dcrat | 5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Size

3.2MB
MD5

1554ae8f1316eadf351b3e6f5e7fc9e6
SHA1

1fe722cd6f6e6739a2566c920931bc2f057ac55c
SHA256

5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23
SHA512

56bf054fa85f534a5b5896a21b4b511c564ffbb0a8b1685054c521d09a9122c848c5818d6518092d33da4c02b79dea6622ef7fd48ab22271522a9d7878a2883d
SSDEEP

49152:UbA30LfTBVuy0VtNUBslYt04P0GliFkO6Uo67iX0bCLuI9+E8Dt:Ub/7nL0jCB6q0goyUonuI998Dt

Score

10^/10

dcrat discovery evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	2016	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2016	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	2016	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2016	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2016	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2016	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	2016	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2016	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2016	schtasks.exe	94

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeProviderreviewDriver.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023c87-10.dat	dcrat
behavioral2/memory/3448-13-0x0000000000C70000-0x0000000000F62000-memory.dmp	dcrat
behavioral2/files/0x000a000000023c93-73.dat	dcrat
behavioral2/files/0x0009000000023c94-81.dat	dcrat
behavioral2/memory/4884-141-0x0000000000250000-0x0000000000542000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3996	powershell.exe
2612	powershell.exe
4968	powershell.exe
3548	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winlogon.exewinlogon.exeWScript.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeProviderreviewDriver.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe1554ae8f1316eadf351b3e6f5e7fc9e6.exewinlogon.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ProviderreviewDriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 15 IoCs

Processes:

ProviderreviewDriver.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	Process
3448	ProviderreviewDriver.exe
4884	winlogon.exe
3700	winlogon.exe
4304	winlogon.exe
1740	winlogon.exe
4868	winlogon.exe
1528	winlogon.exe
316	winlogon.exe
2348	winlogon.exe
1884	winlogon.exe
1764	winlogon.exe
2112	winlogon.exe
2096	winlogon.exe
4060	winlogon.exe
4404	winlogon.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeProviderreviewDriver.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1554ae8f1316eadf351b3e6f5e7fc9e6.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

Processes:

ProviderreviewDriver.exewinlogon.exe1554ae8f1316eadf351b3e6f5e7fc9e6.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	ProviderreviewDriver.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
432	schtasks.exe
4416	schtasks.exe
1708	schtasks.exe
2568	schtasks.exe
1008	schtasks.exe
2412	schtasks.exe
4324	schtasks.exe
3804	schtasks.exe
1184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ProviderreviewDriver.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exe

pid	Process
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
2612	powershell.exe
2612	powershell.exe
3548	powershell.exe
3548	powershell.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
3448	ProviderreviewDriver.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
3996	powershell.exe
3996	powershell.exe
2612	powershell.exe
3548	powershell.exe
3996	powershell.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe
4884	winlogon.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

ProviderreviewDriver.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	pid	Process
Token: SeDebugPrivilege	3448	ProviderreviewDriver.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	4884	winlogon.exe
Token: SeDebugPrivilege	3700	winlogon.exe
Token: SeDebugPrivilege	4304	winlogon.exe
Token: SeDebugPrivilege	1740	winlogon.exe
Token: SeDebugPrivilege	4868	winlogon.exe
Token: SeDebugPrivilege	1528	winlogon.exe
Token: SeDebugPrivilege	316	winlogon.exe
Token: SeDebugPrivilege	2348	winlogon.exe
Token: SeDebugPrivilege	1884	winlogon.exe
Token: SeDebugPrivilege	1764	winlogon.exe
Token: SeDebugPrivilege	2112	winlogon.exe
Token: SeDebugPrivilege	2096	winlogon.exe
Token: SeDebugPrivilege	4060	winlogon.exe
Token: SeDebugPrivilege	4404	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1554ae8f1316eadf351b3e6f5e7fc9e6.exeWScript.execmd.exeProviderreviewDriver.execmd.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exeWScript.exe

description	pid	Process	procid_target
PID 1580 wrote to memory of 2276	1580	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	87
PID 1580 wrote to memory of 2276	1580	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	87
PID 1580 wrote to memory of 2276	1580	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	87
PID 2276 wrote to memory of 2388	2276	WScript.exe	90
PID 2276 wrote to memory of 2388	2276	WScript.exe	90
PID 2276 wrote to memory of 2388	2276	WScript.exe	90
PID 2388 wrote to memory of 3448	2388	cmd.exe	92
PID 2388 wrote to memory of 3448	2388	cmd.exe	92
PID 3448 wrote to memory of 3996	3448	ProviderreviewDriver.exe	105
PID 3448 wrote to memory of 3996	3448	ProviderreviewDriver.exe	105
PID 3448 wrote to memory of 2612	3448	ProviderreviewDriver.exe	106
PID 3448 wrote to memory of 2612	3448	ProviderreviewDriver.exe	106
PID 3448 wrote to memory of 4968	3448	ProviderreviewDriver.exe	107
PID 3448 wrote to memory of 4968	3448	ProviderreviewDriver.exe	107
PID 3448 wrote to memory of 3548	3448	ProviderreviewDriver.exe	108
PID 3448 wrote to memory of 3548	3448	ProviderreviewDriver.exe	108
PID 3448 wrote to memory of 1176	3448	ProviderreviewDriver.exe	113
PID 3448 wrote to memory of 1176	3448	ProviderreviewDriver.exe	113
PID 1176 wrote to memory of 4044	1176	cmd.exe	115
PID 1176 wrote to memory of 4044	1176	cmd.exe	115
PID 1176 wrote to memory of 4884	1176	cmd.exe	118
PID 1176 wrote to memory of 4884	1176	cmd.exe	118
PID 4884 wrote to memory of 4756	4884	winlogon.exe	119
PID 4884 wrote to memory of 4756	4884	winlogon.exe	119
PID 4884 wrote to memory of 1848	4884	winlogon.exe	120
PID 4884 wrote to memory of 1848	4884	winlogon.exe	120
PID 4756 wrote to memory of 3700	4756	WScript.exe	121
PID 4756 wrote to memory of 3700	4756	WScript.exe	121
PID 3700 wrote to memory of 2388	3700	winlogon.exe	123
PID 3700 wrote to memory of 2388	3700	winlogon.exe	123
PID 3700 wrote to memory of 4872	3700	winlogon.exe	124
PID 3700 wrote to memory of 4872	3700	winlogon.exe	124
PID 2388 wrote to memory of 4304	2388	WScript.exe	127
PID 2388 wrote to memory of 4304	2388	WScript.exe	127
PID 4304 wrote to memory of 3432	4304	winlogon.exe	128
PID 4304 wrote to memory of 3432	4304	winlogon.exe	128
PID 4304 wrote to memory of 532	4304	winlogon.exe	129
PID 4304 wrote to memory of 532	4304	winlogon.exe	129
PID 3432 wrote to memory of 1740	3432	WScript.exe	130
PID 3432 wrote to memory of 1740	3432	WScript.exe	130
PID 1740 wrote to memory of 4736	1740	winlogon.exe	131
PID 1740 wrote to memory of 4736	1740	winlogon.exe	131
PID 1740 wrote to memory of 4892	1740	winlogon.exe	132
PID 1740 wrote to memory of 4892	1740	winlogon.exe	132
PID 4736 wrote to memory of 4868	4736	WScript.exe	133
PID 4736 wrote to memory of 4868	4736	WScript.exe	133
PID 4868 wrote to memory of 3636	4868	winlogon.exe	134
PID 4868 wrote to memory of 3636	4868	winlogon.exe	134
PID 4868 wrote to memory of 1684	4868	winlogon.exe	135
PID 4868 wrote to memory of 1684	4868	winlogon.exe	135
PID 3636 wrote to memory of 1528	3636	WScript.exe	136
PID 3636 wrote to memory of 1528	3636	WScript.exe	136
PID 1528 wrote to memory of 3900	1528	winlogon.exe	137
PID 1528 wrote to memory of 3900	1528	winlogon.exe	137
PID 1528 wrote to memory of 2120	1528	winlogon.exe	138
PID 1528 wrote to memory of 2120	1528	winlogon.exe	138
PID 3900 wrote to memory of 316	3900	WScript.exe	140
PID 3900 wrote to memory of 316	3900	WScript.exe	140
PID 316 wrote to memory of 4292	316	winlogon.exe	141
PID 316 wrote to memory of 4292	316	winlogon.exe	141
PID 316 wrote to memory of 932	316	winlogon.exe	142
PID 316 wrote to memory of 932	316	winlogon.exe	142
PID 4292 wrote to memory of 2348	4292	WScript.exe	143
PID 4292 wrote to memory of 2348	4292	WScript.exe	143

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeProviderreviewDriver.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1554ae8f1316eadf351b3e6f5e7fc9e6.exe
"C:\Users\Admin\AppData\Local\Temp\1554ae8f1316eadf351b3e6f5e7fc9e6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeRefruntime\RO6jJbtsE.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\BridgeRefruntime\ProviderreviewDriver.exe
      "C:\BridgeRefruntime\ProviderreviewDriver.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\ProviderreviewDriver.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pg6iMfcDeU.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4044
      - C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b126be3d-cbee-4532-930d-b35749c77d72.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c1b984e-a860-4f4d-bb29-0c2647875aa1.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8a97ad1-53e9-4b25-83a4-16f960ab4407.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea4fe2a8-c4e4-4c9f-b6cd-dfc4fe3586c0.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daa85f5f-f42c-4122-a24b-24c3b1588474.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecd24fe7-77b3-4105-85f7-6a03d3cae0ff.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e6134d8-b346-4c82-b63a-abbb5888dee8.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7a8409c-3b2b-47b6-9f65-b2febcbffb1a.vbs"
        21⤵
        
        PID:3884
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f74315eb-7996-4b54-8e28-430d0de86ba7.vbs"
        23⤵
        
        PID:3200
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c619604-0dcc-49a0-972d-66961983f052.vbs"
        25⤵
        
        PID:1648
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c27d0453-e11e-45dc-95f1-973fc2aee910.vbs"
        27⤵
        
        PID:3972
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e72e7f7-214c-45a4-8a73-9a24ec01d46a.vbs"
        29⤵
        
        PID:3544
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\462af080-526b-4f15-9d25-ca28e5e8fb7d.vbs"
        31⤵
        
        PID:3832
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cda876b6-15b9-4088-a9ae-232cd12b7944.vbs"
        31⤵
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d39125f9-86eb-4b88-a0e4-0e8c4ccb8de2.vbs"
        29⤵
        
        PID:4304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3288466f-7fd6-4f75-84c2-c728475181f5.vbs"
        27⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2a9dacb-4d8c-494f-b357-efed22fe6a89.vbs"
        25⤵
        
        PID:3176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb61a67-ff31-451d-b0ca-9d97002f6978.vbs"
        23⤵
        
        PID:4360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b120795e-257a-42bd-9bf3-880b268f35a5.vbs"
        21⤵
        
        PID:5064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f670e36-7832-4a53-93f7-17fa41086394.vbs"
        19⤵
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9353f745-2c48-4fde-8f56-9f86f81bf751.vbs"
        17⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14742e96-eac7-4378-bcfa-e6cf0fc62598.vbs"
        15⤵
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abf64a61-32ac-40d5-9792-c7acd802c547.vbs"
        13⤵
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ead92bbe-8365-45b6-879c-89a6fbfeaad0.vbs"
        11⤵
        
        PID:532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82429b8d-9095-418d-82ab-c2552fa84ec9.vbs"
        9⤵
        
        PID:4872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52f28b04-e935-428f-93f5-a09391776d67.vbs"
        7⤵
        
        PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\BridgeRefruntime\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\BridgeRefruntime\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\BridgeRefruntime\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat

Filesize
46B

MD5
b634ab06c0798f4284c2fcf23c1fc85a

SHA1
a312a6a8dbd3fdd70e9919ffaa1b777213cf2e93

SHA256
20d420d40ee7aadb457e5a8dba9d099fb66d4810675a985a26ebf36141d8e250

SHA512
ae801ea89737efecc5be1c580bad10c75ee9f31f2685473bbb5512b024c355c62a7d122db5042dbfb96add27041fd2601472c57b075424d12261302804b5733c

Download Submit
C:\BridgeRefruntime\ProviderreviewDriver.exe

Filesize
2.9MB

MD5
15462778cb5d131fdbde43b845ca3385

SHA1
e11137a2d3643fa0569e57257f7b673b29f0ee86

SHA256
7082a4ae4749fc09c3b618986952c23aa6db2ee906da896b9a517685e56b8572

SHA512
1f58961f5367153539c8039e8cfafd1f74bcf09550912326d1274ec5b91ff578c0126c4f36c1916384364c74ed2a4b97013a4e6ff6b25567822eac8dabfcde6b

Download Submit
C:\BridgeRefruntime\RCXC720.tmp

Filesize
2.9MB

MD5
ecb8a56fde8d50c2fe56a26c033b8a39

SHA1
dd3f7bc75f354915ca4f71b9f2d581b0d8dc9896

SHA256
47d4a340d406fb9c8de309a6457493ea3b4249f7bf3fc21618697466e08e5188

SHA512
5c8ce67ffc7ed3a5e66259a3ae3ed35d4666e75131b4955b002bc96ff92cea6bf939641f7680e44f0edb136bdf2fe788a616cc74e1cf930fb773060ecce72bb0

Download Submit
C:\BridgeRefruntime\RO6jJbtsE.vbe

Filesize
213B

MD5
1217656e699a8ae1e62ad9b7059e215a

SHA1
3e9710cc62fcaf451a305be0fe047dfadd631e45

SHA256
710eab849bf0c066cb136771f1d4dc72bc2b13598c209508db16a3770d54286f

SHA512
ae775b9f675455bbb78a879f38e72e500607a6a22168591a599a04337229316fdbdd0b496d69e97c423a4e917d9174e039e0e4f80b8bc94a7d5b3f99887d3f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
9b0256da3bf9a5303141361b3da59823

SHA1
d73f34951777136c444eb2c98394f62912ebcdac

SHA256
96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e

SHA512
9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c619604-0dcc-49a0-972d-66961983f052.vbs

Filesize
710B

MD5
e12cd181993c3336430168af2dd8d660

SHA1
4003c60b6ebcdf404b0748e149d73bd13febf945

SHA256
1d6ae8e22d48490201bda3f0fe94f65a1880bf719566bd965be50c1d5caf0bb2

SHA512
99fce4ee5481b45a2ad36450b66c5912269601b190a7e25f6a70cac6b4f4fe200240bcc2596b1c993b0227a276bd7494419767c1348202d8a5667c5dcc3ad323

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e72e7f7-214c-45a4-8a73-9a24ec01d46a.vbs

Filesize
710B

MD5
61803915c9b57a4232809f4155968c28

SHA1
28804d70f7b7e559a7a03314ef771fe420dc3fc9

SHA256
0a5aba19d0b849e3e96f821e0af50613dfdb7c2ac9ebbf54c1725bcbc2453698

SHA512
21cdfff033ede730c219d2bcac9bc43c37b96063344576d9464a19589224d11705403597aa6e6cdfe8457632865e0995e7ce3910fcb64795259ad360483ede6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\462af080-526b-4f15-9d25-ca28e5e8fb7d.vbs

Filesize
710B

MD5
2d1fe5e0dd8d8d518ef01e01dda2eae4

SHA1
e5bad42eb61799e7874cc89c74574a0407c658d9

SHA256
a3f940e5065c447c90e5fd391d0382e2beb902aa9c02fd3a58fa269226b6e242

SHA512
c737def8a6b825bae73847fcc6ee3b1175c495c9ad7ca8ecce3546ab64af1a7cc7fd0130b0f14c56407d67cde8c32db1f151965d37d20113673bd4f74cfc712b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e6134d8-b346-4c82-b63a-abbb5888dee8.vbs

Filesize
709B

MD5
fad079ed8068da00d8484149fe2d6c4d

SHA1
3b6e4d449fb7e0486f724041e2d9a1ecd04e7847

SHA256
655ac4cc838ae85d90c625363ac07c5f09832b64d23c2633318ef81aeeb065a0

SHA512
6e00347fe21649d4a955bcce4ed03dba200ef5c33a00eeeb80e6d76485630faf2e1766e274801460a897e3ef02ba04d46caacf7bfc742472fed85121b135518c

Download Submit
C:\Users\Admin\AppData\Local\Temp\52f28b04-e935-428f-93f5-a09391776d67.vbs

Filesize
486B

MD5
a78905774a2cc7288bcea24f24458d56

SHA1
5e7d672730cfb7a704b436b5136f2e02aa6fc552

SHA256
047a3e423ce7b5bc966b6592ba5875116cd7f90c4fa040affaf6e63d3679998a

SHA512
9477a218aace5e1dee83dc7a489a5ffb5a2dcc4f0a360662b61b95f2e0453be7d82cc157743be36207ae7610ee4ec4bd6186207e2c8a037c4d41bd56e7fb550c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c1b984e-a860-4f4d-bb29-0c2647875aa1.vbs

Filesize
710B

MD5
918d89117feeaa4c5dda465eaf1a7603

SHA1
813d219c1a7d3506bd9a40e87c8ae60e88dd9a94

SHA256
981fbe8eb44109bc08d4f60c2f87b973d76a6edb5e4c16580c5ad6e4c152e39b

SHA512
38b462e864df762add27f30a58bad1147020880e689989825b4ecc896f336ede45b5e16eb8602228cf1d48c1b6483fed5d4ada519bae45c40790ba0c20e0651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yhvcq1jo.mg0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7a8409c-3b2b-47b6-9f65-b2febcbffb1a.vbs

Filesize
710B

MD5
2aac058c7913f268ba88db91563313d4

SHA1
c5e66e5b36f921df40e7379c0f4417745f2e3f2f

SHA256
69cfde2ace071bfd5b0e3ea3ebd701fd7c2745cd5a096bc2bed7dc98a79af178

SHA512
85f1bf66d0752db74d9e84cd39fb8323514463202fcf9e1fbd07d6d685797a82739ce2720c47d895e92a302f39c981d5262c4cb801ce2b0023a2b03649da7c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b126be3d-cbee-4532-930d-b35749c77d72.vbs

Filesize
710B

MD5
c589cb6685af1ec2ad170d3a7d0bfb4a

SHA1
bb5d8ce8c94fce206ebecf3d4cf77cb7ba938202

SHA256
8bf492af8bc1b9452e1494ebefd7c48527cfe3fcd6f7bfdfee373e121e171b90

SHA512
40e7513ce918ff539e82ecc21ead14ae265829d632435119214c480ac9153079ab0a83ec4a68312e31ed10dfc7ae925794a206dddcf45dc34ee161b8f58f1192

Download Submit
C:\Users\Admin\AppData\Local\Temp\c27d0453-e11e-45dc-95f1-973fc2aee910.vbs

Filesize
710B

MD5
254f20ff1c9c6042952b032745e47f9c

SHA1
c068bc67b18e1810817a2178a304b1b81e787940

SHA256
647bc62a6849b4fe131fcdaaec9cd84288d9a6ddd6fe158f9b57facdd236fa29

SHA512
06df33821dedc757b1edab3026d559c6fc97a85fa32f92968942af5104a40145e60245010a09e719aa98d35b39a55779ec5322ded0af046d70c8255cdca7feca

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8a97ad1-53e9-4b25-83a4-16f960ab4407.vbs

Filesize
710B

MD5
1c9affbef3c570b08a769f705706a5be

SHA1
d0db0c3cf8a35e8330070910e54e0cf7c9c6c359

SHA256
a2d4bfc2d37673e28e03db3b6de4b6deaf5b545659a4dc48035962728123883b

SHA512
8e754433fa4a0572fdafe80da3c5e79e829bae0ee06fd339430873b3306e3abfcefd5509a28f69d87bbc5a536e623d1aa1ab89d437bbeb28fed7128a661a2dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\daa85f5f-f42c-4122-a24b-24c3b1588474.vbs

Filesize
710B

MD5
bfa9ee7167118b1d33389857c02e9167

SHA1
51c83dd564974e688626fead4db582bf7532252a

SHA256
706ad6cf607dd57de4dbbb4f3982bae7fdab4d5c09caa49f95aaa0e3237011f2

SHA512
4e96ae728d85208e48bdfdb28016b3de931ba44fb1c95297afd99df5acf3e5ea1e5035ce8ab55a84ac0f0b5eb72423400e69b8c6ccfe19c3f4fe425b57223372

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea4fe2a8-c4e4-4c9f-b6cd-dfc4fe3586c0.vbs

Filesize
710B

MD5
622c19720b5330ca80720c288edb9e2e

SHA1
8d4b6c0d45dda448687328146e48bab224fd6902

SHA256
358a71a93a60cae021c2236df6f56c11967599e043c162fdf3376e5ddf8cb3e2

SHA512
765a1d0c3731018fc9f230dd9619585edd59c85dcd3fa96755c6d25947b99997876b5e405cf26060661ad04d6684c8756b054c952c7cf6b7123d09b7bca58fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecd24fe7-77b3-4105-85f7-6a03d3cae0ff.vbs

Filesize
710B

MD5
3fe40eeb8eda9f205f72515f21093363

SHA1
55cedcd5888df92923469a4f4a68ffa4529b3a27

SHA256
573b570d9d5e830358cefc35d236a3a559fff9049b2bb2c41a9d3e4443a01e8f

SHA512
d68f544acb7fee310a18538214a0b5c8b3313e3e45686d3931cbc8b3e3be9086a610d91581c552013b348a860c04e08d8638d45f84474af3f9cb2efc091ac6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f74315eb-7996-4b54-8e28-430d0de86ba7.vbs

Filesize
710B

MD5
13a5a089871d8d7bf4e7af8d5ca1d8ea

SHA1
405f76d6592aac7ac62eb6a9c3c74924779d8df3

SHA256
2d60d032a06d5ee8833ecdcbdec695b77a8113685e8970a9a6a884120be1f145

SHA512
5eaa321d8f18214388efaa48ca0241db56e87beef25a04085a8ae78d2b62ccd3295f774590522f0c6d81e46ff9c0068f43526cb5f153d25b37a6a54aef7545ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\pg6iMfcDeU.bat

Filesize
199B

MD5
8d76997afa55dca605b92798a4beae9b

SHA1
77576a7cdeb269cd134e3f5752fa75cc41edda84

SHA256
73b00789d6122c2989fa38e52122e8cd5674e14d65905c2b97ce4acce88df105

SHA512
5f2eb698be1a070af91fef7971481526daddc2bc2ea8849c055aaf5bc032d62176906b59143d71477a6df93dbf0e862002ddff2d4d347252e757f0abe9158cda

Download Submit
C:\Users\Default\winlogon.exe

Filesize
2.9MB

MD5
ab18e85723b8f9f1728e857c09fa453a

SHA1
50773796d9f5c79161ec22ce41311dd7f6156faf

SHA256
419aa87a6b46ae885d0d0235b4365d9a12bf384ccfd0b38efa0a99ec54a98546

SHA512
5cc5ac32e9b996782baff3ee39b166992ca420157a56909eef725241934097d972c2b52c5fa7b4a5ce445e5a9cbb873dc8f661ddfdc2e769aa2f38d77c1f058b

Download Submit
memory/1528-199-0x000000001C090000-0x000000001C0E6000-memory.dmp

Filesize
344KB

Download
memory/2096-266-0x000000001B3D0000-0x000000001B426000-memory.dmp

Filesize
344KB

Download
memory/3448-23-0x000000001C2C0000-0x000000001C316000-memory.dmp

Filesize
344KB

Download
memory/3448-19-0x00000000030B0000-0x00000000030C6000-memory.dmp

Filesize
88KB

Download
memory/3448-36-0x000000001C560000-0x000000001C568000-memory.dmp

Filesize
32KB

Download
memory/3448-38-0x000000001C590000-0x000000001C59C000-memory.dmp

Filesize
48KB

Download
memory/3448-34-0x000000001C540000-0x000000001C548000-memory.dmp

Filesize
32KB

Download
memory/3448-35-0x000000001C550000-0x000000001C55C000-memory.dmp

Filesize
48KB

Download
memory/3448-33-0x000000001C530000-0x000000001C53E000-memory.dmp

Filesize
56KB

Download
memory/3448-12-0x00007FFEBC163000-0x00007FFEBC165000-memory.dmp

Filesize
8KB

Download
memory/3448-32-0x000000001C420000-0x000000001C42A000-memory.dmp

Filesize
40KB

Download
memory/3448-31-0x000000001C570000-0x000000001C578000-memory.dmp

Filesize
32KB

Download
memory/3448-30-0x000000001C310000-0x000000001C31C000-memory.dmp

Filesize
48KB

Download
memory/3448-13-0x0000000000C70000-0x0000000000F62000-memory.dmp

Filesize
2.9MB

Download
memory/3448-29-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

Filesize
48KB

Download
memory/3448-28-0x000000001BC90000-0x000000001BC98000-memory.dmp

Filesize
32KB

Download
memory/3448-27-0x000000001BC80000-0x000000001BC8C000-memory.dmp

Filesize
48KB

Download
memory/3448-14-0x0000000003060000-0x000000000306E000-memory.dmp

Filesize
56KB

Download
memory/3448-26-0x000000001BC60000-0x000000001BC68000-memory.dmp

Filesize
32KB

Download
memory/3448-25-0x0000000003220000-0x000000000322C000-memory.dmp

Filesize
48KB

Download
memory/3448-24-0x0000000003210000-0x000000000321C000-memory.dmp

Filesize
48KB

Download
memory/3448-22-0x00000000030F0000-0x00000000030FA000-memory.dmp

Filesize
40KB

Download
memory/3448-21-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/3448-20-0x00000000030D0000-0x00000000030D8000-memory.dmp

Filesize
32KB

Download
memory/3448-37-0x000000001C580000-0x000000001C58A000-memory.dmp

Filesize
40KB

Download
memory/3448-18-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/3448-17-0x000000001BC10000-0x000000001BC60000-memory.dmp

Filesize
320KB

Download
memory/3448-15-0x0000000003070000-0x0000000003078000-memory.dmp

Filesize
32KB

Download
memory/3448-16-0x0000000003080000-0x000000000309C000-memory.dmp

Filesize
112KB

Download
memory/3700-154-0x000000001BC30000-0x000000001BC86000-memory.dmp

Filesize
344KB

Download
memory/4884-141-0x0000000000250000-0x0000000000542000-memory.dmp

Filesize
2.9MB

Download
memory/4968-90-0x0000027D79D90000-0x0000027D79DB2000-memory.dmp

Filesize
136KB

Download