Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 21:31

Static task: static1
Behavioral task: behavioral1
Sample: 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Resource: win7-20240903-en

General
Target: 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Size: 4.9MB
MD5: bc6d8c1824fbce3832a86042be6ce8ec
SHA1: 5c750a20d9ddeb5be64ba89d220a8657adbce18b
SHA256: 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30
SHA512: abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
DcRat 64 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 60 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/memory/2388-3-0x000000001BCE0000-0x000000001BE0E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE 12 IoCs
Drops file in Program Files directory 10 IoCs
description | ioc | Process
File created | C:\Program Files\Reference Assemblies\csrss.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Program Files\Reference Assemblies\886983d96e3d3e | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\conhost.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\conhost.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Program Files\Reference Assemblies\RCXB3BA.tmp | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Program Files\Reference Assemblies\csrss.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\088424020bedd6 | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\088424020bedd6 | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Drops file in Windows directory 17 IoCs
description | ioc | Process
File created | C:\Windows\Microsoft.NET\authman\24dbde2999530e | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Windows\L2Schemas\conhost.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Windows\Web\Wallpaper\Architecture\088424020bedd6 | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Windows\addins\powershell.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Windows\AppCompat\Programs\RCXBC56.tmp | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Windows\AppCompat\Programs\csrss.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Windows\Microsoft.NET\authman\RCXC0DA.tmp | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Windows\L2Schemas\088424020bedd6 | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Windows\addins\e978f868350d50 | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Windows\AppCompat\Programs\csrss.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Windows\AppCompat\Programs\886983d96e3d3e | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Windows\addins\powershell.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created | C:\Windows\Web\Wallpaper\Architecture\conhost.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Windows\L2Schemas\conhost.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification | C:\Windows\Web\Wallpaper\Architecture\conhost.exe | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 37 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 39 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | conhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe "C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe" 1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2388 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe "C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe" 2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2656 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2524 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\354bfacf-06f0-4152-9f7c-b1a77dd53ff0.vbs" 4⤵ PID:2224
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3064 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f260e15c-1c3f-4e8f-b9d7-406d47dc240a.vbs" 6⤵ PID:1664
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2752 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6354b907-5a0e-425e-9cb6-8ababfb61a28.vbs" 8⤵ PID:1440
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1616 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8f2fbc8-b7b1-44e4-9a4e-b60c3d7e6657.vbs" 10⤵ PID:1524
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1680 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d995d1-ba5d-4e93-b318-a0d04ca8e468.vbs" 12⤵ PID:920
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2684 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e862102d-2a37-4ee0-b2b9-07b8974c3c07.vbs" 14⤵ PID:3032
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:592 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e89509d-6c17-4bd3-8d2a-ddb9c4c2fe20.vbs" 16⤵ PID:2316
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2904 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a01589e-33a7-4409-809f-d240d359a159.vbs" 18⤵ PID:628
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:936 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5eae70-f3c0-442a-a3aa-5e674df4c189.vbs" 20⤵ PID:3048
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2152 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf5fecf9-f2ac-4eb9-8ef8-c6e62ccb4322.vbs" 22⤵ PID:1180
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe" 23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1184 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa3e8d23-32a3-40d3-86cb-50bbdef5577c.vbs" 24⤵ PID:592
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8979e7ff-708e-47cf-9373-1f410fd16f0d.vbs" 24⤵ PID:1472
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc7f2509-2c12-4b79-a6be-1c15ebf4d2ff.vbs" 22⤵ PID:1644
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b1db13-6486-4bd7-acbb-2b7a7fd434af.vbs" 20⤵ PID:2700
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c06224fb-a27d-4e25-8dea-1372a8e0a168.vbs" 18⤵ PID:1440
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fe7d63e-1c0e-4400-99af-8285f2dbe595.vbs" 16⤵ PID:2976
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d38ece4-f46a-4185-871d-2f46108ee645.vbs" 14⤵ PID:2536
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2765e86c-8aea-4132-a16d-be2b1be0fcf7.vbs" 12⤵ PID:2616
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2179b7a-2276-4dde-bc5a-6fd89b518472.vbs" 10⤵ PID:1100
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58fbb9cb-13f6-4b20-92a1-b4c9cbf73a5c.vbs" 8⤵ PID:2280
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc57696f-8517-4324-9cb3-fb773eec6c55.vbs" 6⤵ PID:900
-
-
-
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3439e6d-c6c1-40c5-a54c-f554d28e761e.vbs" 4⤵ PID:2800
-
-
-
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\lsm.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a304" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a304" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\services.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\conhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Architecture\conhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Architecture\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\Architecture\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\powershell.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\addins\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
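The schtasks.exe invocations above follow one template per dropped copy of the payload: a task named after the borrowed Windows binary (services, WmiPrvSE, wininit, conhost, WMIADAP, System, powershell) that fires ONLOGON with /rl HIGHEST, plus two short-interval MINUTE tasks that share a second name (the borrowed name with one extra letter), all registered with /f so a repeat run overwrites silently. The launched file never sits in the directory where the real binary lives. The Python below is an added triage example, not part of the sandbox report and not DcRat's own code: it parses schtasks /create command lines, groups them by the binary /tr launches, flags names that mimic Windows processes from the wrong directory, and marks the logon-plus-two-periodic registration pattern. The sample command lines are copied from the tree above plus one benign task constructed for contrast; the LEGIT_DIRS allow-list is an assumption based on a default Windows layout and should be extended per environment.

```python
"""Triage helper for schtasks.exe persistence as seen in the process tree above.
Added example, not the sandbox's or the malware's code. LEGIT_DIRS is an
assumption (default Windows layout, lower-cased); extend it for your estate."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Where each borrowed name legitimately lives. "System" is the kernel process,
# not a file, so any System.exe on disk is treated as suspect (empty set).
LEGIT_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "wmiadap.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
    "system.exe": set(),
}

# Constructed sample: two of the report's task triples plus one invented benign task.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe'" /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f''',
    r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "VendorUpdate" /sc DAILY /st 03:00 /tr "C:\Program Files\Vendor\updater.exe" /f''',
]

# A token is either a double-quoted run (quotes stripped) or a bare non-space run.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_schtasks(cmdline: str) -> Dict[str, object]:
    """Map each /switch to its value; switches that take no value map to True."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in _TOKEN.finditer(cmdline)]
    parsed: Dict[str, object] = {}
    i = 1 if tokens and not tokens[0].startswith("/") else 0  # skip program name
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is not None and not nxt.startswith("/"):
            parsed[key], i = nxt, i + 2
        else:
            parsed[key], i = True, i + 1
    return parsed


def task_target(parsed: Dict[str, object]) -> Optional[str]:
    """Executable launched by /tr, minus the single quotes DcRat wraps around it."""
    tr = parsed.get("tr")
    return tr.strip().strip("'") if isinstance(tr, str) else None


def is_masquerade(path: str) -> bool:
    """True when the file name is a known Windows binary but its directory is not one it ships in."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    return name in LEGIT_DIRS and str(p.parent).lower() not in LEGIT_DIRS[name]


def analyze(cmdlines: List[str]) -> Dict[str, dict]:
    """Group /create lines by launched binary and score each group."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for line in cmdlines:
        parsed = parse_schtasks(line)
        target = task_target(parsed)
        if parsed.get("create") is True and target:
            groups[target.lower()].append(parsed)
    report: Dict[str, dict] = {}
    for target, tasks in groups.items():
        logon_highest = any(str(t.get("sc", "")).upper() == "ONLOGON"
                            and str(t.get("rl", "")).upper() == "HIGHEST" for t in tasks)
        periodic = sorted(int(t["mo"]) for t in tasks
                          if str(t.get("sc", "")).upper() == "MINUTE"
                          and str(t.get("mo", "")).isdigit())
        masquerade = is_masquerade(target)
        # The registration shape in the report: one ONLOGON/HIGHEST task plus two MINUTE tasks.
        dcrat_pattern = logon_highest and len(periodic) >= 2
        verdict = ("high" if dcrat_pattern and masquerade
                   else "medium" if dcrat_pattern or masquerade else "low")
        report[target] = {
            "task_names": sorted({str(t.get("tn", "")) for t in tasks}),
            "masquerade": masquerade, "logon_highest": logon_highest,
            "periodic_minutes": periodic, "dcrat_pattern": dcrat_pattern,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for target, r in analyze(SAMPLE_CMDLINES).items():
        print(f"[{r['verdict']:6}] {target}")
        print(f"         tasks={r['task_names']} logon_highest={r['logon_highest']} "
              f"every={r['periodic_minutes']} min masquerade={r['masquerade']}")
```

The analysis works from the command line alone, so the same function can be run over process-creation telemetry that records command lines (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) rather than over a sandbox tree. Note that because both periodic tasks share a name and are created with /f, only the last registration survives on the host: for the authman copy that is "WmiPrvSEW" every 13 minutes at HIGHEST, so a live-host check of the Task Scheduler will show two tasks per dropped binary, not three.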
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Filesize: 4.9MB
MD5: bc6d8c1824fbce3832a86042be6ce8ec
SHA1: 5c750a20d9ddeb5be64ba89d220a8657adbce18b
SHA256: 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30
SHA512: abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292
-
Filesize: 737B
MD5: 8a7e782facb9687bc938370c792c9af5
SHA1: ea24b2a85199d1177c8addd75b07ec9091d7d9ae
SHA256: 43a6bf5afc483a791d318aacf557a4b674aac1af101f6dbacda53bb1362aaa1a
SHA512: d8845e1cc482a4300f51eb93ac3af2a671f2f86f831171dbe0bf222e55397c6f2d8b27c865397a92373943cda09879553c0904f3123437c83d011656d74dbff1
-
Filesize: 737B
MD5: 36673862516eebed17726179f0426dfe
SHA1: 4389b9e67a4c64c6b5a1f608476aa6f7606d66de
SHA256: 2e3af1e7a1c625d29020881745084d8bb174b01191c549a95ccdf9d56b91e7c3
SHA512: 57dea71ac01eb4dce6eaeec0c73b913879ecafcd955e935313e0e39147263969bb0fc0dc1b69b4c49fd8a51f1373cb99008318887f6a3ce128443d3d35cba54e
-
Filesize: 736B
MD5: 04891fcb5bb3c65e17728bb182d9874f
SHA1: e159333d162314b372f524081d79dcc970b1c52f
SHA256: c0fb449c724cfe93a7a32842e469089beff7fe0e04f4bdd064e3ae4b9759f91b
SHA512: 2b0fd4866c024da84bdaddd31d02a79bdda23ab56fc9bfd3b05445c22968e7acee9fafd0bce669e5a3693216252f155b3bd0e2971974a15a6cf9af70285a25f3
-
Filesize: 736B
MD5: 03d3aab2a5206084aa593f71712ed4f3
SHA1: 8125e80db923fe71ce9d3d7d18bdcfc8852daf4c
SHA256: 7c11f3b8f25b326fe15df56dbd40dd797b6ad70eb4a497396ad3d2ed7cd9e09b
SHA512: b84074394d05526eeb5ffe960403f60fae66fcd08dccbd46b0d07d1a5b79e9775a25e4ac9ecfc99e0a56773ac149b96c9136a7ecd207a370e2dd9b3603242f11
-
Filesize: 737B
MD5: af0c9ed2f98d0e1ce87838911a959d93
SHA1: 545197447282321f464d00d22de4ddd13863431a
SHA256: b63a96059807131a009ca2ea44f58ab2aecc583c40142e11516971b8605f1e57
SHA512: 800164e77af8bd1bab568df87b1411b582b7e9667326f2b20f2858ffa30cfb0c08aa5068a8b978a76357deeab03c5fb0dce4e3457eb4627bbe2fb1376d78cef3
-
Filesize: 737B
MD5: ffcf3af890f0b5f7b6d354f88cea00b8
SHA1: 3f6df174304d43132cd944278a24265f5fb008ba
SHA256: 014d641895dc36350cedaaf6652a4d44771bc89c8f12d8c08cd1f9a0354e29da
SHA512: 782ddf4c596263540da831aa779a0741b7f375b15afcf8bba4cbb700b582bc528f022a4dd92941286184904a195caa9b5b4c8ea5316ee830e7e042cd5c700a25
-
Filesize: 737B
MD5: d0d26af29f1cdf6c67ef14db68ea7bce
SHA1: c92d089615bd3b0f29f620f40a3c0f59bca02ab6
SHA256: 0810b4cc23292f2b3c75596a9ab78379a340d07b063b8d647b82715de5700f68
SHA512: e993d604782945bdd08ae3bf2db6c45e379b408f9510d25fb4df986cbc1a5424f13671c367f3cc95d49c36f2d549d33b20adc2543ac9ec8ff71bbc0b71b08686
-
Filesize: 513B
MD5: a07d26bdcc704b8a6c9d713ff5722053
SHA1: 5c0f5fac032978ab49c38a036e7bc71f42f66fed
SHA256: db040ae08c77ab5b7aa35c8be5764d9b80c9e3a31e3d21d64d37ba25b6d4b216
SHA512: 9099f6ac1aca99a6a4bec7cffe4365d3d3aee26751bebb568ca3a501d5fa93c8b8fa0c7ce47f3ea79fed7696e483c5ca8d357e45a50804b472123b02f19ed44d
-
Filesize: 737B
MD5: 5a3291bb08e384d00d4c62ba627c108a
SHA1: 71e985d530c6259ce7d773b7afe33ef002763c9f
SHA256: e8356bca13c23573c7395699b6cb0ad8c8a1942cf356099153e3c1a95d46e381
SHA512: a6c15e6468f6f948aa20f1be77a1410970b81c287730fa4ab8c0306571e627db19fb4e15d90fcb41dc6f46ddc2f8ac05d34608f3efdc45e90cfe23ab807a3a91
-
Filesize: 737B
MD5: 32bbff66dfd7bb8ba8be0ed87f02a537
SHA1: c80df9fb965730a8b09254a5e4612ed06012b79b
SHA256: 27b2283272cf60e9691f9e27f4710e55421dbf567debce6c492841ca30e791e0
SHA512: 071b912c0c0e928a7217662e93c1588b3c0fb75bf24052557ea2de68ae7f69e46823f265b74341c1c0a1047d6164529634338be1c9b8ccc0d132f129b78d881e
-
Filesize: 737B
MD5: 47bc2b49abd48d40d54b62da3e2fb352
SHA1: 6930a0f2c9a1812689b8e5a8db2f950d311a721c
SHA256: 3fe34c6bef2b3017526de7a473baf723dcd92cff3615ec46d146257e4ac4b900
SHA512: cbb47abd915c3c79b56e8eca171ceda468764b77c190e707048c2576d0e26e4091c677a9f8f5628882ecf1d1556b0fa4b457f2cc498255a3e7a10fe7d5e78d14
-
Filesize: 75KB
MD5: e0a68b98992c1699876f818a22b5b907
SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JU6D1ZFJINZWE4VAUJ3F.temp
Filesize: 7KB
MD5: db9e986f0941f0ebd716af3e03fbb30f
SHA1: dac080a72ed1d1852e47fc77040bd79b411d7642
SHA256: bded16012941dd9b2fc930e1da8cbcede8fddda6c430282fa3e8179295bd0be6
SHA512: bc4e5fe8f277a3422504234df4e6f122be5ed3bb40338ed2d85255df4f5d1daf70c8a4c87c5cbad4ada5bcd62fc6370a22b44d27943c1669847a05cfd5cb152d