Analysis
-
max time kernel
306s -
max time network
312s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
01-02-2025 14:33
General
-
Target
iiu21398e8ydsa.exe
-
Size
1.7MB
-
MD5
402413f48045d5217eb19c3ca703b3b9
-
SHA1
bcb9c54c86f677958d5acbd5d4cd5eb6de639340
-
SHA256
19b45d7e3ede011ff54ba5dc54705a38f030bfc70afc6dec3a5931f3f8d01a75
-
SHA512
c4fde3b1fbe2a98fa118f052cc668a6c5321cf8855d33e4b709c082ce086e6fd0e62872be056d8e3a4b73e0f7357e455cc3e7e053885e1404084b3628fda3811
-
SSDEEP
24576:U2G/nvxW3Ww0t60jeAbFDuiYq2hszeo9/gqHriQcU4bobxAgedn6CrRNe2ONaPx7:UbA3060jSReaNqLz4bifed6ERNFXx7
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 59 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 20 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\iiu21398e8ydsa.exe"C:\Users\Admin\AppData\Local\Temp\iiu21398e8ydsa.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ChainblockWinRuntimenet\i5qxHYu1uyqqnmGIFh.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ChainblockWinRuntimenet\oyqWCLFHNhsk.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ChainblockWinRuntimenet\Chainhostcrt.exe"C:\ChainblockWinRuntimenet\Chainhostcrt.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2EHgxdaT4D.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Program Files\Java\jre-1.8\bin\services.exe"C:\Program Files\Java\jre-1.8\bin\services.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre-1.8\bin\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\bin\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellComponents\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellComponents\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\ChainblockWinRuntimenet\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ChainblockWinRuntimenet\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\ChainblockWinRuntimenet\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\ChainblockWinRuntimenet\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ChainblockWinRuntimenet\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\ChainblockWinRuntimenet\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Music\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta86b181eh9071h43e7ha6c7h500257a042041⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe08bb46f8,0x7ffe08bb4708,0x7ffe08bb47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,8249073959172842445,14307758019496823875,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,8249073959172842445,14307758019496823875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,8249073959172842445,14307758019496823875,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe08bb46f8,0x7ffe08bb4708,0x7ffe08bb47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11737606510622681222,10717017255570865582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD52f036365e4d7d5dde1b2ff833005c195
SHA1d20104cf56ed61aefc5718543a7d1f2a4a972b1d
SHA2560a460c969588acc4942c37e7bd65b40b885d1c85f957269f0af95c1909bac322
SHA512a324efb66c19c3adf89ff7fef7e0c6b9d9559310aa37a7ed2d581449135affc8f076ce1c8bb1b6cec9acbd6fa9b3e517aebe81e4ba6ecfae38aadb71280997f7
-
Filesize
212B
MD5a370367e6e1ebe2e9f2bbacac556025b
SHA1237a9422c2e40e3c669f4d82c5f934359dbe8f39
SHA256533464137dffa58349e6ab2f0cb93ac4925e84fa5c69acf643f6007718a63580
SHA512284979b6b7d215ee54297a861095c9ad67d62501ccfb5212765457c86a132d2f73deed72abccd71b1e5f810e0379c8bf2f7e3972154f098611b7c7773934535f
-
Filesize
157B
MD5df84f59bb86e610ce6c9be8808512267
SHA159ea48410321e05e5a6602ee26ee87c7520d2e36
SHA25697029f30cb4653eb30ebaca3f28cf7c4d3c4495148a8ee873d3959ba1e9913bd
SHA512fa1548972f4f7c4ef2b1bbad4ba605078a6383045fc0b9f28ff618d15800ea85029ce39ee9af2db20ddd7534bc99636f3a09ae4edf4037b686c5b769929afe6c
-
Filesize
152B
MD577b5bcdc49ef9862aa7be45dd54c9356
SHA12baf63796448a148dbf89ddeb655c2ec0ab87e42
SHA2563390d824f21c5a75b7e20b86cc392b61651cc1cdeda32606fdc21f312ff1836c
SHA512d7005b84795cfa9ca21b7112bfaa19190a2f52862cb3862cfdc7992b164d3c293d2e145b452795a3965443ef98bbbcc31a6f538de07259536b4a9b82f5a3c841
-
Filesize
152B
MD5e8cb3a8ae72d4143c46a67827ca0b7df
SHA1171c2c090300f33f67510e38358077155a664f99
SHA2567bf198a75746d630643056ad1571f0d46f6d069f7813a39888f7519b4b843e9e
SHA512917d6ac30c1975f5266aa380baf9842575ad565c4399ef7da499e8f78d7300f6b1c4d3c5846d46b5c39fbbcd76097fe356274ce44eb35e8ca5c09522def6758e
-
Filesize
152B
MD5bf0b2725c0cd068b0f67eb62cbc3244f
SHA154ee5cd3bd0ae55707020bf40c4342736e310caf
SHA2565dff0f70a7691805910a88ef91c9ecc338c6a27b818ff6b0c8bc6e0e8e381d36
SHA512f622f17ddcf1a364bbe926fe427b1544c3bea200b65f24aee14a5eaa7b260e33f396ef07f2a0a53540dc4c0f5beebf431b6d7d0a9032890de13b99a2089b852e
-
Filesize
62KB
MD5c813a1b87f1651d642cdcad5fca7a7d8
SHA10e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
-
Filesize
67KB
MD569df804d05f8b29a88278b7d582dd279
SHA1d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA5120ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e
-
Filesize
63KB
MD5226541550a51911c375216f718493f65
SHA1f6e608468401f9384cabdef45ca19e2afacc84bd
SHA256caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5
SHA5122947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
Filesize
1KB
MD5752c4e635b0e0de1603cc060d466f5bb
SHA1f981bab96ac183457d9be9c50bbe55da3ccd8ee6
SHA2567bb806bfc6464d992ae6c9e40837979b98e2fc89572636d048d3d6ad6291ff92
SHA5122060865eff6f5773ff9262e656f7eb119e5cca7caa6885b91c43c2e378096b1c998de4488503564c559e90cd27fb0773d6163f1aa7516de70fb4a0992eda2e8c
-
Filesize
1KB
MD59445fae6f6b124883db47ea78889d070
SHA167c2cf3d69546c3210ba1c25a3de713c786cbf99
SHA256fb4a826bc3df8c62f4b12784f1bbfd2344d766c7987b54a55d0fb113eaf94e27
SHA51232aa1210f3be49480da054ebe0c7c89caea5528a7fa126f7faae217281e60c2959306a1551c9a4fd1df399ca8aad4c4efc99df935d03ed62dba48e52ae504064
-
Filesize
264KB
MD556685c5da95f4c8556699425190ee56c
SHA1c5c867398224a257c65edfbf2e0a03b52f089671
SHA2565cb3544ea0210e37ef570f56b90ac899fc96eed8e717a297322b24095dc44dc2
SHA512b29d1bb0296771722f4a1f22531c451238ca8bfed8b7b41bb238cfdbb282d93ee6aee7509c1390d15b23202262268eec60d0b92264b7e6213c8342a45b9f878a
-
Filesize
331B
MD5f29befc4a9cfbf308f6fedb9f9656db1
SHA1c93a5a99315a223841ed83b0e1f265bc9f69ed68
SHA2563a24b600c58b418d09dc3062e9efbe3c9adeeb597f7ea9a01b7e96e8966a0be0
SHA51209d9cbb02fe18ef9e2852e08f59d582c0f1b6a33df8679c3498d7262b592884d5bd9e79cb4c328fb27b75e91885633ae05f2ba9a50a5bbe2c249f24bb9100945
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
248B
MD563f42f1c79e98255682111419bced474
SHA1392a69cc46c562c9e64eca8816292a2fa62fabea
SHA256b4961ea15fb968ed3aaa6eb5241233e07e85721d48a2448648f641f433064362
SHA512fd54189b134af5d282743f6572bc86af41ff43e8f5c034c9c58cb96c3bb9160c8fe356c8d833ae96019b9834c5ac4c00043a91b97e8d3da6cac055605fa2e7e9
-
Filesize
6KB
MD5c0ef335f1980e6060e29379020925c3c
SHA18f6d50df1c44b842c4b611641bcb467ecde4534f
SHA256d84b77a1ff6c5b08271e7e66e593ae3c93c161f4d742e76cd6a25016aa7478e4
SHA51280d20f61ecac0847bcc354bf38d0969c6ecdbfc47ff07bb30cd2e98641111ccbb27d9dedccfc58c0bc7f899e9c65567003097cc96946573d1132641f3cb94902
-
Filesize
6KB
MD5e336301a1b4cc617fabd3bc2382e250a
SHA1a1b4104497fe61b2749a05619f2798330441b007
SHA2561642819fbc50b9e8b387ea0954effdf017251fdd8786fd6100dfcee90ae589df
SHA512e86817646ac2e3710d294188a3e9542b515f00818e2ddac85d8f730b634df3cf1d17433c21c5c3fc2cae983cce2db3952e42e3ddcbc221b258d9e28171695dc0
-
Filesize
6KB
MD564ec2adbc322e076a7bd5d3d80e835da
SHA1f5cd3daa6829844ea8c45ef2f9b84ca547551570
SHA2562cf4288250a51fc809318de288f7c74d4ebcc37869cb135f5644f5b1b557fa24
SHA5127e00bc1b563c066824939bf7985e1447ee77ef9c2c4c559b1f84faf61eefc03c6b4a503a113d1a5196429a5d3d43cee8abd762d0c85115b2bb72a2001da0fa69
-
Filesize
6KB
MD569d1152030dcbd106fad237cd7f25d66
SHA198551922576b35559e4d0254dbc709d27dc14751
SHA25699d2c7e78ecdac642911fa1efee6d06fa007b56e46fa121ff26a2b2fa8833473
SHA5122139491ce4669a2d9244d707b29c7fe3ef3e427862ce4a607d75522f03ef25aca1fd0f527bc40bb7edac35b40d3e6c80d538618d368354654a0785aace3241b5
-
Filesize
6KB
MD5c75230757229307012b4b47a7681eff5
SHA18e73f785fd622ca63cf66b60e93654a0ce281a85
SHA256bb25a850bc1cbe48d32171cd45ad22fdcf93c052424c516bb8310675e692ba57
SHA512ce5b0dcad5d32f84880e5dee6df0e9368b6f9b76ea0e53f451275b7ce6914cb828bc5c57297fc09b0c2973e32e687897b54839b4722a5268367781c1f94c130e
-
Filesize
347B
MD578111d281bd735418b32f499bb407959
SHA13128048280ec281e433374208a052a69b28530bf
SHA25622d57533349918834e345a3e7aac530817cb406c6822b6ec35bf82bafa7cae1f
SHA512421f850bc0f5f418659ae733cdc54c905d06690ba9268886690339820fbbfc15ec1c75eb61415cc94c8e19967040522430ab34687380b0005b21f44b2bc6fe56
-
Filesize
323B
MD5b67a55164aaf50416968fd9e54298288
SHA1f8bc684cbda22bff88c8186b41a6e8c84b21b6cc
SHA2565b626ccdf9112573e51262541407951251208f146971702ec03eec364e0e9366
SHA512a6db1edeb78cffb17335caa51fec8c5183613283baed0f7135bd9c45e8245ea68251225cee64318cf21bdb9c977060fac4d35bbda31f29b80060716afba7a855
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
10KB
MD55610e2dc78daa1f7d7d70ff4b762ff79
SHA1711f240a0ad3a54b1e07ac105a7144adb787c4f4
SHA256f41e43f2a8c5141d1e8942cc7b37551d8f4b6d983d7c84db19f6f23d686ec65e
SHA512677c6102eeea2ca98d199a85ad11d80250f9b8e993e2f0b16689f019a8043c65ce7f66fe12cdf3d4a84e3eab6224a6505033683cde604b1e7fbbda2cad5f9220
-
Filesize
8KB
MD5a0e735be6c5e99f4e3ebf5d9e44361f4
SHA1c00d2b90f658b5092abe96444de4377f90251473
SHA256a6d28f64f156016bbdf2b2a64c2d11cf6451e1d06fc6b33f1016e88954ace6b8
SHA512f8766f4bf7746bf4b8cfbfe660793235b050bbc8f2c4dae52c586d1d175acbe92a46549dd2678bbe078ee6b54885d77c8b10b6b4b6a2df63ac2614a0d3c02e61
-
Filesize
10KB
MD5e960b30cc33ef636e1196dc6e3fdd47d
SHA14684745343de2eefbb69b3b17ab6c57113f90545
SHA256cb858ce17e7dd89fad539702065eed7a67f1168027058b32977bfc7d810df235
SHA512742d94a07c09b5ebd087fddc43a2dd4429ac687bd2b5222ff8edc4bd63009cc84346e5ed20096a616bb6f86bafe61b84a9772ae3ef38713b5b373b7c54286f05
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
211B
MD555f5e4249c5a8b12fcc429afdf45dea0
SHA15989548a6fe9f4d8858071ce2e16669e86c89a4b
SHA2564e53a1b1a5e7eca58f7a089c770834e4d870a53920bda9e065af4608e80608ba
SHA5122819bf76b20c3c50652fd04e0360cb0dfa52d8c03c6f7336a682e31decc2bf5f12fed9d0fc8210b6ef57902a403032d886145efefc9501f2f7bab457fed56a56
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
1.4MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
8KB