Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2024 18:42
Behavioral task: behavioral1
  Sample: af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
  Resource: win10v2004-20241007-en
General
Target: af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
Size: 1.7MB
MD5: 6d41ecedcce80f8c3fa81d06041101e8
SHA1: a0c354fc73043792e994309472a61ddb35144a0d
SHA256: af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd
SHA512: 874a83462cbc5ac0f71b0b18ab07a284106cdbfb19f170c83bc954cf1b017634e57374971df1f1a4ac33b24d91ebb234fcff80de5bd94a74a144f84c205557d5
SSDEEP: 24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJz:NgwuuEpdDLNwVMeXDL0fdSzAGM
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource                                                                      yara_rule
behavioral1/memory/2364-1-0x0000000000850000-0x0000000000A06000-memory.dmp    dcrat
behavioral1/files/0x0005000000019426-27.dat                                   dcrat
behavioral1/files/0x000a000000019d7b-96.dat                                   dcrat
behavioral1/memory/2776-288-0x0000000000190000-0x0000000000346000-memory.dmp  dcrat
behavioral1/memory/1784-385-0x0000000000890000-0x0000000000A46000-memory.dmp  dcrat
behavioral1/memory/2644-397-0x0000000000EF0000-0x00000000010A6000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Drops file in Drivers directory 1 IoCs
description                   ioc                                      Process
File opened for modification  C:\Windows\System32\drivers\etc\hosts    af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
Executes dropped EXE 3 IoCs
pid   Process
2776  af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
1784  audiodg.exe
2644  audiodg.exe
Drops file in Program Files directory 46 IoCs
Drops file in Windows directory 6 IoCs
description                   ioc                                          Process
File created                  C:\Windows\Web\System.exe                    af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
File created                  C:\Windows\Web\27d1bcfc3c54e0                af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
File created                  C:\Windows\Offline Web Pages\System.exe      af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
File created                  C:\Windows\Offline Web Pages\27d1bcfc3c54e0  af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
File opened for modification  C:\Windows\Web\System.exe                    af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
File opened for modification  C:\Windows\Offline Web Pages\System.exe      af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 28 IoCs
description              pid   Process
Token: SeDebugPrivilege  2364  af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
Token: SeDebugPrivilege  1984  powershell.exe
Token: SeDebugPrivilege  2584  powershell.exe
Token: SeDebugPrivilege  900   powershell.exe
Token: SeDebugPrivilege  2592  powershell.exe
Token: SeDebugPrivilege  2440  powershell.exe
Token: SeDebugPrivilege  484   powershell.exe
Token: SeDebugPrivilege  2940  powershell.exe
Token: SeDebugPrivilege  2840  powershell.exe
Token: SeDebugPrivilege  2168  powershell.exe
Token: SeDebugPrivilege  2196  powershell.exe
Token: SeDebugPrivilege  2280  powershell.exe
Token: SeDebugPrivilege  1308  powershell.exe
Token: SeDebugPrivilege  2776  af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
Token: SeDebugPrivilege  2584  powershell.exe
Token: SeDebugPrivilege  1652  powershell.exe
Token: SeDebugPrivilege  1664  powershell.exe
Token: SeDebugPrivilege  2252  powershell.exe
Token: SeDebugPrivilege  2300  powershell.exe
Token: SeDebugPrivilege  2284  powershell.exe
Token: SeDebugPrivilege  2212  powershell.exe
Token: SeDebugPrivilege  1760  powershell.exe
Token: SeDebugPrivilege  1800  powershell.exe
Token: SeDebugPrivilege  2256  powershell.exe
Token: SeDebugPrivilege  2708  powershell.exe
Token: SeDebugPrivilege  1868  powershell.exe
Token: SeDebugPrivilege  1784  audiodg.exe
Token: SeDebugPrivilege  2644  audiodg.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Tree depth is given per process: depth 1 is a top-level process, and a depth N+1 entry is a child of the preceding depth-N entry.

C:\Users\Admin\AppData\Local\Temp\af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe (depth 1, PID 2364)
Command line: "C:\Users\Admin\AppData\Local\Temp\af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe"
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1308)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 900)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2168)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2196)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2592)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 484)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2940)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2440)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1984)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2840)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2584)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2280)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (depth 2, PID 1864)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eFR6a9mIY7.bat"
- Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (depth 3, PID 828)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe (depth 3, PID 2776)
Command line: "C:\Users\Admin\AppData\Local\Temp\af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2252)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 1868)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 1664)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2256)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2284)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2212)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2584)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 1652)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2708)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 1760)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2300)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 1800)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (depth 4, PID 2720)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SqT8hDQfA5.bat"

C:\Windows\system32\w32tm.exe (depth 5, PID 2188)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Mail\audiodg.exe (depth 5, PID 1784)
Command line: "C:\Program Files\Windows Mail\audiodg.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WScript.exe (depth 6, PID 268)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0347e16e-dba5-41a3-879f-8441e5c22c3a.vbs"

C:\Program Files\Windows Mail\audiodg.exe (depth 7, PID 2644)
Command line: "C:\Program Files\Windows Mail\audiodg.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WScript.exe (depth 6, PID 3000)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6a36e65-4bc4-4d48-bcc2-b270dca00402.vbs"

C:\Windows\system32\schtasks.exe (depth 1, PID 2908)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2920)
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2772)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2880)
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3004)
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2644)
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2784)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2672)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2636)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1696)
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2180)
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2168)
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1856)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2708)
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2812)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2000)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1656)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 796)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1720)
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\WmiPrvSE.exe'" /f
- Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 1064)
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2856)
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1908)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2012)
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Application Data\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2960)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2956)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2832)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 2288)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2076)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2208)
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2188)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 944)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1516)
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1036)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1088)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 960)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1032)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 572)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1732)
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 468)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1780)
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1624)
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1816)
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1404)
Command line: schtasks.exe /create /tn "af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dda" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2880)
Command line: schtasks.exe /create /tn "af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2672)
Command line: schtasks.exe /create /tn "af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dda" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2456)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\DAO\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2852)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\DAO\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1632)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\DAO\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2000)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1592)
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1568)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 304)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2560)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 840)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 872)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2192)
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1360)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2676)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2572)
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1088)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1764)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2216)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2860)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2356)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2128)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 268)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Network
MITRE ATT&CK Enterprise v15