dcrat | 5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23

Analysis

max time kernel
126s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Size

3.2MB
MD5

1554ae8f1316eadf351b3e6f5e7fc9e6
SHA1

1fe722cd6f6e6739a2566c920931bc2f057ac55c
SHA256

5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23
SHA512

56bf054fa85f534a5b5896a21b4b511c564ffbb0a8b1685054c521d09a9122c848c5818d6518092d33da4c02b79dea6622ef7fd48ab22271522a9d7878a2883d
SSDEEP

49152:UbA30LfTBVuy0VtNUBslYt04P0GliFkO6Uo67iX0bCLuI9+E8Dt:Ub/7nL0jCB6q0goyUonuI998Dt

Score

10^/10

dcrat discovery evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1372	schtasks.exe	34

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

services.exeservices.exeProviderreviewDriver.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x000800000001630a-9.dat	dcrat
behavioral1/memory/2320-13-0x0000000000850000-0x0000000000B42000-memory.dmp	dcrat
behavioral1/files/0x00070000000175e7-67.dat	dcrat
behavioral1/memory/2864-92-0x0000000001380000-0x0000000001672000-memory.dmp	dcrat
behavioral1/files/0x0007000000016c56-1036.dat	dcrat
behavioral1/files/0x0009000000017491-1041.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
1424	powershell.exe
1072	powershell.exe
1688	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

ProviderreviewDriver.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	Process
2320	ProviderreviewDriver.exe
2864	services.exe
2116	services.exe
2272	services.exe
3036	services.exe
1756	services.exe
2220	services.exe
1668	services.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2916	cmd.exe
2916	cmd.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

services.exeProviderreviewDriver.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in Program Files directory 10 IoCs

Processes:

ProviderreviewDriver.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXB32B.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXB32C.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\RCXB53F.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Uninstall Information\ProviderreviewDriver.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\ProviderreviewDriver.exe	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Uninstall Information\11468b80d01686	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\c5b4cb5e9653cc	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\RCXB540.tmp	ProviderreviewDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1554ae8f1316eadf351b3e6f5e7fc9e6.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2656	schtasks.exe
2728	schtasks.exe
2300	schtasks.exe
2216	schtasks.exe
592	schtasks.exe
756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ProviderreviewDriver.exepowershell.exepowershell.exepowershell.exeservices.exe

pid	Process
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
2320	ProviderreviewDriver.exe
1072	powershell.exe
1688	powershell.exe
1424	powershell.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

ProviderreviewDriver.exepowershell.exepowershell.exepowershell.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	pid	Process
Token: SeDebugPrivilege	2320	ProviderreviewDriver.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2864	services.exe
Token: SeDebugPrivilege	2116	services.exe
Token: SeDebugPrivilege	2272	services.exe
Token: SeDebugPrivilege	3036	services.exe
Token: SeDebugPrivilege	1756	services.exe
Token: SeDebugPrivilege	2220	services.exe
Token: SeDebugPrivilege	1668	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1554ae8f1316eadf351b3e6f5e7fc9e6.exeWScript.execmd.exeProviderreviewDriver.exeservices.exeWScript.exeservices.exeWScript.exeservices.exeWScript.exeservices.exeWScript.exeservices.exe

description	pid	Process	procid_target
PID 2100 wrote to memory of 2388	2100	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	30
PID 2100 wrote to memory of 2388	2100	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	30
PID 2100 wrote to memory of 2388	2100	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	30
PID 2100 wrote to memory of 2388	2100	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	30
PID 2388 wrote to memory of 2916	2388	WScript.exe	31
PID 2388 wrote to memory of 2916	2388	WScript.exe	31
PID 2388 wrote to memory of 2916	2388	WScript.exe	31
PID 2388 wrote to memory of 2916	2388	WScript.exe	31
PID 2916 wrote to memory of 2320	2916	cmd.exe	33
PID 2916 wrote to memory of 2320	2916	cmd.exe	33
PID 2916 wrote to memory of 2320	2916	cmd.exe	33
PID 2916 wrote to memory of 2320	2916	cmd.exe	33
PID 2320 wrote to memory of 1424	2320	ProviderreviewDriver.exe	41
PID 2320 wrote to memory of 1424	2320	ProviderreviewDriver.exe	41
PID 2320 wrote to memory of 1424	2320	ProviderreviewDriver.exe	41
PID 2320 wrote to memory of 1072	2320	ProviderreviewDriver.exe	42
PID 2320 wrote to memory of 1072	2320	ProviderreviewDriver.exe	42
PID 2320 wrote to memory of 1072	2320	ProviderreviewDriver.exe	42
PID 2320 wrote to memory of 1688	2320	ProviderreviewDriver.exe	43
PID 2320 wrote to memory of 1688	2320	ProviderreviewDriver.exe	43
PID 2320 wrote to memory of 1688	2320	ProviderreviewDriver.exe	43
PID 2320 wrote to memory of 2864	2320	ProviderreviewDriver.exe	47
PID 2320 wrote to memory of 2864	2320	ProviderreviewDriver.exe	47
PID 2320 wrote to memory of 2864	2320	ProviderreviewDriver.exe	47
PID 2864 wrote to memory of 792	2864	services.exe	48
PID 2864 wrote to memory of 792	2864	services.exe	48
PID 2864 wrote to memory of 792	2864	services.exe	48
PID 2864 wrote to memory of 2040	2864	services.exe	49
PID 2864 wrote to memory of 2040	2864	services.exe	49
PID 2864 wrote to memory of 2040	2864	services.exe	49
PID 792 wrote to memory of 2116	792	WScript.exe	51
PID 792 wrote to memory of 2116	792	WScript.exe	51
PID 792 wrote to memory of 2116	792	WScript.exe	51
PID 2116 wrote to memory of 2852	2116	services.exe	52
PID 2116 wrote to memory of 2852	2116	services.exe	52
PID 2116 wrote to memory of 2852	2116	services.exe	52
PID 2116 wrote to memory of 896	2116	services.exe	53
PID 2116 wrote to memory of 896	2116	services.exe	53
PID 2116 wrote to memory of 896	2116	services.exe	53
PID 2852 wrote to memory of 2272	2852	WScript.exe	54
PID 2852 wrote to memory of 2272	2852	WScript.exe	54
PID 2852 wrote to memory of 2272	2852	WScript.exe	54
PID 2272 wrote to memory of 2540	2272	services.exe	55
PID 2272 wrote to memory of 2540	2272	services.exe	55
PID 2272 wrote to memory of 2540	2272	services.exe	55
PID 2272 wrote to memory of 2376	2272	services.exe	56
PID 2272 wrote to memory of 2376	2272	services.exe	56
PID 2272 wrote to memory of 2376	2272	services.exe	56
PID 2540 wrote to memory of 3036	2540	WScript.exe	57
PID 2540 wrote to memory of 3036	2540	WScript.exe	57
PID 2540 wrote to memory of 3036	2540	WScript.exe	57
PID 3036 wrote to memory of 2496	3036	services.exe	58
PID 3036 wrote to memory of 2496	3036	services.exe	58
PID 3036 wrote to memory of 2496	3036	services.exe	58
PID 3036 wrote to memory of 304	3036	services.exe	59
PID 3036 wrote to memory of 304	3036	services.exe	59
PID 3036 wrote to memory of 304	3036	services.exe	59
PID 2496 wrote to memory of 1756	2496	WScript.exe	60
PID 2496 wrote to memory of 1756	2496	WScript.exe	60
PID 2496 wrote to memory of 1756	2496	WScript.exe	60
PID 1756 wrote to memory of 1740	1756	services.exe	61
PID 1756 wrote to memory of 1740	1756	services.exe	61
PID 1756 wrote to memory of 1740	1756	services.exe	61
PID 1756 wrote to memory of 1676	1756	services.exe	62

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeProviderreviewDriver.exeservices.exeservices.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1554ae8f1316eadf351b3e6f5e7fc9e6.exe
"C:\Users\Admin\AppData\Local\Temp\1554ae8f1316eadf351b3e6f5e7fc9e6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeRefruntime\RO6jJbtsE.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\BridgeRefruntime\ProviderreviewDriver.exe
      "C:\BridgeRefruntime\ProviderreviewDriver.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\ProviderreviewDriver.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\ProviderreviewDriver.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2864
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa675419-12b3-49a3-9460-3fc071513f51.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5674cf83-cc12-4ade-a9a5-a61dcd4f61af.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9865a2cb-81cd-4b2c-b37f-24ae31e8ae26.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\118db6d2-20d0-4c0d-a4a8-7d0766fbca66.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\431456bf-97d6-49bc-86f8-c7c1297f13a0.vbs"
        14⤵
        
        PID:1740
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c304219-ce82-40fa-a627-eda361b70796.vbs"
        16⤵
        
        PID:868
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3c2f3b6-e88b-4022-8ef4-cc7970ef1b2a.vbs"
        18⤵
        
        PID:1752
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe"
        19⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e36bd49a-cb7f-48f2-b966-9d5a1d776ad6.vbs"
        20⤵
        
        PID:2500
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe"
        21⤵
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1d8f19d-ca79-45fc-a95b-e6cf95f63a5a.vbs"
        22⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb692ea6-a518-4b99-82cf-28a57af98d35.vbs"
        22⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4049a7c7-2925-4022-beab-5023d01feb29.vbs"
        20⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b29eda75-33ba-4f9a-a3d8-c8ff52c5da8f.vbs"
        18⤵
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b3dfd4b-b56a-49f8-97b9-51f2fd494833.vbs"
        16⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\011d3b30-451b-40b9-867b-3c4879dddefb.vbs"
        14⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f5bc300-6d38-4c68-855c-690f8a9f131f.vbs"
        12⤵
        
        PID:304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83770a6d-5464-4df5-b1ac-89dbc2374cd4.vbs"
        10⤵
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1103d2a1-89fa-447b-a5c3-4940e17abf6c.vbs"
        8⤵
        
        PID:896
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\923fc49d-338f-4d31-8097-1b6e55b94863.vbs"
        6⤵
        
        PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderreviewDriverP" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\ProviderreviewDriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderreviewDriver" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\ProviderreviewDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderreviewDriverP" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\ProviderreviewDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat

Filesize
46B

MD5
b634ab06c0798f4284c2fcf23c1fc85a

SHA1
a312a6a8dbd3fdd70e9919ffaa1b777213cf2e93

SHA256
20d420d40ee7aadb457e5a8dba9d099fb66d4810675a985a26ebf36141d8e250

SHA512
ae801ea89737efecc5be1c580bad10c75ee9f31f2685473bbb5512b024c355c62a7d122db5042dbfb96add27041fd2601472c57b075424d12261302804b5733c

Download Submit
C:\BridgeRefruntime\RO6jJbtsE.vbe

Filesize
213B

MD5
1217656e699a8ae1e62ad9b7059e215a

SHA1
3e9710cc62fcaf451a305be0fe047dfadd631e45

SHA256
710eab849bf0c066cb136771f1d4dc72bc2b13598c209508db16a3770d54286f

SHA512
ae775b9f675455bbb78a879f38e72e500607a6a22168591a599a04337229316fdbdd0b496d69e97c423a4e917d9174e039e0e4f80b8bc94a7d5b3f99887d3f31

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\RCXB540.tmp

Filesize
2.9MB

MD5
ecb8a56fde8d50c2fe56a26c033b8a39

SHA1
dd3f7bc75f354915ca4f71b9f2d581b0d8dc9896

SHA256
47d4a340d406fb9c8de309a6457493ea3b4249f7bf3fc21618697466e08e5188

SHA512
5c8ce67ffc7ed3a5e66259a3ae3ed35d4666e75131b4955b002bc96ff92cea6bf939641f7680e44f0edb136bdf2fe788a616cc74e1cf930fb773060ecce72bb0

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\services.exe

Filesize
2.4MB

MD5
99997f3ea0b2e078745635d01ee85086

SHA1
518ef69eff3764a7b478020d519bd8b4dff55c29

SHA256
ff5c5a635dcbc8a5fe646941e21ec5cb97605cb476bfeee944646250c5f00763

SHA512
83426c323fae7b711b23c60b99384729b06b0a04c91a93afebce077313e77cfec1cbbd901c3b8efeaa463f0e0528cb5eac34097875cfdef4eb84fab2bffd4ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93d7077612fe0a9aa219f8f31d906284

SHA1
20efc5fb4752c05ef3dfbbbf40b830ee857b96e5

SHA256
20b9466e39f4ac5924d444929d6b2ad8f875e0562aab8d80cc9984424420f31b

SHA512
eb121d42073de98fe0f05d6c89f25aad6fc088adb1a0e33a4a147db22068d29438b8566e97c929e1a9a9b05c32d6504788c5d966fb5ec6b79196f2382a4c1824

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb7bc3874809b68a19c2a65e242ec289

SHA1
1c22efe30c6c0604975303d491372df1d4f0f60e

SHA256
b364a5e5cffbab752a043abfb0aa4578646cc88ea8f52feddfc2ed5afe9ff0e3

SHA512
565191798fd190a47a304921bd98582c204a05531bcd3c84e3bfaff0cefbaa3bf0b89da1b49f8238d6cee2bcb5f8af63ac67f22eff56c8466574c10865613675

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98c3bd895f7271284f80a6773057da4c

SHA1
5608ca43cc3c181ef885a779b3ac646e23c498f5

SHA256
67cd7d7ae187b5fb2e98b5b570310bdea08c5fffb3301d2dfb3566eb1bef84e9

SHA512
fa1e56c99933c00ebaa327115ae12657694829f1048da97bb2453537dbdab4682293ca5d7233280de66a61b72ddcc28d915094a88e4e5b0f0e9a8441d7850f0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca9c11c9d767f08afbdd258232698ffc

SHA1
ec28d35144b6fd6db998ac3fa0241897fb11c169

SHA256
29430eb06780789b2cffe0e59ade4dbb2bd0c51c636bbe8031d2460c723bd055

SHA512
db27c51361a4a7fff92fd9a12d775a83eb9efe44897963e30b6b0b82ec9066fa4bce4558a8ee388616cc9c4cabef7a72feed65dc93f9f9f99cfef3771fdaa9f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b8b5ba2fcce923eccb5170de2c6359d

SHA1
1ecfa7fc5fa85f98e934df84ef5ac0c35da58c91

SHA256
37e9f309fecacafd77d0998ab7ed1ba6cf426cc31770d8252e9eb67a4438aaa2

SHA512
f5ff243353700754591477c6d03ae9db1828049e8c75fed6e699cc40ebf761dd04588f02ef618ad06b82833c0f6706790de272a88574d9e9e37363fe91392f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6d5ef68e46c1ee350949ac3fd9f7b99

SHA1
2e9611962c778deaf0d1cb0afae5df3b36c64380

SHA256
d20f96861a0c878b9ca06f0c8a511951004eb7b5968f64597793748a38f21e33

SHA512
b1fdbb9e9f956f4ef18f3f158dec4ffa83b4c54919c763c968c4a192f7bfde861be50638382dc247913d0f66a999ed73aa3d8df4021e9ecafbfdd0fe34662bee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c4c91244e0af522e58f20afe5831176

SHA1
b543f902f41882f702659ee025647dd8c84ab955

SHA256
c1afc6c316a43dc96722ca8daded119504e7c4454479eb151527cdabc94907bb

SHA512
dd8e691a811def426a9364bdf3b60e2b4a5d8da5c50bce79949589be0ecab9c661ea87b130e63908fbfa1282258c9cb14417e0471cfa68b5e9f30ea7ccc5804c

Download Submit
C:\Users\Admin\AppData\Local\Temp\118db6d2-20d0-4c0d-a4a8-7d0766fbca66.vbs

Filesize
743B

MD5
7f14ce21609625234279a4d226858e92

SHA1
8cb963299a9761b62dbf4367c693f54b1a250b35

SHA256
2972f4b5b720c2539772efe5d622817113d3d5bdc5c5d11beddf8ade43b8b137

SHA512
c3bdb1ceadb1c4cb6dfc6dc4e29a7cd271cab717b6a89ec1df2f094df812db86cd3bcc9480176637f8095a39d82428591d291141347c16eb6464eeeb694f8e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\431456bf-97d6-49bc-86f8-c7c1297f13a0.vbs

Filesize
743B

MD5
f2ce76d1ec0f29b597b99910fabbffb4

SHA1
f3cd2d307f3482a335e6081d1f2cc974dee4e39c

SHA256
9a52ed39ca8123d7af3fe0b590e0ef07417b0360a683b4ed0a405b1a8cf25cf5

SHA512
4f11235ddeec81a34d8212c6b25bbb23ab55ed2e388c09c461bde15e873c4d05d37f5e0cd6c2cc52791fefe4937a7c73c8ffaa3eab194f1f386c7e94521045c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5674cf83-cc12-4ade-a9a5-a61dcd4f61af.vbs

Filesize
743B

MD5
ebc8f47d7285a3aac7885ac99a1034fb

SHA1
a26ade8e842efb76cafd6fd7c9d58e1fc9e32adf

SHA256
89cae5dc3252e735740ee5676bd76ac0966f5f63008dbcef0e0fbe7b8030ef19

SHA512
0088609a84fbd665afd274f337e61cd1be62c4b304892901c6625879188d2d2fa14b394f38ed6be3ac1f6f9b4785116fc921c5a888c6069966c6ebb9c998de6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c304219-ce82-40fa-a627-eda361b70796.vbs

Filesize
743B

MD5
59348d2fd59759c7f398b34eb9f11056

SHA1
417742a52ff3fad07e2db0c17a088d2edebf4ff0

SHA256
ed4ae3e561302b11ae299a6a8cbd055df61a5034f47ae770e73d1dda8db8cf36

SHA512
ba72860adc7140fffa01d60aad03166b5088efd1d0e2057f9f6ff114908d7e9a0d6d74a580f50321cfcfecae7c0fcea25f71f7b19eaa5341a05522499192a773

Download Submit
C:\Users\Admin\AppData\Local\Temp\923fc49d-338f-4d31-8097-1b6e55b94863.vbs

Filesize
519B

MD5
437ee16af53d21832641b0db391739fa

SHA1
b6ea15dc58c87e70197e9ce2d7f689242bae6423

SHA256
1b0389dbbe44395c7288c1e37ad78fac3d95ae0a148388000a3bc46a562832b3

SHA512
60a88603a009aa510ca30dba746849f31d626221c4c1212f33b7aadff00ae7513f997c0144c8839decb604c9ae5368e1ef9c5bf4340fc8a8b868e510e7013dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9865a2cb-81cd-4b2c-b37f-24ae31e8ae26.vbs

Filesize
743B

MD5
ad60c743c4ff5e4a4224662d7a33422c

SHA1
653bdf3ba4f307653791299b51d652192de20a80

SHA256
548b18fa1dcd2fbbc177d04430f963bbeb51905f97eb815b4ebff4046e122158

SHA512
c6059f8804830e3d5541af0ac735d8cf5dd73a91ccf645ac8fb7a905d410d99e1275bf50469c4a5d95cf6392effd9dbab053c5291a31347df65949f942ec2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEE09.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE1B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa675419-12b3-49a3-9460-3fc071513f51.vbs

Filesize
743B

MD5
b4e5e75f9b72962ef8d01312f208986c

SHA1
bacd038386047319b4e76f3c579a2b40dc7de505

SHA256
e30bd3660177ea329da36ad8e52612b9c34245ac2393f99c50241cee780345b8

SHA512
1eadeb8b0ce3c4832f90237485032ef4bd3f246929d4d05046f675133d54a2b6937f3c40eaaa20cca5188e7620527331abdaedb0b81b246e6ca2c06c77d02f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d8f19d-ca79-45fc-a95b-e6cf95f63a5a.vbs

Filesize
743B

MD5
d315314a0d145423610c02fd7e946353

SHA1
4b66ea395ca26a13be518bc0bbec05111d361b49

SHA256
d532132489264c70a4a2e1f16b0fff2d019d148ca761674b219a0d2cfb569db6

SHA512
d35b53f59692c33118a8af52765c79672c4948bff5904718fb151ea46aa63bafa943018ea92b5280aead6ac1d92fa96cac4a2badc498913a85aa5853151bd3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfbe53075e9256ea58148e7daa12d85a195e1973.exe

Filesize
1.4MB

MD5
c4959da27bf09d288bd8c529ecf6c6c7

SHA1
0bc7b0aeb5412759e40b148645965f3dab938da2

SHA256
27a7789336c425c47028da82c2add4368ca2082f1228df8a3660f925c0841884

SHA512
7dbfcc0d4308983d608fcf345728d3242bebdfbacfad3a4b416856ba5c8b13c761479ce140b7a0b271ea6ac9f3a5384620a1ebe029847b8e17279a564f8b7b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e36bd49a-cb7f-48f2-b966-9d5a1d776ad6.vbs

Filesize
743B

MD5
2fd064dabcae34efbd21c10bfeab4ba5

SHA1
1924b19dbbd8346f42acb282f0d6eeea412f3f59

SHA256
78506ce9dd62762a2d6d3b7b55a9189e4c0f7b8cdb56a24b17cae34ad30c7538

SHA512
439c31e3cecf764e22037afa24aa252e1873a2a00803f40f7100a42a0d52a080455b40ec3616531015c58903f767fd78fb1a3d8211295a925312694261bfebad

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3c2f3b6-e88b-4022-8ef4-cc7970ef1b2a.vbs

Filesize
743B

MD5
44b24f25867c472021f6a7884aa83383

SHA1
355ea4234e89c8d85ef29cb1182497db92d07371

SHA256
0dcf629662a690a6f35817b3c54f0c23c3c695c24d4ae03a64a98724c3dca48c

SHA512
4db427321232e58b5c3c5102f5a4c0ee8b2b0b3742608ed6f106d9bc11cf9080d66bea1224217fffbf0267e82fa647878251316bea1ffb5d27b519eac5278621

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f360df37dc6e079637b0c3637f364478

SHA1
7b90e64422b8e021a592f53558733913521efa79

SHA256
f4a1a27cdff0c3f7b0a219b935c311885221ad5e6c874cbbe1de3a8df7db5a9f

SHA512
85d0347f9c17e044499f3a614ec633fc2afd101938bf5e67f904ab6ac2e7979ebe0f0cf1e9be94fd3bdf7c323781a61965cfadad300e4e15fc491a771aa3e3a3

Download Submit
\BridgeRefruntime\ProviderreviewDriver.exe

Filesize
2.9MB

MD5
15462778cb5d131fdbde43b845ca3385

SHA1
e11137a2d3643fa0569e57257f7b673b29f0ee86

SHA256
7082a4ae4749fc09c3b618986952c23aa6db2ee906da896b9a517685e56b8572

SHA512
1f58961f5367153539c8039e8cfafd1f74bcf09550912326d1274ec5b91ff578c0126c4f36c1916384364c74ed2a4b97013a4e6ff6b25567822eac8dabfcde6b

Download Submit
memory/1072-93-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1072-94-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1184-1037-0x00000000004F0000-0x0000000000546000-memory.dmp

Filesize
344KB

Download
memory/2320-23-0x0000000002110000-0x000000000211C000-memory.dmp

Filesize
48KB

Download
memory/2320-26-0x00000000023D0000-0x00000000023DC000-memory.dmp

Filesize
48KB

Download
memory/2320-37-0x000000001B140000-0x000000001B14C000-memory.dmp

Filesize
48KB

Download
memory/2320-36-0x000000001B130000-0x000000001B13A000-memory.dmp

Filesize
40KB

Download
memory/2320-35-0x000000001B120000-0x000000001B128000-memory.dmp

Filesize
32KB

Download
memory/2320-34-0x000000001B110000-0x000000001B11C000-memory.dmp

Filesize
48KB

Download
memory/2320-33-0x000000001B100000-0x000000001B108000-memory.dmp

Filesize
32KB

Download
memory/2320-32-0x000000001B0F0000-0x000000001B0FE000-memory.dmp

Filesize
56KB

Download
memory/2320-31-0x000000001AE40000-0x000000001AE4A000-memory.dmp

Filesize
40KB

Download
memory/2320-30-0x000000001B020000-0x000000001B028000-memory.dmp

Filesize
32KB

Download
memory/2320-29-0x000000001AE30000-0x000000001AE3C000-memory.dmp

Filesize
48KB

Download
memory/2320-28-0x000000001A870000-0x000000001A87C000-memory.dmp

Filesize
48KB

Download
memory/2320-27-0x000000001A860000-0x000000001A868000-memory.dmp

Filesize
32KB

Download
memory/2320-13-0x0000000000850000-0x0000000000B42000-memory.dmp

Filesize
2.9MB

Download
memory/2320-25-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2320-24-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/2320-22-0x000000001AED0000-0x000000001AF26000-memory.dmp

Filesize
344KB

Download
memory/2320-21-0x0000000002100000-0x000000000210A000-memory.dmp

Filesize
40KB

Download
memory/2320-20-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/2320-19-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2320-18-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/2320-17-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2320-16-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2320-15-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2320-14-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/2864-92-0x0000000001380000-0x0000000001672000-memory.dmp

Filesize
2.9MB

Download