Analysis
-
max time kernel: 149s
-
max time network: 154s
-
platform: windows7_x64
-
resource: win7-20240903-en
-
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
-
submitted: 13-11-2024 19:26
Static task: static1
Behavioral task: behavioral1
Sample: c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Resource: win7-20240903-en
General
-
Target: c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
-
Size: 4.9MB
-
MD5: 6980bcd5d7d665f70f434120a1d20549
-
SHA1: 8104f0c2f92ecb1ab9c6700f14d56059a93a9465
-
SHA256: c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16
-
SHA512: 2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3
-
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3064 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 264 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 528 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1020 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1288 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2204 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1928 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 836 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2940 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1512 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2804 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1824 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1144 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2200 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1796 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2328 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2252 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1496 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 468 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1996 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2376 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1808 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2004 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1284 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2468 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2040 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1836 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 844 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2864 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 560 | 2864 | schtasks.exe | 30
-
UAC bypass 33 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
-
resource | yara_rule
behavioral1/memory/2904-2-0x000000001B890000-0x000000001B9BE000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid | Process
1648 | powershell.exe
2556 | powershell.exe
1076 | powershell.exe
2412 | powershell.exe
2320 | powershell.exe
528 | powershell.exe
1308 | powershell.exe
2944 | powershell.exe
2960 | powershell.exe
2768 | powershell.exe
1728 | powershell.exe
2780 | powershell.exe
-
Executes dropped EXE 10 IoCs
pid | Process
668 | taskhost.exe
300 | taskhost.exe
1796 | taskhost.exe
1920 | taskhost.exe
2560 | taskhost.exe
1908 | taskhost.exe
1468 | taskhost.exe
2648 | taskhost.exe
2284 | taskhost.exe
2524 | taskhost.exe
-
Checks whether UAC is enabled 22 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
-
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Media Player\69ddcba757bf72 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Program Files (x86)\Internet Explorer\5940a34987c991 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Program Files\Windows Media Player\RCX7B69.tmp | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCX8629.tmp | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Program Files\Windows Media Player\smss.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\audiodg.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\RCX8C53.tmp | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\dllhost.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Program Files\Windows Media Player\smss.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\audiodg.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\42af1c969fbb7b | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Program Files (x86)\Internet Explorer\dllhost.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
-
Drops file in Windows directory 17 IoCs
description | ioc | Process
File created | C:\Windows\rescache\taskhost.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Windows\ShellNew\lsm.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Windows\system\Idle.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Windows\Tasks\System.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Windows\Tasks\27d1bcfc3c54e0 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Windows\ShellNew\RCX8A40.tmp | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Windows\system\6ccacd8608530f | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Windows\Performance\WinSAT\DataStore\Idle.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Windows\Tasks\System.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Windows\ShellNew\101b941d020240 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Windows\ShellNew\lsm.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Windows\system\RCX8E67.tmp | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created | C:\Windows\Performance\WinSAT\DataStore\6ccacd8608530f | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Windows\system\Idle.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Windows\Performance\WinSAT\DataStore\RCX90E7.tmp | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Windows\Performance\WinSAT\DataStore\Idle.exe | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification | C:\Windows\Tasks\RCX930A.tmp | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2616 | schtasks.exe
264 | schtasks.exe
2200 | schtasks.exe
1796 | schtasks.exe
2208 | schtasks.exe
1996 | schtasks.exe
2468 | schtasks.exe
836 | schtasks.exe
2056 | schtasks.exe
1848 | schtasks.exe
1836 | schtasks.exe
2380 | schtasks.exe
560 | schtasks.exe
1288 | schtasks.exe
1824 | schtasks.exe
1144 | schtasks.exe
2004 | schtasks.exe
2624 | schtasks.exe
1444 | schtasks.exe
1956 | schtasks.exe
3004 | schtasks.exe
1284 | schtasks.exe
2104 | schtasks.exe
1928 | schtasks.exe
1512 | schtasks.exe
2128 | schtasks.exe
2328 | schtasks.exe
2252 | schtasks.exe
2268 | schtasks.exe
1496 | schtasks.exe
1020 | schtasks.exe
2804 | schtasks.exe
1784 | schtasks.exe
2940 | schtasks.exe
2936 | schtasks.exe
1752 | schtasks.exe
2040 | schtasks.exe
844 | schtasks.exe
2660 | schtasks.exe
3064 | schtasks.exe
528 | schtasks.exe
2204 | schtasks.exe
468 | schtasks.exe
2376 | schtasks.exe
1808 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid | Process
2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2556 | powershell.exe
2320 | powershell.exe
2768 | powershell.exe
2412 | powershell.exe
2780 | powershell.exe
1728 | powershell.exe
2944 | powershell.exe
2960 | powershell.exe
1076 | powershell.exe
528 | powershell.exe
1308 | powershell.exe
1648 | powershell.exe
668 | taskhost.exe
300 | taskhost.exe
1796 | taskhost.exe
1920 | taskhost.exe
2560 | taskhost.exe
1908 | taskhost.exe
1468 | taskhost.exe
2648 | taskhost.exe
2284 | taskhost.exe
2524 | taskhost.exe
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Token: SeDebugPrivilege | 2556 | powershell.exe
Token: SeDebugPrivilege | 2320 | powershell.exe
Token: SeDebugPrivilege | 2768 | powershell.exe
Token: SeDebugPrivilege | 2412 | powershell.exe
Token: SeDebugPrivilege | 2780 | powershell.exe
Token: SeDebugPrivilege | 1728 | powershell.exe
Token: SeDebugPrivilege | 2944 | powershell.exe
Token: SeDebugPrivilege | 2960 | powershell.exe
Token: SeDebugPrivilege | 668 | taskhost.exe
Token: SeDebugPrivilege | 1076 | powershell.exe
Token: SeDebugPrivilege | 528 | powershell.exe
Token: SeDebugPrivilege | 1308 | powershell.exe
Token: SeDebugPrivilege | 1648 | powershell.exe
Token: SeDebugPrivilege | 300 | taskhost.exe
Token: SeDebugPrivilege | 1796 | taskhost.exe
Token: SeDebugPrivilege | 1920 | taskhost.exe
Token: SeDebugPrivilege | 2560 | taskhost.exe
Token: SeDebugPrivilege | 1908 | taskhost.exe
Token: SeDebugPrivilege | 1468 | taskhost.exe
Token: SeDebugPrivilege | 2648 | taskhost.exe
Token: SeDebugPrivilege | 2284 | taskhost.exe
Token: SeDebugPrivilege | 2524 | taskhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2904 wrote to memory of 2320 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 76
PID 2904 wrote to memory of 2320 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 76
PID 2904 wrote to memory of 2320 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 76
PID 2904 wrote to memory of 2768 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 77
PID 2904 wrote to memory of 2768 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 77
PID 2904 wrote to memory of 2768 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 77
PID 2904 wrote to memory of 2412 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 79
PID 2904 wrote to memory of 2412 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 79
PID 2904 wrote to memory of 2412 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 79
PID 2904 wrote to memory of 2556 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 80
PID 2904 wrote to memory of 2556 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 80
PID 2904 wrote to memory of 2556 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 80
PID 2904 wrote to memory of 1648 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 82
PID 2904 wrote to memory of 1648 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 82
PID 2904 wrote to memory of 1648 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 82
PID 2904 wrote to memory of 2960 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 83
PID 2904 wrote to memory of 2960 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 83
PID 2904 wrote to memory of 2960 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 83
PID 2904 wrote to memory of 1308 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 84
PID 2904 wrote to memory of 1308 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 84
PID 2904 wrote to memory of 1308 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 84
PID 2904 wrote to memory of 2944 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 85
PID 2904 wrote to memory of 2944 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 85
PID 2904 wrote to memory of 2944 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 85
PID 2904 wrote to memory of 2780 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 86
PID 2904 wrote to memory of 2780 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 86
PID 2904 wrote to memory of 2780 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 86
PID 2904 wrote to memory of 1076 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 88
PID 2904 wrote to memory of 1076 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 88
PID 2904 wrote to memory of 1076 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 88
PID 2904 wrote to memory of 1728 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 89
PID 2904 wrote to memory of 1728 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 89
PID 2904 wrote to memory of 1728 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 89
PID 2904 wrote to memory of 528 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 90
PID 2904 wrote to memory of 528 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 90
PID 2904 wrote to memory of 528 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 90
PID 2904 wrote to memory of 668 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 100
PID 2904 wrote to memory of 668 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 100
PID 2904 wrote to memory of 668 | 2904 | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe | 100
PID 668 wrote to memory of 2964 | 668 | taskhost.exe | 101
PID 668 wrote to memory of 2964 | 668 | taskhost.exe | 101
PID 668 wrote to memory of 2964 | 668 | taskhost.exe | 101
PID 668 wrote to memory of 3068 | 668 | taskhost.exe | 102
PID 668 wrote to memory of 3068 | 668 | taskhost.exe | 102
PID 668 wrote to memory of 3068 | 668 | taskhost.exe | 102
PID 2964 wrote to memory of 300 | 2964 | WScript.exe | 103
PID 2964 wrote to memory of 300 | 2964 | WScript.exe | 103
PID 2964 wrote to memory of 300 | 2964 | WScript.exe | 103
PID 300 wrote to memory of 2104 | 300 | taskhost.exe | 105
PID 300 wrote to memory of 2104 | 300 | taskhost.exe | 105
PID 300 wrote to memory of 2104 | 300 | taskhost.exe | 105
PID 300 wrote to memory of 1688 | 300 | taskhost.exe | 106
PID 300 wrote to memory of 1688 | 300 | taskhost.exe | 106
PID 300 wrote to memory of 1688 | 300 | taskhost.exe | 106
PID 2104 wrote to memory of 1796 | 2104 | WScript.exe | 107
PID 2104 wrote to memory of 1796 | 2104 | WScript.exe | 107
PID 2104 wrote to memory of 1796 | 2104 | WScript.exe | 107
PID 1796 wrote to memory of 2664 | 1796 | taskhost.exe | 108
PID 1796 wrote to memory of 2664 | 1796 | taskhost.exe | 108
PID 1796 wrote to memory of 2664 | 1796 | taskhost.exe | 108
PID 1796 wrote to memory of 1844 | 1796 | taskhost.exe | 109
PID 1796 wrote to memory of 1844 | 1796 | taskhost.exe | 109
PID 1796 wrote to memory of 1844 | 1796 | taskhost.exe | 109
PID 2664 wrote to memory of 1920 | 2664 | WScript.exe | 110
-
System policy modification 1 TTPs 33 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2904 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:668 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d015806-a357-46e9-9d1b-16d3edf85489.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:300 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13e41770-5c20-4680-8ff0-71ce6e21c519.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1796 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17981d84-f810-4536-85d0-eb56b47e4f35.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1920 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6686a49-e032-409a-b57a-b6e61def7fb6.vbs"9⤵PID:316
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2560 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\490eef33-e19c-4b6c-aaa1-2b454d8988c9.vbs"11⤵PID:2172
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1908 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dae1d1f8-f02d-4e1f-85a8-54a7966966f2.vbs"13⤵PID:2760
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1468 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8a1d704-0eb4-4818-a1fd-6e9aa8193e1e.vbs"15⤵PID:1048
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2648 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23295970-298a-4652-b9cd-fbe1b6993b84.vbs"17⤵PID:1480
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2284 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bbba736-84ec-469c-9497-b95e724624ba.vbs"19⤵PID:316
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2524 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed3d9d57-4e4b-43d9-b649-a7db4b94461c.vbs"21⤵PID:1736
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01e90a16-9586-462c-955c-b906aa2e6342.vbs"21⤵PID:2620
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d50a2d7-d0f3-4d84-a14b-35fc3be5eb83.vbs"19⤵PID:3040
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3700dc96-d3fb-4d1b-b5c0-4ec8553663e1.vbs"17⤵PID:1840
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1e48d94-b213-4bab-90cd-27a852085ed0.vbs"15⤵PID:2468
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18770b3b-c631-4969-bc34-783a1b7da434.vbs"13⤵PID:1808
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4e3d29-ac56-4b55-862b-148e0710945c.vbs"11⤵PID:668
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\210f373b-d67b-4778-b3f8-2fabcc98e34a.vbs"9⤵PID:468
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22c0b2a5-cfa8-4e21-875c-b552d8c490ff.vbs"7⤵PID:1844
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15267901-d11d-4df9-8e90-7e27654c7037.vbs"5⤵PID:1688
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5bfbfab-660b-4418-a64f-d73fb2673cd0.vbs"3⤵PID:3068
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Favorites\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\system\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads
Filesize 750B
MD5 d6b1930553caadbf4ad4ec30682f48ea
SHA1 ffc7caa53b981f9a6f336a9ff667be5b3523f202
SHA256 81fe3459ef47fcf9a0192e2962f7831ff16e1d379dff4c6369730d7401f57726
SHA512 23df6db49e16cde0dbe3e27871b21decd9763252d809cf36d58d91f0ccf4b1e4425064d99ca81256cb298b26b29b502c2ad136fa7c7afcdf643777aeaadd3b3f

Filesize 751B
MD5 829be590a9f02dd076799e1efdbf8c4d
SHA1 d6aabdc4b5a54fb29dcecb2000860f2e2091ea14
SHA256 4804a88760dbf728cc1441e66b23712e944db607f12b7d73812fcebe2a7832ae
SHA512 21ec6a91bbbb2c5b68a5afff39a5cef0cc9f75002cc6fed70ecb8630bc08934f327d210d923fe2aca09418990ffb481388a077c8ec3272a33ddcb3281a8db689

Filesize 751B
MD5 93095064ad33ec101bd1f0f1e03e1765
SHA1 9ecd76f254c5cc0ac3e7447da8123e3249bfd2c6
SHA256 e06ae8f03ad2f19215b67e16ce223d08e5265b4631c846c302e9bc2ff04efc3a
SHA512 71a461aa42e27a2333a339d86bf0d7d4ecad98475ccb1fc7f873317f61df628eeb3ac5d7f8ce241c2db4138b5cf36b298679dde51b4b582e9748df0d42837efc

Filesize 751B
MD5 9d4b3d32fe9c0c3d439a7e32eef79613
SHA1 09451dad06e5c1611028d4abb761500e76b5950e
SHA256 b4eeac0639e751ac1b3e7c602538400b5ccb9a8ee655e56c90c7fd257b9f92ff
SHA512 f076ffb749da67376f404ed57ddfeaf944a0e1d3fd7d0d5ec87907ead8eef1ae7b00245c239f5e73683b813f4361eeee05c3549f8ae2976ed4a4bce1dc4eacc9

Filesize 751B
MD5 39ec88b941b774cf580a96847bfb61c4
SHA1 d6e511fcfe4f13612c789af968dc72dbfa6aead6
SHA256 cc0538762e259811c2a01e0c4b5fcaf5cdff29593c416b0dfbb2d5e6955bc6d2
SHA512 e6ff022901bacd24f905a118a1f14a7c89cb18b54587990d2046248a97f7a1ddf695db20fd0ffa22c8a32563c388624eaa2efeac26a0e6ed9945c1eb8661fe13

Filesize 750B
MD5 c9fd9a5e2c26b66700586bc13f58f848
SHA1 acee7d8f1eadb3fa0b4bcb1cccb50c058c8f9f90
SHA256 863049cdb928b1f3a40d132bace579ff08beb0e91cc6621f4ea2c315880af661
SHA512 3120606f0a4796f7cafd4f9ea2dfc0c929ebec3fff76ae3b858a89c5ff313ad4d628b838c49706de8e2abdf9b0738303d659bd34dc20ac728e8bf8f079c8c382

Filesize 751B
MD5 4c4ce0c55102fe7766190e840dd3f28f
SHA1 f29ec3efc7727e5e1ff16d39c8932d47345c8369
SHA256 715cdd396d333cbe2f3732cddbdbade60f42a1055d5ee4e96962701b74e40052
SHA512 0aea6c30f2dd8022eb3e4868cf1dcdcc171f9a1de11e6a9e7bd9d21bd3202f183f853fb5917782b43349c761fc82d2673dc87341d897169b9caa39a93960b38e

Filesize 751B
MD5 fbe493f3aef976ee908ca10241235544
SHA1 f2f054a13ff3ad881971a1a24571f25a6848a32a
SHA256 20896c3ef736d509a489f746976d51d1c7602821510950810f75b61cbb617d27
SHA512 8b518e9ba0aac2595924b9ace192b1565051dcc4be6b85218e46e1a315adc33b8e4c46bdc87747c1245811ab8af523fb89b3ef7c53f9d54ec1754f4234258011

Filesize 751B
MD5 2139f93c5ed738f886729d9d0d810d27
SHA1 ccdaade2c28c279007339b815478c76a972f0750
SHA256 05797b4efc3a11e69077f0dd49f9e4f7554895884afa6dae016849394a1ad726
SHA512 d9d1439016d2a11d920bd8ee6e34b2a516311de1923f3c942f1e15e91f2461490b07f506c459ccf68cff0b0e1ae92ae5d9f2e5cc3880e076f987412917586f29

Filesize 527B
MD5 58a6d1d5c81bdd5f2188560ef1003e79
SHA1 f623b4d7f096eefb44607b74f91637538c9e7031
SHA256 477e51a539911a8a64c34cb4cc37efe21c115c9c18bc108c8c87f5cebf57fa87
SHA512 47c03a4352a236743e10f581b66f2c2f0dfdbff88de2f31b1120a7eb9e7a5a7f92eb26fe3972b62ed7aa2c8d8b136a0e9a906134306bc5db7ea2514324fee0b7

Filesize 751B
MD5 1b3a0693fb105d56a87ae9b3096e3f6d
SHA1 938d0fbc9a383ad0cf3d282784ad4edeba23cb69
SHA256 cbe28645a9d76cc00b2195b8f83ed1522c99cb83cfa3551072d007e6a364c8fc
SHA512 9a6dbc78f69979a654fe643cfde8bb20b7a905cc178404be52a60ca1fe2162b9042b1f9eced273470ea3c28de97345d55dbaafb6ca01c7fcf3bc39be3748f139

Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 b9a5c2c0012fc51f67c53da8fa128e38
SHA1 ff3ebc84d779fabedeb2534878706bb211d31456
SHA256 841223e56b4400680484f011d9a52a42c28bdbcaeee403d243f2586f70ad951a
SHA512 5bf848beb5735f9027b66da8e7b558b35c8a4ec23681688170fe1a93f9ee6aa38a2fbd0090cb129c0d83c4099ec63335856dbabaa22be0173c19987d8ae01ef4

Filesize 4.9MB
MD5 6980bcd5d7d665f70f434120a1d20549
SHA1 8104f0c2f92ecb1ab9c6700f14d56059a93a9465
SHA256 c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16
SHA512 2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3

Filesize 4.9MB
MD5 1833db530ce6d386c2ea880ca1de5a41
SHA1 cb7445a257398f83b9b27b61005b80004cab230b
SHA256 e867bb19a7d3519ea7a5eb3ad5163d6744e6ddb9e222fb24bda6431f8f4d14d8
SHA512 3cc731f86d8b285ac0f4bc13d870429aafbf3d388efa2c2908faba4a545c5de6c1836f664d19702c55dff8f0c78c8d5d0bccf1e6d111f3739bed025b68164558