Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-11-2024 00:41
Static task: static1
Behavioral task: behavioral1
Sample: 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe
Resource: win7-20240903-en
General
Target: 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe
Size: 4.9MB
MD5: 397875ccdde144b8118a6c31e9f2ddf5
SHA1: 2dd084fb6fcf3f88ec0e377e3d588e72db36a7e7
SHA256: 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924
SHA512: d596ef357651886280750397c6d46c2cd67c452dd66181ba6cee487c6b8f2780f6e9d7e313809860ff258507d3c05b6c0a13ecdb5527c8be54fb3e4ff84684d7
SSDEEP: 49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8I:Q
Malware Config
Signatures
DcRat
DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, that can load additional plugins.
Dcrat family
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, which needs a different reading: a process created through WMI (Win32_Process.Create) is started by the WMI provider host, so wmiprvse.exe is the recorded parent and the real initiator is the WMI client that issued the call, which this parent/child view does not identify.
description pid pid_target Process procid_target
All 54 rows read: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process, with pid_target 2132 (the wmiprvse.exe parent), Process schtasks.exe and procid_target 30. The schtasks.exe PIDs, in report order:
2804, 2816, 2716, 2788, 2708, 2824, 2760, 2812, 2608, 2712, 2644, 3048, 2580, 1036, 2032, 1724, 2652, 2500, 620, 1304, 1540, 1584, 1740, 1500, 2768, 2908, 1004, 2200, 1624, 2352, 2576, 1084, 848, 2572, 2980, 1260, 956, 1228, 2556, 2224, 1980, 1940, 896, 1776, 864, 2868, 2512, 3056, 868, 676, 884, 1560, 1420, 1968
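The relationship this signature records (WmiPrvSE.exe as parent of schtasks.exe), together with the sample -> wininit.exe -> WScript.exe -> wininit.exe chain visible in the WriteProcessMemory table further down, is the kind of lineage check that is easy to automate. The Python below is an added example written for this page, not sandbox or DcRat code: it indexes constructed process records that reuse this report's PIDs, applies an assumed allowlist of expected parents for core Windows binaries plus a list of launch proxies, and prints each hit with its lineage. The parent PIDs of the sample, svchost.exe and wmiprvse.exe are placeholders that do not appear in the report.

```python
"""Flag parent/child process relationships that should not occur on a healthy
Windows host and show the lineage behind each hit.

Added example for this report; not sandbox or DcRat code.  REPORT_PROCS is
constructed from PIDs in this report (the WmiPrvSE.exe -> schtasks.exe rows
and the sample -> wininit.exe -> WScript.exe chain); the parent PIDs of the
sample, svchost.exe and wmiprvse.exe, and both rule tables, are the author's
assumptions.  Sandbox PIDs are reused within one run (1068 is both
powershell.exe and wininit.exe in this report), so index one snapshot only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str  # lower-cased file name only


# Binaries whose parent is fixed by the Windows boot chain (assumed allowlist).
EXPECTED_PARENTS = {
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}

# Launch proxies: their children were requested by some other client
# (Win32_Process.Create for WmiPrvSE.exe), so the parent hides the initiator.
PROXY_PARENTS = {"wmiprvse.exe"}
PROXY_CHILDREN_OF_INTEREST = {"schtasks.exe", "cmd.exe", "powershell.exe",
                              "wscript.exe", "cscript.exe", "rundll32.exe"}


def build_index(procs):
    """pid -> Proc for one consistent snapshot."""
    return {p.pid: p for p in procs}


def lineage(by_pid, pid):
    """Image names from pid up to the highest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def find_anomalies(procs):
    """[(child_pid, reason)] for every relationship that breaks a rule."""
    by_pid = build_index(procs)
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        allowed = EXPECTED_PARENTS.get(p.image)
        if allowed is not None and parent.image not in allowed:
            hits.append((p.pid, f"{p.image} started by {parent.image}; "
                                f"expected one of {sorted(allowed)}"))
        if parent.image in PROXY_PARENTS and p.image in PROXY_CHILDREN_OF_INTEREST:
            hits.append((p.pid, f"{parent.image} launched {p.image}; "
                                "identify the WMI client that requested it"))
    return hits


# 'sample.exe' stands in for the 64-hex-char sample name; ppid 1000, 600 and
# 0 are placeholders that do not appear in the report.
REPORT_PROCS = [
    Proc(3016, 1000, "sample.exe"),
    Proc(2336, 3016, "wininit.exe"),
    Proc(1988, 2336, "wscript.exe"),
    Proc(2888, 1988, "wininit.exe"),
    Proc(1968, 2888, "wscript.exe"),
    Proc(2148, 1968, "wininit.exe"),
    Proc(2228, 2148, "wscript.exe"),
    Proc(1568, 2228, "wininit.exe"),
    Proc(600, 0, "svchost.exe"),
    Proc(2132, 600, "wmiprvse.exe"),
    Proc(2804, 2132, "schtasks.exe"),
    Proc(2816, 2132, "schtasks.exe"),
    Proc(2716, 2132, "schtasks.exe"),
]

if __name__ == "__main__":
    idx = build_index(REPORT_PROCS)
    for pid, reason in find_anomalies(REPORT_PROCS):
        print(f"{pid}: {reason}")
        print("    lineage:", " <- ".join(lineage(idx, pid)))
```

On a live host the same rules run over Sysmon event ID 1 or EDR process-start records; the only field this needs beyond pid/ppid/image is a consistent snapshot, because a reused PID would otherwise splice two unrelated chains together.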
description ioc Process
All 27 rows are Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
EnableLUA = "0": wininit.exe (8 rows), 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (1 row)
ConsentPromptBehaviorAdmin = "0": wininit.exe (8 rows), 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (1 row)
PromptOnSecureDesktop = "0": wininit.exe (8 rows), 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (1 row)
resource yara_rule
behavioral1/memory/3016-3-0x000000001B520000-0x000000001B64E000-memory.dmp dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths or processes. The invocations shown in the Processes list each call Add-MpPreference -ExclusionPath with a single top-level directory of C:\ (written with forward slashes), and the first excludes the whole drive.
pid Process: 2000, 2268, 1344, 952, 2768, 1588, 1068, 1292, 1316, 2500, 1072, 404, all powershell.exe
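The Add-MpPreference command lines this signature covers appear in full in the Processes list. The Python below is an added example for this page, not sandbox or DcRat code: it pulls the exclusion type and value out of such command lines, normalises the forward-slash paths the sample uses, and rates each exclusion by how much of the host it removes from scanning. The severity thresholds and the list of risky extensions are the author's choices; the first three sample command lines are copied from this report and the last two are constructed.

```python
"""Pull Windows Defender exclusions out of PowerShell command lines and rate
how much of the host each one removes from scanning.

Added example for this report; not sandbox or DcRat code.  The first three
SAMPLE_CMDLINES are copied from the Processes list of this report, the last
two are constructed; the severity thresholds are the author's assumptions.
"""
import re
from dataclasses import dataclass

_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# -ExclusionPath / -ExclusionExtension / -ExclusionProcess followed by one
# value or a comma-separated list; values may be single-, double- or unquoted.
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s,]+)"
_PARAM_RE = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE,
)
_RISKY_EXT = {"exe", "dll", "ps1", "vbs", "js", "bat", "cmd", "scr", "msi"}


@dataclass(frozen=True)
class Exclusion:
    kind: str      # "path", "extension" or "process"
    value: str     # normalised: backslashes, no trailing separator, no quotes
    severity: str  # "critical", "high" or "medium"


def _rate_path(path):
    parts = [x for x in path.split("\\") if x]
    if len(parts) <= 1:          # 'C:' or '\' : an entire drive is unscanned
        return "critical"
    if len(parts) == 2:          # a top-level directory such as C:\Program Files
        return "high"
    return "medium"


def parse_exclusions(cmdline):
    """Return the Exclusion objects expressed by one command line."""
    if not _CMDLET_RE.search(cmdline):
        return []
    found = []
    for m in _PARAM_RE.finditer(cmdline):
        kind = m.group(1).lower()
        for raw in re.split(r"\s*,\s*", m.group(2)):
            value = raw.strip().strip("'\"")
            if not value:
                continue
            if kind == "path":
                # The sample writes 'C:/'; Defender accepts either separator.
                value = value.replace("/", "\\").rstrip("\\") or value
                severity = _rate_path(value)
            elif kind == "extension":
                severity = "high" if value.lstrip(".").lower() in _RISKY_EXT else "medium"
            else:  # process: every file that image touches is skipped
                severity = "high"
            found.append(Exclusion(kind, value, severity))
    return found


def summarise(cmdlines):
    """Worst severity and the set of (kind, value) pairs across many lines."""
    order = {"medium": 0, "high": 1, "critical": 2}
    worst, values = None, set()
    for line in cmdlines:
        for ex in parse_exclusions(line):
            values.add((ex.kind, ex.value))
            if worst is None or order[ex.severity] > order[worst]:
                worst = ex.severity
    return worst, values


SAMPLE_CMDLINES = [  # first three copied from this report, last two constructed
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'",
    'Set-MpPreference -ExclusionExtension "exe","txt" -ExclusionProcess "C:\\Tools\\agent.exe"',
    "powershell -Command Get-MpPreference",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for ex in parse_exclusions(line):
            print(f"{ex.severity:8} {ex.kind:9} {ex.value}")
    print("worst:", summarise(SAMPLE_CMDLINES)[0])
```

Add-MpPreference needs an elevated token, which is consistent with the sample also writing HKLM policy values in this run; on a host where it succeeded, Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess) and Defender operational event ID 5007 are the places to confirm the current state.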
Executes dropped EXE 8 IoCs
pid Process: 2336, 2888, 2148, 1568, 2320, 1980, 1068, 2408, all wininit.exe
description ioc Process
All 18 rows concern \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA:
Key value queried: wininit.exe (8 rows), 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (1 row)
Set value (int) EnableLUA = "0": wininit.exe (8 rows), 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (1 row)
Drops file in Program Files directory 20 IoCs
description ioc Process: all 20 rows are by 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe, grouped here by directory:
C:\Program Files\Java\: Idle.exe (File created, File opened for modification); 6ccacd8608530f (File created); RCXD795.tmp (File opened for modification)
C:\Program Files\Windows Defender\ja-JP\: explorer.exe (File created, File opened for modification); 7a0fd90576e088 (File created); RCXDB9D.tmp (File opened for modification)
C:\Program Files\Windows Mail\en-US\: 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (File created, File opened for modification); de6b3eca23e1dc (File created); RCXE1D7.tmp (File opened for modification)
C:\Program Files (x86)\Mozilla Maintenance Service\logs\: spoolsv.exe (File created, File opened for modification); f3b6ecef712a24 (File created); RCXC5D2.tmp (File opened for modification)
C:\Program Files (x86)\Windows Media Player\de-DE\: dllhost.exe (File created, File opened for modification); 5940a34987c991 (File created); RCXE850.tmp (File opened for modification)
Drops file in Windows directory 12 IoCs
description ioc Process: all 12 rows are by 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe, grouped here by directory:
C:\Windows\BitLockerDiscoveryVolumeContents\: audiodg.exe (File created, File opened for modification); 42af1c969fbb7b (File created); RCXD37E.tmp (File opened for modification)
C:\Windows\ja-JP\: winlogon.exe (File created, File opened for modification); cc11b995f2a76d (File created); RCXE3DB.tmp (File opened for modification)
C:\Windows\TAPI\: services.exe (File created, File opened for modification); c5b4cb5e9653cc (File created); RCXDDC0.tmp (File opened for modification)
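Every directory in the two drop tables above receives the same trio: an executable, a 14-hex-character companion file and an RCX*.tmp staging file, and six of the executables carry the names of Windows binaries (explorer.exe, spoolsv.exe, dllhost.exe, winlogon.exe, services.exe, audiodg.exe) in directories where those binaries never live. The Python below is an added example for this page, not sandbox or DcRat code: it parses rows in the report's own format, classifies each dropped path, and lists the directories that show the full pattern. The home-directory map and the naming heuristics are the author's assumptions; REPORT_ROWS is a subset of the rows above.

```python
"""Parse 'File created' / 'File opened for modification' rows from a sandbox
report, group the drops by directory and flag files that carry the name of a
Windows binary while living outside that binary's home directory.

Added example for this report, not sandbox or DcRat code.  REPORT_ROWS is a
subset of the rows in this report; LEGIT_HOME and the companion/staging
heuristics are the author's assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Where each often-impersonated binary legitimately lives on 64-bit Windows 7
# (lower-case, no trailing separator).  Assumption; extend per OS version.
LEGIT_HOME = {
    "explorer.exe": {"c:\\windows"},
    "winlogon.exe": {"c:\\windows\\system32"},
    "services.exe": {"c:\\windows\\system32"},
    "wininit.exe": {"c:\\windows\\system32"},
    "spoolsv.exe": {"c:\\windows\\system32"},
    "audiodg.exe": {"c:\\windows\\system32"},
    "dllhost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
}

# Row shape: "File <action> <path, may contain spaces> <process, no spaces>"
_ROW_RE = re.compile(r"^File (created|opened for modification) (.+) (\S+)$")
_COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")            # e.g. 6ccacd8608530f
_STAGING_RE = re.compile(r"^RCX[0-9A-F]{4}\.tmp$", re.I)   # e.g. RCXD795.tmp


def parse_row(row):
    """Return (action, path, process) or None if the row has another shape."""
    m = _ROW_RE.match(row.strip())
    return m.groups() if m else None


def classify(path_str):
    """'masquerade', 'companion', 'staging', 'payload' (other EXE) or None."""
    p = PureWindowsPath(path_str)
    homes = LEGIT_HOME.get(p.name.lower())
    if homes is not None and str(p.parent).lower() not in homes:
        return "masquerade"
    if _COMPANION_RE.match(p.name):
        return "companion"
    if _STAGING_RE.match(p.name):
        return "staging"
    if homes is None and p.suffix.lower() == ".exe":
        return "payload"
    return None


def triage(rows):
    """Group classified drops by directory and return the directories that
    show the full pattern from this report: an EXE beside a 14-hex-char
    companion file and an RCX*.tmp staging file."""
    by_dir = defaultdict(lambda: defaultdict(set))
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        p, cat = PureWindowsPath(parsed[1]), classify(parsed[1])
        if cat:
            by_dir[str(p.parent)][cat].add(p.name)
    pattern_dirs = sorted(d for d, cats in by_dir.items()
                          if {"companion", "staging"} <= set(cats)
                          and {"masquerade", "payload"} & set(cats))
    return by_dir, pattern_dirs


def masquerades(rows):
    """Sorted, de-duplicated paths of drops that impersonate Windows binaries."""
    hits = {r[1] for r in map(parse_row, rows) if r and classify(r[1]) == "masquerade"}
    return sorted(hits)


S = "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe"
REPORT_ROWS = [  # copied from this report; S is the sample's process name
    f"File created C:\\Windows\\ja-JP\\winlogon.exe {S}",
    f"File opened for modification C:\\Windows\\TAPI\\RCXDDC0.tmp {S}",
    f"File opened for modification C:\\Windows\\ja-JP\\RCXE3DB.tmp {S}",
    f"File opened for modification C:\\Windows\\ja-JP\\winlogon.exe {S}",
    f"File created C:\\Windows\\TAPI\\services.exe {S}",
    f"File created C:\\Windows\\TAPI\\c5b4cb5e9653cc {S}",
    f"File created C:\\Windows\\ja-JP\\cc11b995f2a76d {S}",
    f"File created C:\\Program Files\\Java\\6ccacd8608530f {S}",
    f"File created C:\\Program Files\\Java\\Idle.exe {S}",
    f"File opened for modification C:\\Program Files\\Java\\RCXD795.tmp {S}",
    f"File created C:\\Program Files\\Windows Defender\\ja-JP\\7a0fd90576e088 {S}",
    f"File created C:\\Program Files\\Windows Defender\\ja-JP\\explorer.exe {S}",
    f"File opened for modification C:\\Program Files\\Windows Defender\\ja-JP\\RCXDB9D.tmp {S}",
]

if __name__ == "__main__":
    by_dir, pattern_dirs = triage(REPORT_ROWS)
    for d in pattern_dirs:
        print(d, {k: sorted(v) for k, v in by_dir[d].items()})
    print("masquerades:", masquerades(REPORT_ROWS))
```

The same classify() runs unchanged over Sysmon event ID 11 (FileCreate) TargetFilename values; the name-outside-home rule is what catches the wininit.exe copies that the Executes dropped EXE section shows running, because by image name alone they are indistinguishable from the real one.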
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process: all 54 are schtasks.exe; PIDs 2572, 3056, 2500, 1624, 956, 1940, 864, 2868, 2708, 1740, 2608, 848, 2788, 1036, 2556, 2824, 868, 2512, 1968, 3048, 2032, 1500, 2980, 2644, 1776, 676, 1560, 2812, 2652, 1304, 2224, 884, 2716, 2352, 1584, 2908, 2576, 1228, 1420, 2760, 2712, 2580, 1540, 2816, 620, 1724, 1260, 896, 2804, 2768, 1980, 1004, 2200, 1084
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process:
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (7 rows)
powershell.exe: 404, 2000, 1292, 1344, 1316, 2500, 952, 1588, 1072, 2768, 1068, 2268
wininit.exe: 2336, 2888, 2148, 1568, 2320, 1980, 1068, 2408
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process: every row is Token: SeDebugPrivilege
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe
powershell.exe: 404, 2000, 1292, 1344, 1316, 2500, 952, 1588, 1072, 2768, 1068, 2268
wininit.exe: 2336, 2888, 2148, 1568, 2320, 1980, 1068, 2408
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target: each row reads PID <source> wrote to memory of <target>, with Process the source image and procid_target the sandbox-internal id of the target. Every relationship is recorded three times; the list stops at 64 entries, so the last relationship appears once.
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 2768 (procid_target 86)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 1588 (87)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 404 (88)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 2000 (90)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 1072 (91)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 1068 (93)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 1292 (96)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 952 (97)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 1344 (98)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 2500 (99)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 2268 (100)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 1316 (101)
3016 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe wrote to 2336 (110)
2336 wininit.exe wrote to 1988 (111)
2336 wininit.exe wrote to 1772 (112)
1988 WScript.exe wrote to 2888 (113)
2888 wininit.exe wrote to 1968 (114)
2888 wininit.exe wrote to 1516 (115)
1968 WScript.exe wrote to 2148 (116)
2148 wininit.exe wrote to 2228 (117)
2148 wininit.exe wrote to 1360 (118)
2228 WScript.exe wrote to 1568 (119) (single entry; the list ends here)
System policy modification 1 TTPs 27 IoCs
description ioc Process
All 27 rows are Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
EnableLUA = "0": wininit.exe (8 rows), 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (1 row)
ConsentPromptBehaviorAdmin = "0": wininit.exe (8 rows), 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (1 row)
PromptOnSecureDesktop = "0": wininit.exe (8 rows), 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe (1 row)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe "C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe" (depth 1)
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1316

C:\Users\Admin\Application Data\wininit.exe "C:\Users\Admin\Application Data\wininit.exe" (depth 2)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2336

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bd6bf1e-82de-4074-9d3a-2f057b677a82.vbs" (depth 3)
- Suspicious use of WriteProcessMemory
PID: 1988

C:\Users\Admin\Application Data\wininit.exe "C:\Users\Admin\Application Data\wininit.exe" (depth 4)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2888

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\374262ac-dd5c-47d8-a475-2f7fadbe8def.vbs" (depth 5)
- Suspicious use of WriteProcessMemory
PID: 1968

C:\Users\Admin\Application Data\wininit.exe "C:\Users\Admin\Application Data\wininit.exe" (depth 6)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2148

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107b22d1-7c6b-46c8-8e9e-025726b1afb8.vbs" (depth 7)
- Suspicious use of WriteProcessMemory
PID: 2228

C:\Users\Admin\Application Data\wininit.exe "C:\Users\Admin\Application Data\wininit.exe" (depth 8)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1568

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdcb3944-405b-4596-ac1d-fdd859fec1ea.vbs" (depth 9)
PID: 1532

C:\Users\Admin\Application Data\wininit.exe "C:\Users\Admin\Application Data\wininit.exe" (depth 10)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2320

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76a1eac6-3a6c-4384-8fa6-5949679666c9.vbs" (depth 11)
PID: 2044

C:\Users\Admin\Application Data\wininit.exe "C:\Users\Admin\Application Data\wininit.exe" (depth 12)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1980

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91c5bc0d-3f00-4824-933d-ea3553c7ab32.vbs" (depth 13)
PID: 1916

C:\Users\Admin\Application Data\wininit.exe "C:\Users\Admin\Application Data\wininit.exe" (depth 14)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1068

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a657ec6-44b2-4ec6-9668-0c4130d1fca1.vbs" (depth 15)
PID: 2688

C:\Users\Admin\Application Data\wininit.exe "C:\Users\Admin\Application Data\wininit.exe" (depth 16)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2408

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a849ba9c-06b8-4add-8f2f-2acd07454c8e.vbs" (depth 17)
PID: 2280

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278454c5-440e-4ec1-addf-2e8ddafcbbca.vbs" (depth 17)
PID: 600

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff84e61a-55a0-4874-9bcf-8ebccc13a840.vbs" (depth 15)
PID: 2984

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a58d0fe-d03a-41e3-b01e-52e23b2fa382.vbs" (depth 13)
PID: 2868

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6033a3c-4160-42f4-bb78-562d5f0dc5bb.vbs" (depth 11)
PID: 2656

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0415fb31-567b-4a2c-95cc-fdd050bc24f8.vbs" (depth 9)
PID: 1996

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9963650b-c13b-4c17-b360-9a87926a7810.vbs" (depth 7)
PID: 1360

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fa166ea-e88a-4227-9b7f-2d0d17066c5f.vbs" (depth 5)
PID: 1516

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5db8d149-89a6-4816-980b-601fef0c9c54.vbs" (depth 3)
PID: 1772
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\OSPPSVC.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2804

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2816

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2716

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2788

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2708

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2824

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2760

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2812

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2608

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2712

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2644

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3048

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2580

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1036

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2032

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1724

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2652

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2500

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 620

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1304

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1540

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1584

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1740

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1500

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2768

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2908

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1004

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\Idle.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2200

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1624

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2352

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2576

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1084

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 848

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2572

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2980

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1260

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\services.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 956

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1228

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2556

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2224

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1980

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1940

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 896

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1776

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 864

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2868

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2512

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3056

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 868

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 676

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 884

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1560

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1420

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1968
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
Filesize 4.9MB
MD5 ee54e451e2874e9bce1b0d2343319f0d
SHA1 e8965dc7fa9448bc77160a1d90c6cc03251e8fa3
SHA256 f01ce3e5e55c3c5948ce01ceb3884898ac34b90a60c0bf2f08b75a1f326c281e
SHA512 4ae99cc7c1483f25951ff3d698cd21bfdab289de66ec10d16178e613e539982f151d4f092ad407cb55e166816fd9e618003ed8044d32660c80bb5edb3296ee1f
-
Filesize 4.9MB
MD5 397875ccdde144b8118a6c31e9f2ddf5
SHA1 2dd084fb6fcf3f88ec0e377e3d588e72db36a7e7
SHA256 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924
SHA512 d596ef357651886280750397c6d46c2cd67c452dd66181ba6cee487c6b8f2780f6e9d7e313809860ff258507d3c05b6c0a13ecdb5527c8be54fb3e4ff84684d7
-
Filesize 719B
MD5 e3c7616b65878eb2e2f5ad6f20f7baa0
SHA1 892149bea31e2fd65cacc72b4b7c629fcbf50782
SHA256 8202175de45b1c60a6080fd24dae8f8a2299b1bc7ea5bd5b4fbb69b5246d0982
SHA512 bb83539767953212a936d8f446243e87c5b49b50ff258ab9ce38d649691567f4581635fde12e5a395b19bed1ab64b4d67f1cb008e8cbc55c8ced117d9f77adde
-
Filesize 719B
MD5 5f330f0626c4f53f705bf48cd3a54418
SHA1 0dabb32b0928834fda088622ec168d4bd2ffe010
SHA256 db88df62a62ccfc1f737d164cd34327904cbc5e3d69bb886b69356c859a5218d
SHA512 048a4a5b35c4ed153af9cf9ea60290a74ae531e18538cfdf9413f25ce3e5e03b815681532be76da1e50f23627fc5e57e95d8136d6a272cdbb65faf256334f4f8
-
Filesize 719B
MD5 5c4166b9e2d44b7696b82de8e0514a83
SHA1 c3d9c314e6ef48eb9010d02fa62fb423d6a14961
SHA256 2cd425e6fcdcd1675246007c7972a7aa1e21f51aaaee1400bbb7bf42e70ea644
SHA512 5afb61032bec34564185f3860a3ca89e4a6169642b22a75219ab055a48850948d1e14fc75105258de1b7b3208486a1e9f364c500d73a6909cea5437dfd3008dd
-
Filesize 495B
MD5 a9bb6097d17200080b3825e9fad638ec
SHA1 8987716ba4f37ad171eec62b1004a790833cba4e
SHA256 32dbda849fb5b47c7ea0e3fadade31d5548240dd2fe8a447b6959203457cf329
SHA512 4f534afe3b0a29120a64305b580b979dfbff0c6b2d893565a778d5447b23ae398d087d38f2e62354d4b2d596e8042048f3c2f7a7fab3ffe2e0c2c64b277c5493
-
Filesize 719B
MD5 ac2dae5fe9829bd17f82c1e9abb10ee8
SHA1 4e8f9c50266dccf08294b859ed3c8fed211261b7
SHA256 cb0d2389c7e27264f561b2bd3957ee4fdc640f7e86b6108ac14b9a93c1f7bdba
SHA512 78ea2db51f8ef2bd420cd41d1470e7f7326d424b4cfe5a83247feabafbd67bb5bd7c83eff4981a30b7908113cf6b0e6c5df492fb347ddb3bc9cfc301a4d4b39a
-
Filesize 719B
MD5 f8cfc3f9946432a996628333174d264b
SHA1 b93256a2b4e8bc423df80913ed3d145e1197cbee
SHA256 e5679d2556b1386ed6c5d0cbc81a4689275e40f6c23353d5a7c13e9da2b51870
SHA512 6756cdd649ce35dd42f0f205c1858bdd65345bcccdaaa9dda56fc7d6edf60a4b46bf5d3ba4a034438497b82a3814fe7c65ab76210efaba4bb2c833bb402f6c3d
-
Filesize 719B
MD5 5819be66f4220bdf573614a1e20a7e0b
SHA1 67dcce478d139d74ebb8719d6d5d51fc3a9af3dd
SHA256 35693f3a839e3140e7877c6f31b448030f882c59cc02cdd3b9ef07bfd4728cc6
SHA512 2eeaa7c5b01c4e4328d23860987f6a4425f4d5ca908781d84f83f0be4015900b2e4bbc387ea2a138b11aa84d0038741d14a47929c08f930395ab72b7267e8d4a
-
Filesize 719B
MD5 c3c6864bbca422079612c035846c14da
SHA1 90619d30b38931ba93b42b03ce6df43753e3198e
SHA256 28ed01cd9bff28482f912c89e27bcbcce2aeb31e49ce55115cf982564455f42f
SHA512 0b905585dd00621398548e5f3fea782910f0e48b8ae63d1b752f694214085ebb92456b02f729d0b00bb9ab35b98565df4316680c26bd39c89c22f684e86e7956
-
Filesize 719B
MD5 5dc71af99b7c08bbdcba45c45882475b
SHA1 cfe6bed4a50a124212ea883316f63d12c736859c
SHA256 5ef9d1e421d6b08abe28166ede5848681b0a11b593b2f3a19ae7b1a67d8f9974
SHA512 5e9ea81393288bf57290d6f86bfa9fd7d5021560da6c458d8b55960dee25a7364241613fc1f06aea74a2cc899f7c10edaf99f38f94af94b8c07cdbfd3975d7ed
-
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KW616HCW37JRWJER9M4R.temp
Filesize 7KB
MD5 1b0cc943f29854eeae0ae7511a488ad3
SHA1 f4d0e988c521b310a52e62d51b23e355b1132125
SHA256 dd2ba0472641ebf30f4e9fffc41179e56dee84ce09d3bb59c3d4f37106f38cb1
SHA512 dd524fe3db0f8a8a2f61596df26745b5284b1474a33f6c164dbcb47298d52a23b48d5351e0815ec9a3f51d3ceeefeed79b0d7f3ada8eba33d28454bea4a3170f