Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 03:45
Static task: static1
Behavioral task: behavioral1
Sample: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Resource: win7-20240903-en
General
Target: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Size: 4.9MB
MD5: 35612ca19890339ff523d7a64dcc546f
SHA1: 8f6eb8a29167819fbe9b6274b770f2df64381203
SHA256: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177
SHA512: 1ed3e12527195000b086b06fd468e77f6e3364f0ee5de617739c67e7d843e61575d46da91313165b7b21d38e7f7a2587528127e5256c96c1c864ca4d78158b05
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8J:J
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
UAC bypass
yara_rule dcrat matched resource behavioral1/memory/2352-2-0x000000001B3F0000-0x000000001B51E000-memory.dmp
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
powershell.exe (pid): 1996, 2936, 2828, 2768, 2248, 1580, 2592, 1752, 2144, 3004, 2388, 2344
Executes dropped EXE 11 IoCs
csrss.exe (pid): 1956, 2712, 688, 2880, 2576, 3048, 2580, 1684, 2632, 1976, 2360
Checks whether UAC is enabled
Drops file in Program Files directory 12 IoCs
All by process 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe:
- File opened for modification: C:\Program Files (x86)\Windows NT\RCXB48A.tmp
- File opened for modification: C:\Program Files\Windows Journal\en-US\RCXB68E.tmp
- File created: C:\Program Files\7-Zip\Lang\taskhost.exe
- File created: C:\Program Files\7-Zip\Lang\b75386f1303e64
- File created: C:\Program Files (x86)\Windows NT\explorer.exe
- File created: C:\Program Files (x86)\Windows NT\7a0fd90576e088
- File opened for modification: C:\Program Files\7-Zip\Lang\RCXAA48.tmp
- File opened for modification: C:\Program Files\7-Zip\Lang\taskhost.exe
- File created: C:\Program Files\Windows Journal\en-US\csrss.exe
- File created: C:\Program Files\Windows Journal\en-US\886983d96e3d3e
- File opened for modification: C:\Program Files (x86)\Windows NT\explorer.exe
- File opened for modification: C:\Program Files\Windows Journal\en-US\csrss.exe
Drops file in Windows directory 4 IoCs
All by process 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe:
- File created: C:\Windows\Fonts\sppsvc.exe
- File created: C:\Windows\Fonts\0a1fd5f707cd16
- File opened for modification: C:\Windows\Fonts\RCXAE50.tmp
- File opened for modification: C:\Windows\Fonts\sppsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 24 IoCs
Suspicious use of AdjustPrivilegeToken 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 36 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe"
Depth: 1
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Program Files\Windows Journal\en-US\csrss.exe"C:\Program Files\Windows Journal\en-US\csrss.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1956 -
C:\Windows\System32\WScript.exe (depth 3)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f1c13e4-c0c8-4a54-a86a-292f65afca35.vbs"
- Suspicious use of WriteProcessMemory
PID:2816
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 4)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2712
-
C:\Windows\System32\WScript.exe (depth 5)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fe609b4-6da5-49f2-9060-0a9f4a387bea.vbs"
- Suspicious use of WriteProcessMemory
PID:2448
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 6)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:688
-
C:\Windows\System32\WScript.exe (depth 7)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41771fb1-b761-4b9f-b16b-08f342145f90.vbs"
- Suspicious use of WriteProcessMemory
PID:2344
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 8)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2880
-
C:\Windows\System32\WScript.exe (depth 9)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e06c2fc-ca93-46bd-9967-5c4c580d59b6.vbs"
PID:2568
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 10)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2576
-
C:\Windows\System32\WScript.exe (depth 11)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82eebeaa-2538-4e5b-be8a-0f74f97d4275.vbs"
PID:3044
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 12)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3048
-
C:\Windows\System32\WScript.exe (depth 13)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dfbb9ce-64bf-4e42-96d1-1560dd7e9d12.vbs"
PID:2556
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 14)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2580
-
C:\Windows\System32\WScript.exe (depth 15)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c28e1fe7-612c-415a-8774-d421d7d82b02.vbs"
PID:2152
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 16)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1684
-
C:\Windows\System32\WScript.exe (depth 17)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f97bf3a-de10-4db3-97de-5b7f101c3927.vbs"
PID:1596
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 18)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2632
-
C:\Windows\System32\WScript.exe (depth 19)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad1cc912-6b8e-4056-9915-8f8bf7131697.vbs"
PID:1112
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 20)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1976
-
C:\Windows\System32\WScript.exe (depth 21)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f690321-a7dc-4fb3-bd25-59f3a8d67a61.vbs"
PID:2092
-
C:\Program Files\Windows Journal\en-US\csrss.exe (depth 22)
  "C:\Program Files\Windows Journal\en-US\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2360
-
C:\Windows\System32\WScript.exe (depth 23)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcd59b35-944e-421b-adf4-154e92bbe218.vbs"
PID:2508
-
C:\Windows\System32\WScript.exe (depth 23)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f727063-96d9-4a62-b674-283bd2e806d0.vbs"
PID:2160
-
C:\Windows\System32\WScript.exe (depth 21)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6be96d-9109-427a-9c49-24958b5c4bc5.vbs"
PID:2640
-
C:\Windows\System32\WScript.exe (depth 19)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ca53583-2e80-493f-8637-fd9b6f432fac.vbs"
PID:2840
-
C:\Windows\System32\WScript.exe (depth 17)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddb76530-bc5c-4927-9f58-f2f3fe6813dd.vbs"
PID:740
-
C:\Windows\System32\WScript.exe (depth 15)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d46916bb-3457-40e4-b441-12a687b03dc2.vbs"
PID:2356
-
C:\Windows\System32\WScript.exe (depth 13)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\419e6393-043a-4f40-ab46-5992bc79c588.vbs"
PID:1736
-
C:\Windows\System32\WScript.exe (depth 11)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26f1ea8d-f96c-4710-b5ac-aedfc0f7cb28.vbs"
PID:448
-
C:\Windows\System32\WScript.exe (depth 9)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce024d87-9349-433b-bb00-00e0921120d1.vbs"
PID:2756
-
C:\Windows\System32\WScript.exe (depth 7)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e293aee4-160e-4154-a611-dc079d5c4eb1.vbs"
PID:3056
-
C:\Windows\System32\WScript.exe (depth 5)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81dc88ad-b4e9-43d4-a2d4-25eb65d86612.vbs"
PID:1696
-
C:\Windows\System32\WScript.exe (depth 3)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcda4d7c-ed9a-4cc7-8740-d33f78c99f20.vbs"
PID:2948
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Updater6\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Updater6\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
Filesize 4.9MB
MD5 35612ca19890339ff523d7a64dcc546f
SHA1 8f6eb8a29167819fbe9b6274b770f2df64381203
SHA256 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177
SHA512 1ed3e12527195000b086b06fd468e77f6e3364f0ee5de617739c67e7d843e61575d46da91313165b7b21d38e7f7a2587528127e5256c96c1c864ca4d78158b05
-
Filesize 724B
MD5 904abfa0540b3e1891e88433d12beba4
SHA1 a5bc2951bd8b84ed6ecc8e074367751b760d5dda
SHA256 dee6f4b326cc66e7d5285b3082af88ca9ef671d2d7d3cd1a0ff53fb1560eab00
SHA512 e4094e137262f011f2d8c1e87fe7b2561d1b3848a86809e817ab8d773478ec3d2fee2b1da3b763eed1ee821d19e7f251aa117acac4c1baf65e02f40c39847b57
-
Filesize 724B
MD5 df867dc6c480b8fb54b3d182bdf7a6a5
SHA1 8ba686aad3adefd17d9af1cd0ef611aa6cc15281
SHA256 01115e2e80f52fb0d346b83374ae319e24d44cc4cdd2af24b939f500e8468fc6
SHA512 7841129b86e6350f4344c05e85533c998f8c592cd2398e2490b0eec84675ba6b7993b35810b7a2696cb08b3ee8ed0e53a1c2d0e3db8a8516b7d458dea1a45f43
-
Filesize 724B
MD5 0e3c8c98ab438f8a0911cb7d548e7f84
SHA1 361edec27379066cc7080609671b9508cc029006
SHA256 d7f16ea0624d0dd1c305d83ca37624642fd43d9d08a50dcb21ba4e69ce993fbf
SHA512 9283b0089a15d513c022929cd39ef21c0368d6f09d6b93dee9ab10566ed579e9f7b8e3127ddf089485eda14df59394da59b716be436e65fb582c4977cc5b7f6c
-
Filesize 723B
MD5 d05e7b7fd2edd9ef642d1469ff4da932
SHA1 c09aff4c366385511bffcffc07be0912835f2c10
SHA256 f2756fd109efd37b803b37977cb16dff41d77b00876b377144e1bb47147dea1d
SHA512 7f44ecd006bb9eaee6e1e683015065eca1f641419660b751769369d1833a46939b4fb22ec2db5b656a3a04d7e4dd5ea2ece63b457357698cac1ceec4f9823563
-
Filesize 724B
MD5 95f26621a35290fdbb6543d53793f514
SHA1 96dfca55a89bc5af17a3f915724ef12f96cff41b
SHA256 f5f1d214a3dcf7697cd631d0fd3683c24da047880dac09b4078ab21bfcb596ec
SHA512 ad2ad61cc5fac4badefdec9e5233b0a194745ae094faaca2a498af7dba8d447d7283b3f752b8249696f8b57fec6df582de8b4b318069545e938ed8bbe31d0eed
-
Filesize 724B
MD5 2105b0f1325bbeebe39035aa77c09c77
SHA1 82e42a175c14d5f81c7e94250fdbbd886f730f55
SHA256 006c5315494f1f009aec21aa861eb42c049be08102b3c121323910baebac35d3
SHA512 6b8c2a537866216b878c7f6eaf08d60a5d8d8aa732712dd7b336c6c7c3463b0305979916ef9fe9d00ed93f309821ebcdbec0369316e7e191f14bdc1c58dffd10
-
Filesize 724B
MD5 5eb1230a06ab0db76567459ab6d4f4cd
SHA1 f2862a812e0294c4e5f61a0cb3a96e47c8d2bf3a
SHA256 edb3356eb095b5faf241ba1ec4c5232fcf445f67cfd13e3c2f4c2c3d5c0b40c3
SHA512 72e1f271382100fe78d5ecf06ba29fee939b7eace8f6303f60188580b45ab502a9bf46f5a4e569020c364433834eb6b8574ea31aab635775d9e604382587e55d
-
Filesize 724B
MD5 52d0648abecbeedc1387977378eff19a
SHA1 87c628afbed47d071620c0ccbfe4253504ad0c19
SHA256 f1cd8971c1884d1d1d96efb202d4e11234966e7b6062753c7085350d5e01e481
SHA512 046ab8fc25b59671a8465a2c9183c30af8ec70864a35a8b894353a5181baa103896504d5cabdb9e865a83c882c0202492c0bf74e4fe036624a7ae0154ef1ce8b
-
Filesize 724B
MD5 c2600df1047bffaccc87e9c9cbdeeded
SHA1 6a6d9a4bb4d66865273ead520db72575292c5a52
SHA256 1730d5c565736bbef6c9fe6f60af087e561b0cab01e61ef69f865b01303d83bc
SHA512 165513a7c58c4608853cf08ac4d439a1487df02ebda2e9a8fdabe70c24c86405b42253b82bb9be02db55112eb28a1c70ea5dd0e52d07bf9b57540b5550d4a64c
-
Filesize 724B
MD5 e807b57c8a2a912fd1da9082100df129
SHA1 0795f36a4dae9d29bed45caba1361a0d91432a8e
SHA256 89326908662ab0cda29d0959e2bf0fdcf4f1e79aca79b8026d91c9dce939a1a0
SHA512 d87c7d30da4c86466bfc5921bf2e2b1fd5e0a369da88e1f0f5de4ecfbbbe13df0bf59f8593c4d3720facf6250e1f578a41d3500a2200e385b360652726264b3a
-
Filesize 500B
MD5 015a0dc1ab5365677054e68172457689
SHA1 4ee47a594eb6b17a1fded7351c6ee28f024f7ac2
SHA256 51d028cfb0f12caaffff27fc32c24f5c68176718822ea54ff422c5c0f89f509d
SHA512 8a10a001be649bbcd4cb07050e50cacdf009e6eedb1c3f9700edbb19b9c0e33b3d8033bf235ec1504e63e1fe4fc24c5dcb71181ee02a67db90424815090ef9f3
-
Filesize 724B
MD5 e190ffe7ad3940ebaeeb1bf048e3e81f
SHA1 9a9f6cf1c54284758ad43d8c873bb001590ff57b
SHA256 54e269f489a0dd2f10eac3ffb94302fa1f6f7508e787d62e57a42b616a7688af
SHA512 1872a9f0677b9ec7e9f91a555341b46dcedfd28053c2babe9c494376c62110453bb4bf1fc1a3fb60d027bbb918d6960bb27d48e29ec31bb63e362297067e76c7
-
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NKY6FYTH7ERFJFW07Y53.temp
Filesize 7KB
MD5 4f62c4c97beae38e07438745bf27b0bc
SHA1 8d06034d7f6afd9f166df111459598626fc7a620
SHA256 5901173c8e88510c505d5fca87d53b220edbea83e0c8fc0d2b3d163883fe0ffa
SHA512 005fa086f2a94988b7b93140ae8ba180771872173f45aefb6343c8c045310214233655e164d3d2812ff944fed4497792d64dc030a1a91c26a7789266a3659c7e
-
Filesize 4.9MB
MD5 0132bced8ab690c527024097d98b4c42
SHA1 eb05307ff7abdc1b32658ef9fd9e56dfa19a0589
SHA256 629e30889d3fcc89252e75e3d13f337df7e7966b0a89bee66155fe16d740a4a9
SHA512 edf052ec8b916311e8d47939afb43f06ae136a3cdd0c47d45ae63fa7c7554655e5e0627ff71b103f5b2c10527685785265ecb7440ef79044d77cb6178c685d83