Analysis

max time kernel: 149s
max time network: 136s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2025, 12:05
Static task: static1

Behavioral task: behavioral1
  Sample: e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
  Resource: win10v2004-20241007-en

The signature output below comes from the windows7_x64 run (behavioral1).
General

Target: e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe (written as [sample] in the signature tables below)
Size: 1.5MB
MD5: d36cc4a093e0bc7ca5a9342ab6012419
SHA1: ce5387ec8626e899804182655ad84ed339771ed1
SHA256: e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1
SHA512: df08e46279f1726a78b73b2191b7e878512e84520eed04f5b45aa14553447e216bf9b3a44d0478947d340ced9c434b7526266b4380f0fe16196eb8da5c8206be
SSDEEP: 24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK
Malware Config
Signatures
DcRat 8 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
description | ioc | pid | Process
- | - | 2764 | schtasks.exe
- | - | 2680 | schtasks.exe
- | - | 2656 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | - | [sample]
File created | C:\Windows\System32\recovery\6203df4a6bafc7 | - | [sample]
- | - | 2760 | schtasks.exe
- | - | 2808 | schtasks.exe
- | - | 2660 | schtasks.exe
Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
The Shell value under Winlogon accepts a comma-separated list of executables, all of which Winlogon starts at logon. [sample] rewrites it six times; each write repeats the previous list and appends one more path, so the sixth write holds the complete list.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\recovery\\lsass.exe\"" | [sample]
Set value (str) | same key, previous list + \"C:\\Windows\\System32\\sdengin2\\taskhost.exe\" | [sample]
Set value (str) | same key, previous list + \"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\" | [sample]
Set value (str) | same key, previous list + \"C:\\Windows\\System32\\SearchProtocolHost\\taskhost.exe\" | [sample]
Set value (str) | same key, previous list + \"C:\\Users\\All Users\\lsass.exe\" | [sample]
Set value (str) | same key, previous list + \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\" | [sample]
Final value: "explorer.exe, \"C:\\Windows\\System32\\recovery\\lsass.exe\", \"C:\\Windows\\System32\\sdengin2\\taskhost.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\", \"C:\\Windows\\System32\\SearchProtocolHost\\taskhost.exe\", \"C:\\Users\\All Users\\lsass.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""
Every added entry borrows the name of a genuine Windows or Office binary (lsass.exe, csrss.exe, taskhost.exe, OSPPSVC.exe) but sits in a directory where the genuine file never lives; the real lsass.exe and csrss.exe are in C:\Windows\System32 and are never launched through Shell. During incident response, a Shell value that is anything other than "explorer.exe" is a finding on its own.
Process spawned unexpected child process 6 IoCs
This signature's generic description reads: this typically indicates the parent process was compromised via an exploit or macro. In this run the parent is the WMI provider host and the children are the six schtasks.exe processes listed under Scheduled Task/Job below, which is consistent with the sample creating its scheduled tasks through WMI (a process created via WMI is spawned by WmiPrvSE.exe) rather than with an exploited parent.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2820 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2808 | 2820 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2820 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 2820 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 2820 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 2820 | schtasks.exe | 30
UAC policy writes (the signature heading for this table is not present in the extracted page)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe (repeated), [sample]
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe (repeated), [sample]
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe (repeated), [sample]
Identical rows are collapsed here; the original lists every write separately, most of them by the dropped taskhost.exe copies. Together the three values switch UAC off: EnableLUA=0 disables UAC entirely once the machine reboots, and until then ConsentPromptBehaviorAdmin=0 makes administrators elevate without any prompt while PromptOnSecureDesktop=0 moves whatever prompt remains off the secure desktop. Writing these values requires administrative rights, so their presence also shows the sample was already running elevated.
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Sandbox description for this signature: runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes. The PowerShell command lines themselves are not included in this extract, so the exact exclusions cannot be read from this page.
pid | Process
596 | powershell.exe
328 | powershell.exe
2612 | powershell.exe
2916 | powershell.exe
2036 | powershell.exe
2164 | powershell.exe
1084 | powershell.exe
All seven are direct children of [sample] (PID 1872), see the WriteProcessMemory tree below.
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | [sample]
The hosts file overrides DNS resolution for every process on the machine; the page does not show what was written, so the file should be diffed against a clean copy on any affected host.
Executes dropped EXE 14 IoCs
pid | Process
1560 | taskhost.exe
2460 | taskhost.exe
668 | taskhost.exe
2264 | taskhost.exe
1392 | taskhost.exe
2692 | taskhost.exe
2688 | taskhost.exe
2368 | taskhost.exe
1652 | taskhost.exe
1436 | taskhost.exe
2268 | taskhost.exe
2828 | taskhost.exe
1640 | taskhost.exe
3048 | taskhost.exe
Adds Run key to start application 2 TTPs 12 IoCs
\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000 is the sandbox user's hive (HKCU); \REGISTRY\MACHINE\SOFTWARE is HKLM.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\recovery\\lsass.exe\"" | [sample]
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\"" | [sample]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\"" | [sample]
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\lsass.exe\"" | [sample]
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\"" | [sample]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\"" | [sample]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\recovery\\lsass.exe\"" | [sample]
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\sdengin2\\taskhost.exe\"" | [sample]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\sdengin2\\taskhost.exe\"" | [sample]
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\SearchProtocolHost\\taskhost.exe\"" | [sample]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\SearchProtocolHost\\taskhost.exe\"" | [sample]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\lsass.exe\"" | [sample]
Each dropped copy gets both an HKCU and an HKLM Run entry. The value names collide, though: "lsass" is written twice per hive with different paths, as is "taskhost", so only the last write of each name survives in Run; the Winlogon Shell list above is what keeps all six copies starting.
EnableLUA check-and-set (the signature heading for this table is not present in the extracted page)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe (repeated), [sample]
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe (repeated), [sample]
Identical rows are collapsed here; in the original, reads and writes alternate, i.e. each process reads EnableLUA and then forces it to 0.
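The registry rows in the Winlogon, UAC-policy and Run-key sections above all share one layout: Set value (type) \REGISTRY\<key> = "<value>" <process>, with quotes and backslashes inside the value escaped. The Python below is an added example, not part of the sandbox report and not vendor tooling: it parses rows in that layout and flags the three behaviours seen on this page (UAC policy values forced to 0, extra entries in the Winlogon Shell list, and Run-key targets that reuse a core Windows binary name outside System32). The event rows are copied from the sections above except the last one, a constructed benign Winlogon write used as a negative control; the SYSTEM_BINARIES set and the finding names are choices made for this example.

```python
import ntpath
import re

SAMPLE = "e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe"

# Rows in the report's own layout. All but the last are copied from the
# sections above; the last is a constructed benign Winlogon write that
# serves as a negative control.
EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\recovery\\lsass.exe\", \"C:\\Windows\\System32\\sdengin2\\taskhost.exe\"" ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\lsass.exe\"" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\"" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" msiexec.exe',
]

# Set value (<type>) \REGISTRY\<key>\<name> = "<escaped value>" <process>
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Core Windows images whose names this sample reuses for its drops. The genuine
# copies live in System32 and are never started from a Run key, so a Run target
# carrying one of these names outside System32 is a masquerade (example's own list).
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "taskhost.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"


def unescape(raw):
    """Undo the backslash escaping the report applies to quotes and backslashes."""
    return re.sub(r'\\(["\\])', r"\1", raw)


def parse_event(line):
    """Return a dict for one registry row, or None for anything else."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    vtype, key, raw, proc = m.groups()
    key_path, _, name = key.rpartition("\\")
    return {"type": vtype, "key": key_path, "name": name,
            "value": unescape(raw), "process": proc}


def shell_entries(value):
    """Split a Winlogon Shell value. It is a comma-separated list and the report
    quotes every entry after explorer.exe. Paths containing commas are not
    handled (none occur in this report)."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def masquerade(path):
    """True when a system-binary name is used outside C:\\Windows\\System32."""
    path = path.strip('"')
    return (ntpath.basename(path).lower() in SYSTEM_BINARIES
            and ntpath.dirname(path).lower() != SYSTEM32)


def triage(lines):
    """Return (finding, process, detail) triples for the three behaviours."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = ev["key"].lower()
        if key == UAC_KEY.lower() and ev["name"] in UAC_VALUES and ev["value"] == "0":
            findings.append(("uac_disabled", ev["process"], ev["name"] + "=0"))
        elif key.endswith(r"\winlogon") and ev["name"] == "Shell":
            extra = [e for e in shell_entries(ev["value"]) if e.lower() != "explorer.exe"]
            if extra:
                findings.append(("winlogon_shell_hijack", ev["process"], "; ".join(extra)))
        elif key.endswith(r"\currentversion\run") and masquerade(ev["value"]):
            hive = "HKLM" if key.startswith(r"\registry\machine") else "HKCU"
            findings.append(("run_key_masquerade", ev["process"],
                             hive + "\\...\\Run\\" + ev["name"] + " -> " + ev["value"].strip('"')))
    return findings


if __name__ == "__main__":
    for kind, proc, detail in triage(EVENTS):
        print(f"{kind:22} {proc:14} {detail}")
```

Run against the seven rows it reports six findings: three UAC values forced to 0, one Shell hijack naming the two appended paths, and two Run-key masquerades (lsass.exe under C:\Users\All Users, csrss.exe under Windows Journal); the benign Shell write produces nothing. The same parser applies unchanged to the full tables above if they are pasted in one row per line.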
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\recovery\RCXBB45.tmp | [sample]
File opened for modification | C:\Windows\System32\sdengin2\RCXBD49.tmp | [sample]
File opened for modification | C:\Windows\System32\SearchProtocolHost\RCXC150.tmp | [sample]
File opened for modification | C:\Windows\System32\recovery\lsass.exe | [sample]
File created | C:\Windows\System32\recovery\6203df4a6bafc7 | [sample]
File created | C:\Windows\System32\sdengin2\taskhost.exe | [sample]
File created | C:\Windows\System32\sdengin2\b75386f1303e64 | [sample]
File created | C:\Windows\System32\SearchProtocolHost\b75386f1303e64 | [sample]
File opened for modification | C:\Windows\System32\SearchProtocolHost\taskhost.exe | [sample]
File created | C:\Windows\System32\recovery\lsass.exe | [sample]
File created | C:\Windows\System32\SearchProtocolHost\taskhost.exe | [sample]
File opened for modification | C:\Windows\System32\sdengin2\taskhost.exe | [sample]
Each executable is written next to a small file with a hex name (6203df4a6bafc7, b75386f1303e64); those companion files and the sdengin2 and SearchProtocolHost subdirectories, which do not exist on a clean Windows 7 install, are usable as host IoCs alongside the executables themselves.
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\1610b97d3ab4a7 | [sample]
File opened for modification | C:\Program Files\Windows Journal\it-IT\RCXBF4C.tmp | [sample]
File opened for modification | C:\Program Files\Windows Journal\it-IT\csrss.exe | [sample]
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\RCXC5C5.tmp | [sample]
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe | [sample]
File created | C:\Program Files\Windows Journal\it-IT\csrss.exe | [sample]
File created | C:\Program Files\Windows Journal\it-IT\886983d96e3d3e | [sample]
File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe | [sample]
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2760 | schtasks.exe
2808 | schtasks.exe
2660 | schtasks.exe
2764 | schtasks.exe
2680 | schtasks.exe
2656 | schtasks.exe
These are the same six schtasks.exe processes that the "Process spawned unexpected child process" signature attributes to WmiPrvSE.exe (PID 2820). Task names and command lines are not included in this extract, so the tasks have to be enumerated on an affected host (schtasks /query /v, or the XML files under C:\Windows\System32\Tasks).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1872 | [sample] (21 entries)
328, 2916, 596, 1084, 2036, 2612, 2164 | powershell.exe (one entry each)
1560 | taskhost.exe (36 entries)
Identical rows are collapsed here; the original lists every enumeration event separately.
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1872 | [sample]
Token: SeDebugPrivilege | 328 | powershell.exe
Token: SeDebugPrivilege | 2916 | powershell.exe
Token: SeDebugPrivilege | 1084 | powershell.exe
Token: SeDebugPrivilege | 596 | powershell.exe
Token: SeDebugPrivilege | 2036 | powershell.exe
Token: SeDebugPrivilege | 1560 | taskhost.exe
Token: SeDebugPrivilege | 2612 | powershell.exe
Token: SeDebugPrivilege | 2164 | powershell.exe
Token: SeDebugPrivilege | 2460 | taskhost.exe
Token: SeDebugPrivilege | 668 | taskhost.exe
Token: SeDebugPrivilege | 2264 | taskhost.exe
Token: SeDebugPrivilege | 1392 | taskhost.exe
Token: SeDebugPrivilege | 2692 | taskhost.exe
Token: SeDebugPrivilege | 2688 | taskhost.exe
Token: SeDebugPrivilege | 2368 | taskhost.exe
Token: SeDebugPrivilege | 1652 | taskhost.exe
Token: SeDebugPrivilege | 1436 | taskhost.exe
Token: SeDebugPrivilege | 2268 | taskhost.exe
Token: SeDebugPrivilege | 2828 | taskhost.exe
Token: SeDebugPrivilege | 1640 | taskhost.exe
Token: SeDebugPrivilege | 3048 | taskhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
The original lists each parent/child pair three times (one row per write into the new child's memory). Collapsed and rebuilt as a tree, with the sandbox's procid_target in parentheses; child image names come from the PowerShell and "Executes dropped EXE" sections and from the rows where the child later appears as a parent. Children whose image is not shown anywhere on this page are marked as such.

1872 [sample]
  2036 powershell.exe (37)
  2164 powershell.exe (38)
  1084 powershell.exe (39)
  596 powershell.exe (40)
  328 powershell.exe (41)
  2612 powershell.exe (42)
  2916 powershell.exe (43)
  1560 taskhost.exe (51)
    2540 WScript.exe (53)
      2460 taskhost.exe (55)
        2632 WScript.exe (56)
          668 taskhost.exe (58)
            2108 WScript.exe (59)
              2264 taskhost.exe (61)
                1748 WScript.exe (62)
                  1392 taskhost.exe (64)
                    1048 image not shown in this extract (65)
                    1596 image not shown in this extract (66)
                2996 image not shown in this extract (63)
            1440 image not shown in this extract (60)
        2364 image not shown in this extract (57)
    2500 image not shown in this extract (54)

The list stops at the 64-IoC cap after the first row for 1596, so the tree is incomplete; the "Executes dropped EXE" section shows nine further taskhost.exe instances (2692, 2688, 2368, 1652, 1436, 2268, 2828, 1640, 3048) whose parents are not on this page. The alternating taskhost.exe -> WScript.exe -> taskhost.exe pattern, each taskhost.exe also starting one unnamed sibling, is consistent with every dropped copy running a script through the Windows Script Host that launches the next copy.
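The parent/child rows in the WriteProcessMemory section above are easiest to read as a tree, and the thing worth extracting from that tree is the taskhost.exe -> WScript.exe -> taskhost.exe relaunch loop. The Python below is an added example, not the sandbox's code: it parses rows of the form PID <parent> wrote to memory of <child> <parent> <image> <procid_target>, collapses the triplicated rows, and returns every maximal alternating chain together with the number of taskhost.exe generations in it. The input rows are copied from the section above (only the first pair is kept in triplicate, to exercise the de-duplication). A child's image is only known once it appears as a parent, so children such as 2500 stay unnamed, exactly as on the page.

```python
import re
from collections import defaultdict

# PID <parent> wrote to memory of <child> <parent> <image> <procid_target>
EDGE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

SAMPLE = "e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe"

# Rows copied from the report above. The sandbox prints each pair three
# times; the first pair is kept in triplicate here, the rest once.
WPM_LINES = [
    f"PID 1872 wrote to memory of 2036 1872 {SAMPLE} 37",
    f"PID 1872 wrote to memory of 2036 1872 {SAMPLE} 37",
    f"PID 1872 wrote to memory of 2036 1872 {SAMPLE} 37",
    f"PID 1872 wrote to memory of 1560 1872 {SAMPLE} 51",
    "PID 1560 wrote to memory of 2540 1560 taskhost.exe 53",
    "PID 1560 wrote to memory of 2500 1560 taskhost.exe 54",
    "PID 2540 wrote to memory of 2460 2540 WScript.exe 55",
    "PID 2460 wrote to memory of 2632 2460 taskhost.exe 56",
    "PID 2460 wrote to memory of 2364 2460 taskhost.exe 57",
    "PID 2632 wrote to memory of 668 2632 WScript.exe 58",
    "PID 668 wrote to memory of 2108 668 taskhost.exe 59",
    "PID 668 wrote to memory of 1440 668 taskhost.exe 60",
    "PID 2108 wrote to memory of 2264 2108 WScript.exe 61",
    "PID 2264 wrote to memory of 1748 2264 taskhost.exe 62",
    "PID 2264 wrote to memory of 2996 2264 taskhost.exe 63",
    "PID 1748 wrote to memory of 1392 1748 WScript.exe 64",
    "PID 1392 wrote to memory of 1048 1392 taskhost.exe 65",
]


def build_tree(lines):
    """Return (names, children): PID -> image for every parent seen, and
    PID -> ordered list of distinct child PIDs."""
    names, children, seen = {}, defaultdict(list), set()
    for line in lines:
        m = EDGE_RE.match(line)
        if not m:
            continue  # not a WriteProcessMemory row
        parent, child, image, _procid = m.groups()
        parent, child = int(parent), int(child)
        names[parent] = image
        if (parent, child) not in seen:  # collapse the sandbox's triplicates
            seen.add((parent, child))
            children[parent].append(child)
    return names, children


def respawn_chains(names, children, host="taskhost.exe", via="wscript.exe"):
    """Every maximal host -> via -> host -> ... chain, as lists of PIDs,
    starting from each host instance that was not itself started by `via`."""
    def walk(pid, want):
        longest = [pid]
        for child in children.get(pid, []):
            if names.get(child, "").lower() == want:
                path = [pid] + walk(child, host if want == via else via)
                if len(path) > len(longest):
                    longest = path
        return longest

    parent_of = {c: p for p, cs in children.items() for c in cs}
    roots = [p for p, n in names.items()
             if n.lower() == host
             and names.get(parent_of.get(p), "").lower() != via]
    return [walk(r, via) for r in roots]


def generations(chain, names, host="taskhost.exe"):
    """Number of host copies in one chain; each one is a fresh relaunch."""
    return sum(1 for p in chain if names.get(p, "").lower() == host)


if __name__ == "__main__":
    names, children = build_tree(WPM_LINES)
    for chain in respawn_chains(names, children):
        print(f"{generations(chain, names)} taskhost.exe generations:",
              " -> ".join(f"{p} {names.get(p, '?')}" for p in chain))
```

On these rows the only root is 1560 (its parent is the sample, not WScript.exe) and the chain runs 1560 -> 2540 -> 2460 -> 2632 -> 668 -> 2108 -> 2264 -> 1748 -> 1392, five taskhost.exe generations deep before the page's row list is cut off. The same walk, pointed at a real EDR process tree instead of sandbox rows, is a cheap detector for this relaunch pattern: a script host that starts a copy of the process that started it.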
System policy modification 1 TTPs 45 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe  "C:\Users\Admin\AppData\Local\Temp\e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe"
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1872
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\recovery\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sdengin2\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SearchProtocolHost\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:328
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
Level 2: C:\Windows\System32\sdengin2\taskhost.exe  "C:\Windows\System32\sdengin2\taskhost.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1560
Level 3: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed56dd5f-b624-4bad-bdc7-31e2fa8db77a.vbs"
- Suspicious use of WriteProcessMemory
PID:2540
Level 4: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2460
Level 5: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a982427-2912-4480-8cf6-77cccfe4a1c6.vbs"
- Suspicious use of WriteProcessMemory
PID:2632
Level 6: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:668
Level 7: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69435a10-2962-4a3e-90f4-82c9a00eb21c.vbs"
- Suspicious use of WriteProcessMemory
PID:2108
Level 8: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2264
Level 9: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d76f1b4e-2014-4ca3-9042-048123548d67.vbs"
- Suspicious use of WriteProcessMemory
PID:1748
Level 10: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1392
Level 11: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\439c28c0-4602-4032-b5ca-78f8a374d8e4.vbs"
PID:1048
-
Level 12: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2692
Level 13: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89cb4f6f-3e79-4e43-af2b-6f9914244354.vbs"
PID:3052
-
Level 14: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2688
Level 15: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a45811b-9da9-4ec7-9ab5-df08298dc830.vbs"
PID:2824
-
Level 16: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2368
Level 17: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\400902c3-2834-4df9-98b8-161884ba6e51.vbs"
PID:1660
-
Level 18: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1652
Level 19: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fce44b0-81d2-419b-82bf-b7ed8c9fb92c.vbs"
PID:2964
-
Level 20: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1436
Level 21: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4311002d-500a-4246-b85d-75a805b6f785.vbs"
PID:1764
-
Level 22: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2268
Level 23: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67732edb-db2e-463e-8d39-e39d4a2541e7.vbs"
PID:1708
-
Level 24: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2828
Level 25: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e46a4a-9dd8-4f72-a8cd-cb60649be199.vbs"
PID:2976
-
Level 26: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1640
Level 27: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f47ba78-b36a-4c55-a324-d8e26620060e.vbs"
PID:596
-
Level 28: C:\Windows\System32\sdengin2\taskhost.exe  C:\Windows\System32\sdengin2\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3048
Level 29: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e248c018-1c06-41a3-872d-d0398e8c1028.vbs"
PID:2736
Level 29: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e530b9e7-d23a-4b0f-b49a-4bad55a0d19d.vbs"
PID:1972
Level 27: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aea21bac-cff9-417f-969e-9154e9592729.vbs"
PID:404
Level 25: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01bdd3fa-b8f3-4875-a02b-9aad2225762e.vbs"
PID:2452
Level 23: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6060ea0e-84d3-4153-8eb6-7dacb066575f.vbs"
PID:2764
Level 21: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3c41e6-21f0-4ca0-938e-a41a16563c4d.vbs"
PID:1028
Level 19: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94c678fb-abaf-479f-a069-df4987faad45.vbs"
PID:1248
Level 17: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f191819a-5ee7-4de9-a190-e2e829a7cb72.vbs"
PID:2448
Level 15: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b0fef7d-8ff9-4c7b-8305-2966653688cc.vbs"
PID:2480
Level 13: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\418a2d1c-a2f8-4f4e-9a47-4cb9bb76db11.vbs"
PID:2880
Level 11: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b3a3616-8b98-4154-bd60-b2e2d55e1bec.vbs"
PID:1596
Level 9: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74664bfd-70d6-421c-9796-7f414ccae981.vbs"
PID:2996
Level 7: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca7d13fb-df7f-4b3b-a76a-c219e5e4c139.vbs"
PID:1440
Level 5: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0bc5f22-a532-4e98-9063-92e49722a0ff.vbs"
PID:2364
Level 3: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cb5e7e5-0a1b-4563-9296-6de8ced1860a.vbs"
PID:2500
Level 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\recovery\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
Level 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\sdengin2\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
Level 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
Level 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\SearchProtocolHost\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
Level 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
Level 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
Filesize
1.5MB
MD5 d36cc4a093e0bc7ca5a9342ab6012419
SHA1 ce5387ec8626e899804182655ad84ed339771ed1
SHA256 e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1
SHA512 df08e46279f1726a78b73b2191b7e878512e84520eed04f5b45aa14553447e216bf9b3a44d0478947d340ced9c434b7526266b4380f0fe16196eb8da5c8206be
-
Filesize
1.5MB
MD5 42dc5367be2730a142529d9b1b21e2c2
SHA1 84a7d4eb523597b5bdcc20ca6821ea556f99f4e8
SHA256 60af05ae81e2e6947064eae1062debfcdb969bedc120971bc6f42a78bed5cfab
SHA512 e8d7d6e3d71ab00d15571bbd593adbf624dce7c9dbd7f997c0539407e7acbd269db85317f3da5609c284645ced94bb4c15571c0fda0de795d9b0143907a80d61
-
Filesize
717B
MD5 1dc8d4bd02c873c5065a295d1c29e07c
SHA1 ae9747e1fe6553726be4f254009fc1ed20426a55
SHA256 d12034f3bfc9c6b656f9b9249e058f89e7fed3f98266b13acb101bd7c523f3cd
SHA512 53b096b48dc1c2ba47abd1cc66f0952f6b56b8fc76697973154e0b9e35047ee46cfd5ade18915067098d88c87403516b5ec3d6ea9ac88c995f3c0b1a64f1016f
-
Filesize
717B
MD5 9bc0f9b35b7123b0c5997e0b99c38690
SHA1 144202d712c4267c3c23de38efc2543521645630
SHA256 93c502023e8ab0aaf82c42c9998e4817d11f2a4f3e7f664b2b0fe6742e8a760a
SHA512 cf84e37917d27cfed463afd3f3a7a7a6fcce775532872ad05029203789c7ec9308d195d067ba6c386f735df479aa4b773275c75163a26aca38e328dd0bf3ee59
-
Filesize
717B
MD5 b3fc9c22dc71aa11c3f5012de1d8c3ab
SHA1 dbd442521761f8f21c3ad1e8b38f67d1e78612fc
SHA256 31915684b1123bb5ec373615bb3f81fc0440a8450dbe13d58922f92177764187
SHA512 4d5a109d94009e8bce25bd11fe68518272db2f6e2a8076880aa208504966612ca059071945400435b8e5d755b9c51b47c4ab6b293e905af790c8d8402134853b
-
Filesize
717B
MD5 5363863b0433598e1b05dc1a5507900c
SHA1 0c4bc4faa1f3bd436715547f31cfaa9cadb40dd4
SHA256 820c7107205c1f820dfef39003fafa774579929d84324641131f8d3abf327200
SHA512 28fbab9ffc386def05bb687b76d161d0cf28040cf319da6e364fe1fc77e6f0a44648058d80d78bb620cd22863738293724b0365cb3c24a871077c86a5f832dd5
-
Filesize
717B
MD5 044df3aa7c92f32229b4927049728aec
SHA1 3bf0c2d4ba5cd5e6fb73fa9585c627ae04c607e4
SHA256 c87b2087a8fa3c02078d1ea64b88a6998ccf06449634d0b89cbb6d24adb1ef4e
SHA512 361f8709578387316f5ef38b584f80f08e7296529533fa4dbf6fa399a99f908e17262683a50c7a1e4384e553ce1fd1bb7b17772e92883e551e42d921d5b95552
-
Filesize
717B
MD5 1754f94da45f01202af59eac9a515476
SHA1 9a772010f00db69d9e759713d9be7caf28f99f10
SHA256 f5068bde5f19dc0975e16a5c553246538dc33e47b50a3bdeaf8a0f8f639506bd
SHA512 40a0c57566fbe0424751ed12e6947705b0b2f47973afd2f38a66c9b361d8281338053804130e932ca14a7c4d3e08d355174cef2472f89c87b445ee1264891c54
-
Filesize
717B
MD5 1244c3948a591754701ea6f0e0fbe638
SHA1 995e09dc05d87ba846cdbe19ef16f8663183bbbc
SHA256 0e34ee99dce3f9590e5567264510e9224570714238d0c0195c105dbd0b26cef1
SHA512 d586c728856b269778b7a0c1abe5d25ced7c717cf3a967692d702c08cf43ff2908d1da76138714e0ec298b5e9be5acec47a9a6312cfa1a68ad736accefc6fc28
-
Filesize
717B
MD5 ba66bed1b81813b180ab15f205a7ec70
SHA1 16361f68df01470b3456082abb920d2cc5500339
SHA256 a2e18a9724f6ae5d2f41065fa07e472040509ef040f0c2145436693321e32b97
SHA512 87c5edce0f6a13ab9d1d92627a1f412e00b4cb901730e04d6e0080cc82b11347e49406bd7ae04da68cba8768afa0c8dd21fe0c3f3c259e940bec79e8bff75387
-
Filesize
716B
MD5 1c187b68c6a9e5224ad159583cfb620f
SHA1 12ea455820cf4e7fcf33d65524dc5311218194c9
SHA256 eb312415546bc670ee1de100f2e16614b210787a844d9151de4de32fe9f5be51
SHA512 02db6bbd6dd768206a991087a47c63241a6c38f2261f3f2826bdf8bd55a1f0e257096f509b9ee901419310f080e863124a8bfc7fc4b9be39b5fbb90c609fd536
-
Filesize
493B
MD5 7cbebf525a6bf4695e3db6dfa9201484
SHA1 ca1f3fc7a6c4799154a70a137a53ba69fd97da43
SHA256 614c03831c982d894ad35b231b219c0a216e9f9f44f12cb29a77f85a5eb3f9fd
SHA512 9e6cf90f26a28aaeccddc93576b1fb910eab4ca413890d9072965630dd40c9b8705eab6be8e2574b53771731ae48610a6591f8b216e2015769399810ea52f1f2
-
Filesize
717B
MD5 046909918a4e69b4d3303de7a7242dc2
SHA1 9a45e4c037d6b29872b2fd89778dd13c881837e6
SHA256 c40ad8cc7b12c12145c0e99bb82594133ae235ec257c9c3593cfcd5363b26ccf
SHA512 d8300dc7accbaf00f643bdfaecb2bd4e9e8ee0337dbdb19f3f228ec15ad1f6b8e1bae6cce601ad93554892b48497382a2917793ed0b043c45da86b5f0805d98e
-
Filesize
717B
MD5 f644bba7b4d633fa713d3389e1157ee5
SHA1 62b9dd7906b5619bdad90118ccb88ca0cbd84fd4
SHA256 4a5a2c557befe660bdf4d1c143396aefa88e4f7a2b1a3e2a92c0d796c341a8aa
SHA512 29d21c0ba5789bffea48c57a79352cb600327419a9025774cb2c52d81f1ab74a6185db9a62fb5f82c7af8e509e46ecd4d5b4b15189334373f10bf5ece54080e4
-
Filesize
717B
MD5 5d7f61eb8f822995e472dcdcd6eb0558
SHA1 fcd57e59b4b5e05f84136287f689d4a647b09040
SHA256 8e80da241d6268dd6cbfd55ad82e5b7279da09608cffec1a05becb4682f81684
SHA512 b0d587792e15f1426a4ac32bf8e1da773ea0ac6c6ff8256528f325f58daec926016dedc8570287521116522dcc50d9df81ef9832763d72f59cdf861065e8459f
-
Filesize
717B
MD5 ded76fdee4d73258e732be207abbe14d
SHA1 a0b442c4d0faa6e8ad54bb20f59f9da42d91fef7
SHA256 75d2437fe81a5480579a09813152c841d422fc9365fb30a601290c7332848bdf
SHA512 513fb19eb4fcb1219f32ce72e44423b96476c594660a2ab5fb2fba473d00fa56c50f61ec7a0461961b93f16d7f2eeec870342ebd76d6a2cf0a445bde2ef6673c
-
Filesize
717B
MD5 c22d242e2b7c3b3e8bcf42cca0c00931
SHA1 e0fc83d4b6b6c8b3d3d4f36675102bd8b963f8f6
SHA256 1050d24a2958e6c80c4aabaad322261ab1f84ec664100b06a44fd28a3c2ad170
SHA512 0d8c627ead780ec53901e2cf220a42e49a92e5533655f643a294729efa0c3d09d09ccf20efbfa381ef6c6ca3ec79d689914657bb0d802930a6ceb291e895213c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5 3abf60a3500067830997d162cfaffddd
SHA1 29d4fb425a7b44443e766dba490dfdad9c58aafd
SHA256 e86ca20e61c8cad8a906ea1e0afdc42e187fc8e1d1041fed20b416718fbe45b6
SHA512 ebb1ecbc3828f4ad9b1783353db4a60c718024be02566ba566ea695c93aceebd6a69fa14ec019246b19c5c9a37c89d733eb3a431431dc77e215b1223116120fc