d27bef28
-
SSDEEP
196608:hsXGMtKkuX5P62xscItG5gPxioJEhslCM19l+RDIk:hsXGMIkuX5XmcI45gPkgpz1eZIk
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7756158094:AAEpUpUPcNX1ZlZzM558SewExaq3m8CuOnA/sendPhot
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Gurcu family
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", 
\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\", \"C:\\Program Files\\Uninstall Information\\upfc.exe\", \"C:\\Windows\\Containers\\unsecapp.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\BrowserSvc\\csrss.exe.exe\"" csrss.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance 
Service\\logs\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\", \"C:\\Program Files\\Uninstall Information\\upfc.exe\"" csrss.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", 
\"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\", \"C:\\Program Files\\Uninstall Information\\upfc.exe\", \"C:\\Windows\\Containers\\unsecapp.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\"" csrss.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", 
\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\"" csrss.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\", \"C:\\Program Files\\Uninstall Information\\upfc.exe\", \"C:\\Windows\\Containers\\unsecapp.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\BrowserSvc\\dllhost.exe\"" csrss.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", 
\"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\RunShell.exe\", \"C:\\Users\\Public\\Libraries\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", 
\"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\", \"C:\\Program Files\\Uninstall Information\\upfc.exe\", \"C:\\Windows\\Containers\\unsecapp.exe\"" csrss.exe.exe -
Process spawned unexpected child process 54 IoCs
This typically indicates that the parent process was compromised via an exploit or a malicious macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2152 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1156 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3336 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3692 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1880 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1796 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4608 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3056 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 240 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4444 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3428 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1040 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1844 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4284 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4128 2072 
schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5088 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4648 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4816 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3380 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 388 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1704 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3888 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3568 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3164 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3388 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1788 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2316 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2076 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 548 2072 schtasks.exe 86 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4076 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2732 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4780 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1880 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 904 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1000 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4816 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1872 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3992 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5116 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 472 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1936 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3484 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4740 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2964 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1724 2072 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 236 2072 schtasks.exe 86 -
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 4944 powershell.exe 4616 powershell.exe 2936 powershell.exe 4076 powershell.exe 4348 powershell.exe 3784 powershell.exe 2648 powershell.exe 2444 powershell.exe 5056 powershell.exe 1020 powershell.exe 3600 powershell.exe 4160 powershell.exe 1600 powershell.exe 4924 powershell.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes so that the file is not shown in Explorer and similar file browsers.
pid Process 2836 attrib.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxed or virtualized analysis environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion reg.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation WinSFX.exe Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation Checker.exe Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation RunShell.exe Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation csrss.exe.exe Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation msAgentreviewCommon.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe javaw.exe -
Executes dropped EXE 7 IoCs
pid Process 4044 WinSFX.exe 860 Checker.exe 2432 RunShell.exe 2616 msAgentreviewCommon.exe 456 csrss.exe.exe 3768 msAgentreviewCommon.exe 3152 sihost.exe -
Loads dropped DLL 1 IoCs
pid Process 4864 javaw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 36 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\BrowserSvc\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Portable Devices\\wininit.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\BrowserSvc\\csrss.exe.exe\"" csrss.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\BrowserSvc\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\"" csrss.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Containers\\unsecapp.exe\"" csrss.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Windows Mail\\sihost.exe\"" csrss.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\BrowserSvc\\dllhost.exe\"" csrss.exe.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\BrowserSvc\\dllhost.exe\"" csrss.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\7-Zip\\Lang\\upfc.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Containers\\unsecapp.exe\"" csrss.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\explorer.exe\"" 
msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Windows Mail\\sihost.exe\"" csrss.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Sidebar\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Libraries\\sppsvc.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Portable Devices\\wininit.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\BrowserSvc\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\"" csrss.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Uninstall Information\\upfc.exe\"" csrss.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Uninstall Information\\upfc.exe\"" csrss.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\BrowserSvc\\csrss.exe.exe\"" csrss.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = 
"\"C:\\Users\\Public\\Libraries\\sppsvc.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\es-ES\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\BrowserSvc\\RunShell.exe\"" RunShell.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: javaw.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 12 discord.com 13 discord.com 16 discord.com 19 raw.githubusercontent.com 20 raw.githubusercontent.com -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 api.ipify.org 8 api.ipify.org 10 ip-api.com 23 ipinfo.io 24 ipinfo.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSC818ECAC0E9674922A8EE3130EB93E743.TMP csc.exe File created \??\c:\Windows\System32\efyliz.exe csc.exe -
Drops file in Program Files directory 26 IoCs
description ioc Process File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0 msAgentreviewCommon.exe File created C:\Program Files\Windows Mail\66fc9ff0ee96c2 csrss.exe.exe File created C:\Program Files\Uninstall Information\upfc.exe csrss.exe.exe File created C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe csrss.exe.exe File created \??\c:\Program Files (x86)\Mozilla Maintenance Service\logs\CSC169D1B416A0945A2B07D87BF10FEE94.TMP csc.exe File created \??\c:\Program Files\7-Zip\Lang\CSCF6F963EDEA904B06ADC6543D8E6DB0E5.TMP csc.exe File created C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\503474ccfa3ef7 RunShell.exe File created C:\Program Files\7-Zip\Lang\upfc.exe msAgentreviewCommon.exe File created C:\Program Files\Windows Mail\sihost.exe csrss.exe.exe File created C:\Program Files (x86)\Windows Multimedia Platform\24dbde2999530e csrss.exe.exe File created C:\Program Files\Windows Sidebar\9e8d7a4ca61bd9 RunShell.exe File created C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\RunShell.exe RunShell.exe File created C:\Program Files\Windows Portable Devices\wininit.exe msAgentreviewCommon.exe File created C:\Program Files\Windows Portable Devices\56085415360792 msAgentreviewCommon.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe msAgentreviewCommon.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe msAgentreviewCommon.exe File created \??\c:\Program Files\Windows Sidebar\RuntimeBroker.exe csc.exe File created C:\Program Files\Uninstall Information\ea1d8f6d871115 csrss.exe.exe File created \??\c:\Program Files (x86)\Mozilla Maintenance Service\logs\CSCAD21581396A44296B041FFFD103C5F68.TMP csc.exe File created \??\c:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe csc.exe File created C:\Program Files\Windows Sidebar\RuntimeBroker.exe RunShell.exe File created C:\Program 
Files\7-Zip\Lang\ea1d8f6d871115 msAgentreviewCommon.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991 msAgentreviewCommon.exe File created \??\c:\Program Files\Windows Sidebar\CSC78B64155219E4C4782296F921D13FB71.TMP csc.exe File created \??\c:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe csc.exe File created \??\c:\Program Files\7-Zip\Lang\upfc.exe csc.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\Performance\WinSAT\DataStore\explorer.exe msAgentreviewCommon.exe File created C:\Windows\Performance\WinSAT\DataStore\7a0fd90576e088 msAgentreviewCommon.exe File created C:\Windows\Containers\unsecapp.exe csrss.exe.exe File created C:\Windows\Containers\29c1c3cc0f7685 csrss.exe.exe File created \??\c:\Windows\Performance\WinSAT\DataStore\CSCD46752269BF74CDD8973DA2CAFD5872D.TMP csc.exe File created \??\c:\Windows\Performance\WinSAT\DataStore\explorer.exe csc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Checker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Crypt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinSFX.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems. Here the target is `localhost` (`ping -n 10 localhost`), which in this process tree behaves as a roughly ten-second delay before the next dropped binary is launched rather than as a genuine connectivity check.
pid Process 3344 PING.EXE -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings WinSFX.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings Checker.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings RunShell.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings csrss.exe.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings msAgentreviewCommon.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3356 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3344 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The tasks created here pair an ONLOGON trigger with MINUTE-interval triggers (every 5–14 minutes) at `/rl HIGHEST` for each dropped binary, so terminating the processes alone is not sufficient remediation; the tasks and the Winlogon Shell value must be removed as well.
pid Process 3568 schtasks.exe 4076 schtasks.exe 4284 schtasks.exe 4128 schtasks.exe 832 schtasks.exe 4844 schtasks.exe 3428 schtasks.exe 472 schtasks.exe 3164 schtasks.exe 1788 schtasks.exe 4780 schtasks.exe 1872 schtasks.exe 3336 schtasks.exe 3692 schtasks.exe 5088 schtasks.exe 1880 schtasks.exe 3380 schtasks.exe 1704 schtasks.exe 2152 schtasks.exe 1844 schtasks.exe 4816 schtasks.exe 548 schtasks.exe 1156 schtasks.exe 4444 schtasks.exe 4740 schtasks.exe 1040 schtasks.exe 3056 schtasks.exe 4648 schtasks.exe 3484 schtasks.exe 1724 schtasks.exe 1796 schtasks.exe 236 schtasks.exe 1984 schtasks.exe 3888 schtasks.exe 2076 schtasks.exe 1936 schtasks.exe 2688 schtasks.exe 2732 schtasks.exe 3972 schtasks.exe 2864 schtasks.exe 1000 schtasks.exe 3388 schtasks.exe 1880 schtasks.exe 904 schtasks.exe 2964 schtasks.exe 2572 schtasks.exe 240 schtasks.exe 3992 schtasks.exe 5116 schtasks.exe 4816 schtasks.exe 4608 schtasks.exe 1512 schtasks.exe 388 schtasks.exe 2316 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4864 javaw.exe 4616 powershell.exe 2936 powershell.exe 4616 powershell.exe 2936 powershell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe 2432 RunShell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 4864 javaw.exe Token: SeBackupPrivilege 4864 javaw.exe Token: SeSecurityPrivilege 4864 javaw.exe Token: SeDebugPrivilege 4864 javaw.exe Token: SeDebugPrivilege 4616 powershell.exe Token: SeDebugPrivilege 2936 powershell.exe Token: SeIncreaseQuotaPrivilege 2936 powershell.exe Token: SeSecurityPrivilege 2936 powershell.exe Token: SeTakeOwnershipPrivilege 2936 powershell.exe Token: SeLoadDriverPrivilege 2936 powershell.exe Token: SeSystemProfilePrivilege 2936 powershell.exe Token: SeSystemtimePrivilege 2936 powershell.exe Token: SeProfSingleProcessPrivilege 2936 powershell.exe Token: SeIncBasePriorityPrivilege 2936 powershell.exe Token: SeCreatePagefilePrivilege 2936 powershell.exe Token: SeBackupPrivilege 2936 powershell.exe Token: SeRestorePrivilege 2936 powershell.exe Token: SeShutdownPrivilege 2936 powershell.exe Token: SeDebugPrivilege 2936 powershell.exe Token: SeSystemEnvironmentPrivilege 2936 powershell.exe Token: SeRemoteShutdownPrivilege 2936 powershell.exe Token: SeUndockPrivilege 2936 powershell.exe Token: SeManageVolumePrivilege 2936 powershell.exe Token: 33 2936 powershell.exe Token: 34 2936 powershell.exe Token: 35 2936 powershell.exe Token: 36 2936 powershell.exe Token: SeIncreaseQuotaPrivilege 4616 powershell.exe Token: SeSecurityPrivilege 4616 powershell.exe Token: SeTakeOwnershipPrivilege 4616 powershell.exe Token: SeLoadDriverPrivilege 4616 powershell.exe Token: SeSystemProfilePrivilege 4616 powershell.exe Token: SeSystemtimePrivilege 4616 powershell.exe Token: SeProfSingleProcessPrivilege 4616 powershell.exe Token: SeIncBasePriorityPrivilege 4616 powershell.exe Token: SeCreatePagefilePrivilege 4616 powershell.exe Token: SeBackupPrivilege 4616 powershell.exe Token: SeRestorePrivilege 4616 powershell.exe Token: SeShutdownPrivilege 4616 powershell.exe Token: SeDebugPrivilege 4616 powershell.exe Token: SeSystemEnvironmentPrivilege 4616 powershell.exe Token: SeRemoteShutdownPrivilege 4616 powershell.exe 
Token: SeUndockPrivilege 4616 powershell.exe Token: SeManageVolumePrivilege 4616 powershell.exe Token: 33 4616 powershell.exe Token: 34 4616 powershell.exe Token: 35 4616 powershell.exe Token: 36 4616 powershell.exe Token: SeRestorePrivilege 4864 javaw.exe Token: SeDebugPrivilege 2432 RunShell.exe Token: SeDebugPrivilege 4076 powershell.exe Token: SeDebugPrivilege 4944 powershell.exe Token: SeDebugPrivilege 4348 powershell.exe Token: SeDebugPrivilege 5056 powershell.exe Token: SeDebugPrivilege 4160 powershell.exe Token: SeDebugPrivilege 3784 powershell.exe Token: SeIncreaseQuotaPrivilege 4944 powershell.exe Token: SeSecurityPrivilege 4944 powershell.exe Token: SeTakeOwnershipPrivilege 4944 powershell.exe Token: SeLoadDriverPrivilege 4944 powershell.exe Token: SeSystemProfilePrivilege 4944 powershell.exe Token: SeSystemtimePrivilege 4944 powershell.exe Token: SeProfSingleProcessPrivilege 4944 powershell.exe Token: SeIncBasePriorityPrivilege 4944 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4864 javaw.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2704 wrote to memory of 4864 2704 Crypt.exe 82 PID 2704 wrote to memory of 4864 2704 Crypt.exe 82 PID 4864 wrote to memory of 3356 4864 javaw.exe 84 PID 4864 wrote to memory of 3356 4864 javaw.exe 84 PID 4864 wrote to memory of 4616 4864 javaw.exe 87 PID 4864 wrote to memory of 4616 4864 javaw.exe 87 PID 4864 wrote to memory of 2936 4864 javaw.exe 88 PID 4864 wrote to memory of 2936 4864 javaw.exe 88 PID 4864 wrote to memory of 4044 4864 javaw.exe 92 PID 4864 wrote to memory of 4044 4864 javaw.exe 92 PID 4864 wrote to memory of 4044 4864 javaw.exe 92 PID 4044 wrote to memory of 4704 4044 WinSFX.exe 93 PID 4044 wrote to memory of 4704 4044 WinSFX.exe 93 PID 4044 wrote to memory of 4704 4044 WinSFX.exe 93 PID 4044 wrote to memory of 860 4044 WinSFX.exe 94 PID 4044 wrote to memory of 860 4044 WinSFX.exe 94 PID 4044 wrote to memory of 860 4044 WinSFX.exe 94 PID 4864 wrote to memory of 568 4864 javaw.exe 96 PID 4864 wrote to memory of 568 4864 javaw.exe 96 PID 568 wrote to memory of 2836 568 cmd.exe 98 PID 568 wrote to memory of 2836 568 cmd.exe 98 PID 860 wrote to memory of 4100 860 Checker.exe 99 PID 860 wrote to memory of 4100 860 Checker.exe 99 PID 860 wrote to memory of 4100 860 Checker.exe 99 PID 4704 wrote to memory of 2120 4704 WScript.exe 100 PID 4704 wrote to memory of 2120 4704 WScript.exe 100 PID 4704 wrote to memory of 2120 4704 WScript.exe 100 PID 2120 wrote to memory of 2432 2120 cmd.exe 102 PID 2120 wrote to memory of 2432 2120 cmd.exe 102 PID 2432 wrote to memory of 3712 2432 RunShell.exe 106 PID 2432 wrote to memory of 3712 2432 RunShell.exe 106 PID 3712 wrote to memory of 4020 3712 csc.exe 108 PID 3712 wrote to memory of 4020 3712 csc.exe 108 PID 2432 wrote to memory of 3784 2432 RunShell.exe 124 PID 2432 wrote to memory of 3784 2432 RunShell.exe 124 PID 2432 wrote to memory of 4944 2432 RunShell.exe 125 PID 2432 wrote to memory of 4944 2432 RunShell.exe 125 PID 2432 wrote to memory of 4160 2432 RunShell.exe 
126 PID 2432 wrote to memory of 4160 2432 RunShell.exe 126 PID 2432 wrote to memory of 4348 2432 RunShell.exe 127 PID 2432 wrote to memory of 4348 2432 RunShell.exe 127 PID 2432 wrote to memory of 4076 2432 RunShell.exe 128 PID 2432 wrote to memory of 4076 2432 RunShell.exe 128 PID 2432 wrote to memory of 5056 2432 RunShell.exe 129 PID 2432 wrote to memory of 5056 2432 RunShell.exe 129 PID 2432 wrote to memory of 1672 2432 RunShell.exe 136 PID 2432 wrote to memory of 1672 2432 RunShell.exe 136 PID 1672 wrote to memory of 4132 1672 cmd.exe 138 PID 1672 wrote to memory of 4132 1672 cmd.exe 138 PID 1672 wrote to memory of 988 1672 cmd.exe 139 PID 1672 wrote to memory of 988 1672 cmd.exe 139 PID 4100 wrote to memory of 3416 4100 WScript.exe 140 PID 4100 wrote to memory of 3416 4100 WScript.exe 140 PID 4100 wrote to memory of 3416 4100 WScript.exe 140 PID 3416 wrote to memory of 2616 3416 cmd.exe 142 PID 3416 wrote to memory of 2616 3416 cmd.exe 142 PID 2616 wrote to memory of 3420 2616 msAgentreviewCommon.exe 146 PID 2616 wrote to memory of 3420 2616 msAgentreviewCommon.exe 146 PID 3420 wrote to memory of 2392 3420 csc.exe 148 PID 3420 wrote to memory of 2392 3420 csc.exe 148 PID 2616 wrote to memory of 2268 2616 msAgentreviewCommon.exe 149 PID 2616 wrote to memory of 2268 2616 msAgentreviewCommon.exe 149 PID 2268 wrote to memory of 1612 2268 csc.exe 151 PID 2268 wrote to memory of 1612 2268 csc.exe 151 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2836 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Crypt.exe"C:\Users\Admin\AppData\Local\Temp\Crypt.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Crypt.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion3⤵
- Checks BIOS information in registry
- Modifies registry key
PID:3356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2s3cv4ko\2s3cv4ko.cmdline"7⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3EE.tmp" "c:\Windows\System32\CSC818ECAC0E9674922A8EE3130EB93E743.TMP"8⤵PID:4020
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\RunShell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\RunShell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZKbbXbE2GP.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:4132
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:988
-
-
C:\BrowserSvc\csrss.exe.exe"C:\BrowserSvc\csrss.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:456 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ls0eecgn\ls0eecgn.cmdline"9⤵
- Drops file in Program Files directory
PID:3468 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0CD.tmp" "c:\Program Files (x86)\Mozilla Maintenance Service\logs\CSCAD21581396A44296B041FFFD103C5F68.TMP"10⤵PID:1972
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ui0jiwxd\ui0jiwxd.cmdline"9⤵
- Drops file in Program Files directory
PID:3352 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD169.tmp" "c:\Program Files (x86)\Mozilla Maintenance Service\logs\CSC169D1B416A0945A2B07D87BF10FEE94.TMP"10⤵PID:4160
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtjxdwe3\qtjxdwe3.cmdline"9⤵
- Drops file in Windows directory
PID:2812 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD244.tmp" "c:\Windows\Performance\WinSAT\DataStore\CSCD46752269BF74CDD8973DA2CAFD5872D.TMP"10⤵PID:2496
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wmv0nvaz\wmv0nvaz.cmdline"9⤵
- Drops file in Program Files directory
PID:3784 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD31F.tmp" "c:\Program Files\7-Zip\Lang\CSCF6F963EDEA904B06ADC6543D8E6DB0E5.TMP"10⤵PID:3572
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'9⤵
- Command and Scripting Interpreter: PowerShell
PID:4924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\upfc.exe'9⤵
- Command and Scripting Interpreter: PowerShell
PID:2444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\unsecapp.exe'9⤵
- Command and Scripting Interpreter: PowerShell
PID:3600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\sihost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
PID:2648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\dllhost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
PID:1600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\csrss.exe.exe'9⤵
- Command and Scripting Interpreter: PowerShell
PID:1020
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\25XxjPubmd.bat"9⤵PID:2364
-
C:\Windows\system32\chcp.comchcp 6500110⤵PID:2248
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3344
-
-
C:\Program Files\Windows Mail\sihost.exe"C:\Program Files\Windows Mail\sihost.exe"10⤵
- Executes dropped EXE
PID:3152
C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BrowserSvc\9jir1hGrtyuZOLHcOuhj8HZKZgcsvyzwZ1xbryhIf2ZdpzOmWWf.vbe"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BrowserSvc\O41KRElzpOO.bat" "6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\BrowserSvc\msAgentreviewCommon.exe"C:\BrowserSvc/msAgentreviewCommon.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2bz0fka2\2bz0fka2.cmdline"8⤵
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC1A.tmp" "c:\Users\Admin\AppData\Roaming\Windows\Defender\CSCF09BEBF939504B6E8589ECB748E8D1D.TMP"9⤵PID:2392
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\un1sidsf\un1sidsf.cmdline"8⤵
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD14.tmp" "c:\BrowserSvc\CSC76E1D21A1D0C436AB82823A49E5CC29.TMP"9⤵PID:1612
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0d25ls4\w0d25ls4.cmdline"8⤵
- Drops file in Program Files directory
PID:1944 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDC0.tmp" "c:\Program Files\Windows Sidebar\CSC78B64155219E4C4782296F921D13FB71.TMP"9⤵PID:2648
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vje4vslr\vje4vslr.cmdline"8⤵PID:4316
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE6C.tmp" "c:\Users\Public\Libraries\CSC61FDEA9B4AC444B7B26390FFD17C8080.TMP"9⤵PID:1980
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTUgJb9cQC.bat"8⤵PID:3256
-
C:\Windows\system32\chcp.comchcp 650019⤵PID:2972
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:3532
-
-
C:\BrowserSvc\msAgentreviewCommon.exe"C:\BrowserSvc\msAgentreviewCommon.exe"9⤵
- Executes dropped EXE
PID:3768
C:\Windows\SYSTEM32\cmd.execmd.exe /c attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform3⤵
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\system32\attrib.exeattrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2836
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\RunShell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\BrowserSvc\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BrowserSvc\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\BrowserSvc\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 8 /tr "'C:\BrowserSvc\RunShell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\BrowserSvc\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msAgentreviewCommon" /sc ONLOGON /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 12 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Containers\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\BrowserSvc\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\BrowserSvc\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss.exec" /sc MINUTE /mo 13 /tr "'C:\BrowserSvc\csrss.exe.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss.exe" /sc ONLOGON /tr "'C:\BrowserSvc\csrss.exe.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss.exec" /sc MINUTE /mo 10 /tr "'C:\BrowserSvc\csrss.exe.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1
Downloads
-
Filesize
200B
MD58bb10502019ed38b3210cb6192c6a04b
SHA1125f17b9c2f4ffcccc1f19bcc9000c80bbc2dfe3
SHA2567ed5d362059760b6119ecf42b7a79bbbc6b8490c451bbffc6149632bd07877be
SHA512286d36ccf686d9c14612a949729bbde0881ff2993a854a1be8118a546fffcff515e48dd24639894a1d289a973939809874efdad1cf67391cf4f51deb85320637
-
Filesize
86B
MD5d6da62e1a07048cb1764846ff9e5991f
SHA116630a915028d374ef42fea0d1f34c8fae292e17
SHA256b34c0cb821817355a7cb807108bd0251e40c8492f76f24240047ee1df5dc9897
SHA512fcc21fac84eedb5229f1dfb79b4962b322e231dbbcf5c538d64c724dae8447f2c4f6dd55bb5faa5a854f90dd5ca24c3d332cf611af85104af8d33fb219bb5744
-
Filesize
1.9MB
MD5fe563f1526b6875781652660d9b2421a
SHA18ebcf5aa7bd3ce98ea7ea7825e23a27c4830b937
SHA256fb736b85b9d5efddda3a9c5997ec99582cf1167e64680a0dc469d59ab168fcf2
SHA51242ccb6127cfc2751dc82b89fab33c28db2cfc071d1adec6ddc2c77beef6ced390501bdae8dca4005d0f2377946d116e16cece8c0d7f0e56dd8119561ba01f1ed
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD560b3262c3163ee3d466199160b9ed07d
SHA1994ece4ea4e61de0be2fdd580f87e3415f9e1ff6
SHA256e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb
SHA512081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af
-
Filesize
1KB
MD50a7659689953440f3514b1d28c8f9f34
SHA1b1b55772861d570bd775de92ef4071e0860bd2a1
SHA25693a54f95d3b335652f4c7a7f06ed56a70ee7e3c5fae94ebe847f791355559a34
SHA512c4831d281fa90227f267b4a765175065c700c565f1dfa4dc5301e6e5fff55e3aab042347905baee7f4ccd2f25137b8fd7224b559aad940be8ed965b08c818260
-
Filesize
1KB
MD597a238abc377e658963315ce2b9d649e
SHA10085a1d17585837eb0dd08cb4d2b1fd682b52124
SHA256ced0963d38ae1c3129794bfe13ba146fef9b1762205f122f8cfa90b9d2808f0e
SHA51258e4625cf9b15ac71a0d810686f266c44bfdf0f2757bd1d0e27bd51296d3118b95f4bebe8c145f9512056e23d39116dfc180f6142dab785eda41307da19865cc
-
Filesize
1KB
MD5e9cbadd015e163088091b6594c44d175
SHA1fc470a95404bfcd390356021502d8693e83912b3
SHA256b035fa4df3aec70c234962fde9539498ead53511be4738e26f299e60a46aac00
SHA512c27362346399b334972f9700c9a8b4cc7551364eab179e5ce07a35ed97380008aada4106ac2596b669474c9f56967a23eab4a5488cfe5812257c1039384f254c
-
Filesize
1KB
MD5452e60ef28961bb887ae86b5ac76daca
SHA104be9209a5d0e211a421bd9dc760708f6d98bf77
SHA2567fdc29cae80b887d2c2820beb80f9eb69124e8109486ffe0d4608578c6732270
SHA51213943bd2bfa8552410ee2d5053f407f630aebe5b76d75b61b47e3ee0f87fca78bc0203cff48d5c57c4dc546129ee743edfaad0c58d607e1737695b0663f7238e
-
Filesize
168B
MD5e588b62ec4d9d7663dff1012ae8be627
SHA1399849dd98c5abd590532e0b3b29ef9880945560
SHA2561e42bdcb522b7846fdce0cc60a1da362c95dd37b154913c88055722e095a7dbe
SHA5125b7d0843a4d15e67ddce44de8eef49f19600039d55c4551f056b45bb482155f9396419c5ec648135039a80a18f6a93164e227a0fe9edd372079f76ebd5ea5883
-
Filesize
1KB
MD515b26793210192a1590d72f2ec5d3f58
SHA1a235ca32ef85730700cde5c9327d0a0b5e0affad
SHA256e310fa846ac068d4ce3a78f16651a668bff4002550bcfceec53368f7efdd7086
SHA512b73226be8e3e4ad957edea4580174b203524b8d5eef217a602a693dd4bc1678b7e3df2b664718f98d21a25503f5373ef1880d06aef502221051e97a1897504bd
-
Filesize
1KB
MD55392fdbabaa1c3919fb5510561e0c18a
SHA115aa32f66b5e690967a64ace894ab6d65875937a
SHA256102cdb173f3fd0ecf6387fbd8e72b2e0bcc295bcc2ba28fba6390cd95d307ffc
SHA512fc356f972134371267b665b019fa5d962e4575956099c575f0bd490fc7a908ef5a1ba4f7c122f568a0f7fa0e1287768c531b5d919cc3df395cc98b9658b69376
-
Filesize
1KB
MD50cd3a0a25a917df4790a4860b7e25655
SHA193dd7e559fac5ce1e55863168446c2262c10b377
SHA2567f4a12c403119be538d33b736a1d618a88140007f8ad40bfa3971fa7493ad1f1
SHA51282488cec814e8248e91ff75cdac07a2fa535048b74f2acef5dd19b67375c449939f0045c59a18819b5059397fd9868b390a082ecda7ceb924cd3ad14e26367e8
-
Filesize
1KB
MD56235cbe2cc34c43d067c07db3373cdc3
SHA1efa311526d23713493ab5c7017fecf29fbb5775a
SHA2567a1131cec932fa72d50f9b8bcdee5ff44b27540d313875dabbc885d1234d34e7
SHA5129434b058c2a8aaa7a8ca09c2c8abafb7cbd7b1c5c1f2613c5f4cbf51e1b812ca88c449e141c174a6c22229f6ad17aa1e829bcd062fdfb35bc7acaec9ae179773
-
Filesize
1KB
MD53d5baa3421491d3244e3ce889adcfdc8
SHA166d4fe56bf40a68d2429cd49699ecf04667ba3ce
SHA256cec6bd54a2e7c9e0f6205975e41c6bf22ef53872ed68c52465d6754121ce84f3
SHA51272c15dc5d4a8d2a55324545c1be11eaa56d3833085c55fe01e6412c127def7926584b296608c0596e86051605ea6628adf2d0ce27e735fb14cb77b5f28a7f495
-
Filesize
1KB
MD581bfec81e243c198294ff6f7b6cb19ce
SHA110f489290170a6b5e97140a7a6c3af4a091a8561
SHA25694bd42c3eecc8aaf3b4cd398729e4a690e70473bbe6c1d49c12d31b8cce0ace5
SHA512a0c944f43c5298b4310d47ba7db2879b5253a746902631b03b2274c052052982887d12f2ed231b2b1a4076fa767e5f423e73b14044cdb7fcb741b8f3bbdbf937
-
Filesize
1KB
MD5cd20ffb8d2ee4a1728cf422f0bbc8832
SHA1bf0140ded29f261e4bce312cea41de1484320198
SHA256b6380d568155524657dc2b7b2de9c4878b91c41b8059562349c10ebadf09e78a
SHA512afea9f2f5da67890edfa7602100eec99a7e62f0a89aa8b1dd77701ea484ee48ec952592cdbc4c979e78d817a6b8c21029d37c9047a6c415dfe6e7c4844713244
-
Filesize
1KB
MD5f150a8fae58943d7be8614f635b7d121
SHA1f113d5eb25b76cfa93bafc71629e60e808c00fa6
SHA25649bf91a6dbf5f520b3b2ef29a6ea94aa1f708921c8de37bb65593a938a176255
SHA51202a2f0a6776f0eb3f549cf63db921b63e56b9f6261bd46c4d4a2a49d9414a675067bf0429c44cc1d8b29ff7f94b019100ed01bc15ad9df3cae04335d968407f3
-
Filesize
1KB
MD584cf61ab2563deaf89659fcd9fc3431a
SHA1a7262b8321cca3c8959b139877b630e2c0b49c84
SHA256789c1b0ede08c0a4e04e97a48b2fa446b8268f4b45511dbb9f8455188d117646
SHA5128c5385fc626a074dcdacf63ed2648e59537a07b67c2de9c264ad20efc90621020194fb75508cdd75b62ec71c49b52931045c54433f2869caf094d7ab1e2d94e0
-
Filesize
199B
MD55e1eab061ead3dfe36a6e1160d16ecb5
SHA16045bd77904989f0f47afaa90c2b2959374912c2
SHA2567e1b46c0e971ea752a00f5c27fbec05ddfd278e459c01487b11eac38c8688ab9
SHA512eb33abbe867abf6db8bf0ad38bc927567fd3145a373ad4afb7b44fc544b9748ac93f991e4ebed8e37e7733735ae3f1f1d5c90625c22985285e7f71cfe8d6503b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
248KB
MD5719d6ba1946c25aa61ce82f90d77ffd5
SHA194d2191378cac5719daecc826fc116816284c406
SHA25669c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
-
Filesize
213B
MD5ff04c53410c267f6893af9826ddc6d18
SHA1998d5378c1f991f10ece0cb7c124d48e8d5172b4
SHA256f0980bcc32205049170f1f781c55ad47320e9df2ebb218d8b649de90452ffe11
SHA5122b94608030605f337c6500bdca887d8308e634f402c555fc7a187c14767d59af8eaa1ad8da481f85aacbf666d6b5b050abd2274ec670e4c7834e0b4812f1dfd2
-
Filesize
2.3MB
MD5deb9f64ee23f25627884a143d411fb9c
SHA1448f5388c390ec401d0551e5da97c2b9e24cfbf0
SHA256613716c888bffcb5668886335c326e276511267d8f4040afa420ccf65de51d7e
SHA512d4472ec02c355d76afcbacc51967adced80b3e3bb2cff25d34193d5cd5277baf451ec9149cf836d1647f60cf2c9bce70fb41d79ca76ff1c4dd7773be62447346
-
Filesize
2.2MB
MD5cbf28a22d6c61a0937b1bf15b3d22a1a
SHA1c414807315dfd5c33d91c783d168f417c7ca80fc
SHA256dfa13a2024f7bbdeebaa243a5b9a60736860d61e5ad1abfda61502df8f2e4d04
SHA512cb2a6e72c4a70150c10f7e84057b520dba2253e3a62b36cead3c1057a8b320d69414b99a99b4b160755437134b871de4f72fd3ccc885dc17951b5223eecbd4e0
-
Filesize
427KB
MD58d860de39a47014bb85432844205defc
SHA116b6485662cc4b57af26f1ee2fe5e5595156264d
SHA2566f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb
SHA512c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539
-
Filesize
249B
MD55299f191d092a082374029620d0184cd
SHA1154c0f2d892c0dde9914e1d2e114995ab5f1a8cb
SHA2569c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9
SHA512670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
Filesize
104B
MD5b33c8997ecd39b1b7e8af929abd526c7
SHA1e30e21ca9e74d508cfc35e9affd57a7fbc089a77
SHA25671340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c
SHA512394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc
-
Filesize
1KB
MD52dde0a04b3cfc5bca956764d6cdcb81f
SHA109131c520d3d3ffdfc0e0d9b0d3bac0631610dd7
SHA2560a4c68c7293e89a8a3cbf968d3fa776410dd1aa531483b9f33774f95b243146a
SHA5127a0975ec6b525af8822c739cfaaeee51d1fd0b5b9cb08fd1836096f3b76370f9e9476ee4a3dba4a0c4177e892ba145b690668d2d2592c3b5c5c7d38daeb1c799
-
Filesize
1KB
MD50b8c597c544ca92a39ba973ae92df58a
SHA1f5a2a3cf7f9b62ccb95455253946805b6440551e
SHA256295af82088d5d6637fd37d87140b4f0958bf444e5da19a2eed83a82b33263caf
SHA512f2aa858673620208198072d60cd348dd43284e23093ea9b718de83113a92d36ba9a7d5de540d99213f466017dcbbdea558a9bf80da5e49cc1bb6650944688c97
-
Filesize
1KB
MD55d4ffb23667ba9f0de0308a633855f3e
SHA139eba6e719ba5bb394aa586bcd81b117c16017ea
SHA2566179b859cc3981ea950bb32dd4baa006257db4ff799e1c9757ed5330718e09ab
SHA512ed5b35d15f0a21ccf3771654a99424ed8f9ff95d336642bd881d5368f5ecedbd39fc7cedd2617a1e713af70c4a7ad012e02d6ce9e725ee22e3fa62085cb66ddd
-
Filesize
1KB
MD5ea7b1e3bff59c5c21f8ccc2d3afbaac7
SHA1053b86d6dfb26ccedca35401d6ea88a481f97361
SHA256db68b31d332dca2d0b33f52e6a75b9ad5b2677e2d2078883b0010404c7aa1ed7
SHA5128bbefbfeb456af568e50d3ac0336ff12b1ad421de53d190c3f08c6f1f565a53424da84f03261ee10497dbb42464f3eee8d93d643bd4b852ab591634e203555c9
-
Filesize
1KB
MD58cb2d1f69e2730b5de634f6b6c12005f
SHA11f9496195f09f58a4e382994717a5da34086d770
SHA256f5d616663ac61dc843c8663f2ceaaf6939b974ffd74e6e1be232b3fe8c6667ea
SHA512d035c16a8d8f09abedc94e10d46983e371d2862b277128fe00184d3a1cbb8a69367c08e150c63b07729938bea6644af4e3913e629969d38978b0d934e9e61eda
-
Filesize
428B
MD50f255d529494c757ef9eeb4bebe99ed1
SHA164eecf4cb41b1016d8ce4fa610189b60a3d9f0a1
SHA25642d258557251ab37d7c7b363fef9723cc77b4a1881879a4c777e9669d5bb4205
SHA5121e05b4daff59a6fc86ae2bdf1724a9c1896888dfdd6a9600a19ff68075e52266bdd071a9cc640ec1ecdab156e03ea7d5043e2ecb66f5fd693bbb834dd2ac6a8d
-
Filesize
265B
MD5ec1cd981d2cb384c1882308df3a42dd2
SHA18905007498ea00311c5163123ce695fef4c094c5
SHA256b8345f2cfcdc6461f5674efdbd8848dd985bec83e4da4096dbe439db6883296b
SHA5123ede285ebf70082e5fe3b246de29a6d094f97a736b518174dc1f66b8bbcdc7eff5fb009c7e0ec4dd6cf6f14ae23f729bda413a62bdb86b2f8aaf15cefe2ddde8
-
Filesize
411B
MD586f922442e77fb4c73b09bcc23f43b63
SHA1eb992b3a6bb0db5ed699713b851bae998499b6f4
SHA256f34ec5f2a82c97e56c3b5463a3e83bc644777505025a154b753edca3e2278045
SHA5121e015a574eedbf5b80ee7d06b18de20166f6a913acfedb313ce03f23601b3197c4c559653912a1d499cf695df5e8d2f928ebda9865effc9c46b1d04486ccefda
-
Filesize
235B
MD58e7e7b8844367cec089456c11c9696b5
SHA1e30c9abf779335954bb135a1c47c1a71bbd4aa72
SHA256a6fb191e9b9e465fe66334487cb7bf4c7c12878b0be643c788859b88fe7bee39
SHA512f4a84ba33a27033dcbecf86083e7e6333a744a6e3bfdee1a7ddc5c2fb0dbbee592f0b78b71c638bd12ca041d24ebd0ded9c2a8fc20964ef093ad1065600e389e
-
Filesize
431B
MD5f4776efddb164e9bb76695418a6e010f
SHA1cc66db6a8e0cbdc5deb96fb3a52ed514e51d5edb
SHA256cf1dd885d8d6c223930c451baba8d5612ff0f08466f8b49712133e4f13870f6f
SHA51209063fb804aec6e13ece97a7b9c9d3c7985b27152234ad4e82263ac221cc0906227203a80eb94ee18ee642989bcf7536fc3e031fb288aaf870c44566aa6783f7
-
Filesize
271B
MD5e1577001a0f2d3abd4c054cece66ef4b
SHA1f9b27a4c9747e9e0a321b47887475abe8bc34a4d
SHA2561c210308a43159b875c0792b28e742d92f1a7094f97389e50414b7fd68939a92
SHA51287e8277501ea5288eb2be535425a27e1221a45f9d54acdb16190f8f6185fce152638f9a697790d8442429e36c8f9a75bf094ec78006934dd1834956a42c60014
-
Filesize
417B
MD5f79977b875900f6f088beb0d0e1b0797
SHA1efea4933e2f3c8f42e82fc7c7651331b9c94ea0e
SHA25620e9be287e5a5742fcb13d2e1bda8a0f2c2eeebfceaad575c4a8552302988819
SHA51245395c9c7ae88f2a8f69f91005b972a061cc1ce357f5e3d1e875b90b244415084f88e11a144ba23dbd4b6710821c852a28bd4df0bc4b73f3144e579d4a9824de
-
Filesize
257B
MD5319cd37b6ab7395819f29dcd5f26fdc7
SHA1785fd9041bb2c7603f4ee3ee121cdc09e727bae3
SHA2568d6fa251bb08500428af457e29c2670df5382f6a9f3560b80ed655ff458f8176
SHA512c4865d8d2ff013f38c66c8188c6bcf69e54258f55559e006bd080d0f8688cca142dab463bfd5692a1e227107dc4b44b133cc466808bd41182207c83a8af40cb7
-
Filesize
432B
MD56e18eedd77104d3a14d0b83189dbaaf0
SHA15d5f666851bfce8cf93c7f52410c9eebe97b1dae
SHA256333e461f890aed03238da4c99244e9adf8f36501c0e072b320cd0420eb161218
SHA512b475b07d41a9ab3b272da1ab4c2230ba7f1bcd7b18f28d15f57d2b19defabb0867c079b44545b81950b2790df142037258245469b66e5fb7e5429f0d0ad06155
-
Filesize
272B
MD520ca87463cb7c627a08fb14d9ecd0669
SHA1b503aef824e91fe0b4d10b4555ab3193032afef2
SHA256aad92af9f70d9c74f50d64e71b9ba71a10ef44ebac85e62f1443373676eb4890
SHA5123b4c7d817a67f80af2b48a72526711a79a709335153da0b12f7ad3943bb9b444e2ddccb3dfb06c27469745e7169413d2889e07cd1f51ea7e94c12d5115d01f3b
-
Filesize
391B
MD58f53c4c5bbfb21afaaa7078f8115c41c
SHA1280703bf190fc1f6e29f4c1472ed076240403792
SHA2560ad149c79bd6d8a373c08c6276176a40f338695d344239e8dc695a3f09ccfc08
SHA512fc84e66787f9dbc591a1e50d68fdc5c2abfb33f5e077a258926e297bb25f85c3a2b075aac78c1045d84e0ee56a96cd9cd70efc7e94899f564f72455b055d1db0
-
Filesize
228B
MD54af22931edddd37fb3a3b0f2e8208a29
SHA1fbb73f863c12e50dc0a1b501d6be5517f9f0be43
SHA2562f81d7c626dcab0bc5a15eb23bdcbf44b27d39b70075ab7ec5a530c74e6221a9
SHA512a459d549d8bc436a002bbac8129458303d1d1d9967d3fb3bb434b9c1706fe6f0ea185154933cba46cdbf5bb3b07fde2028662b3ef45ce05b4df6aa13251edf84
-
Filesize
404B
MD55018b618ebc6f9381b82f14cffc87fd7
SHA158dd53d42ceb1cf557dddf4aee34bdd47189344e
SHA256d03f38038b894338e4bcd8ca48f40c60b1f008badc240b97cece837cc552f2d8
SHA5127dbf99a2be8c1c6bf7c3f96068390e75a1210749a6f244277c6d6d45b1c8755f6cc371f7cc86d7092fcff8e3427e913efe04fd25aa5c596924343752e7ec19a8
-
Filesize
241B
MD56692498d3096df6f38898a96ed3ea9fe
SHA1f7bfd78e2a48bd08c3ea5ae956267a4bea8c3e24
SHA2560c468eb20bb4859267a43649f0e90395ec6a45dc5fec71e578599582ac08743e
SHA51265f0f7f3c281d1a86926270c17d1e9c4e5495df73c5ae970c325492d06b2233978fa11ea2bcf9cbc78403092e5dceef8ab5b22bc9e3ca1371fb731635d6875d0
-
Filesize
418B
MD5aadb85574924b601398aeddb930c2849
SHA1f707a057aa5d1d3013cf267d004159eee2e8a3ea
SHA25665ac579712f53d4727c870c1fd6a2e45da085db92f1d6dc8317ed5eafbd40e23
SHA5122e34fbb6c060a2d504189029f8262c730f5516eee05747d4c9a4eec5d043efed7839af3f4603e9857ba3f746960783424fe03e3580f36e16bad1fa66c051f58d
-
Filesize
255B
MD54fca7501d4eaeac1b4f33570001e1b5e
SHA1234b468dfbfa232806e9153099ad273cc0478d99
SHA256facfd32787ff12b7e4f8080231d4746fd10b4cf7f0d65b830e6e1843b5eeb9a8
SHA512a0386a2896f1825173b1f73b463ce37e72ef1f81441d067901d87dabb5cfed030396b9836dc3ff2a51e38b4ccd9b638b4fbf712b33fc2eb095edbee84e6cfba9
-
Filesize
401B
MD5a80f01351cd202c61d41a281dc2b6865
SHA1fe49d52ef4578982c977356b610f054f69a9630b
SHA256593f6eaef0809939832da3753be9017b4af9470fac49bd872dae04579e79bbfb
SHA5129dbd9cf8464203b63b88442b06a4611fcfb339f19c24d19dca842f010ec55fed8c8a34becdf2cf566e5592cfd177741720ada1b6404d48566e45e4e4150d34ae
-
Filesize
241B
MD5c3ade55b141415c64aa6aac823f4c2be
SHA1bfcee01701a53e8fbf54b979f798e73b5ec3d187
SHA256826d6c63f8d13d4db132d2f1c1f0d85053776b7f50d390ba0ea87c394ac3d2a2
SHA512665a35c00e956ede8eded4b0126c183256906246faab93679810f196a92ae409c3881e2f03bfa095895a68bfbb3d0a669ee3ef9002eaf91bfcd6126f333f7ad8
-
Filesize
1KB
MD5819218476efff19538c5e47775890416
SHA144268f9a7b24e4477c5a6917ca26b1e9d4938bcd
SHA256adfdb51bd795924a67fd2310d33e40f21f7dde44168e85dd416784cb6b1f5cd2
SHA512fc1d1655478034e6c2ac8082e00397f1a3c6b527714fc1576b52bef7b2a9faa5ff1d89b1501d598bbeac943e899631007237071ddb73242438aa375ab74d3bcd
-
Filesize
1KB
MD5e945f36170127c3704425f9c178abdd2
SHA1517a98aad94d18a9a974aeda2b00bba9aea923d4
SHA256b2100fef7a003afda3b790877da96c85004f623c87fb2b2c1cb8031c0b8569bf
SHA5123f55e9869cd5e2947e17e4db4322be403a63b59689ace8491987ed02a4834e5901198ce63a61b808b81069d0cd5de58000b4059e4c2deb9de4758236cb487e9b
-
Filesize
1KB
MD524ddc362e8473a13bb30f177c6ea6a64
SHA11ed07e313ff2c661adcfd0972d87f30abed92919
SHA25611079c0a166ad0def6a6296df3a834dd5ab35b2cec50dcc70437178de250400d
SHA5122889f83edbdcd874931f4f271c459c287df2e2bc45414117577b40ac4160dce11c0f10cb455b29f6cd26ffa9e693a7c9b05293e7e33d736ac5231e459f9c6bf3
-
Filesize
1KB
MD57f5a99b73bc2f54b87adcbabdbd154b6
SHA14f36b714e88423822ad621b953316959e4daea04
SHA256bbbf732eb476941c61919cbfe6ee039a5515ff472bc09874096f641e287cf0fc
SHA5128c62f8fce3c3e6e1b635032ef108927582c54295ab0c6b69a9e09898aaea2a85d46406a8f943997f92a1c7ecdd5f8695cd091666b6fea30c0029f618d5c0feb5