dcrat | 5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe
Size

3.2MB
MD5

1554ae8f1316eadf351b3e6f5e7fc9e6
SHA1

1fe722cd6f6e6739a2566c920931bc2f057ac55c
SHA256

5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23
SHA512

56bf054fa85f534a5b5896a21b4b511c564ffbb0a8b1685054c521d09a9122c848c5818d6518092d33da4c02b79dea6622ef7fd48ab22271522a9d7878a2883d
SSDEEP

49152:UbA30LfTBVuy0VtNUBslYt04P0GliFkO6Uo67iX0bCLuI9+E8Dt:Ub/7nL0jCB6q0goyUonuI998Dt

Score

10^/10

dcrat discovery evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2764	schtasks.exe	34

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exeProviderreviewDriver.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0006000000018634-9.dat	dcrat
behavioral1/memory/584-13-0x0000000000AA0000-0x0000000000D92000-memory.dmp	dcrat
behavioral1/files/0x000600000001a4a0-83.dat	dcrat
behavioral1/files/0x0006000000019bf0-97.dat	dcrat
behavioral1/files/0x0006000000019d69-121.dat	dcrat
behavioral1/files/0x000600000001a05a-127.dat	dcrat
behavioral1/files/0x000900000001a3e4-173.dat	dcrat
behavioral1/memory/1036-234-0x00000000001C0000-0x00000000004B2000-memory.dmp	dcrat
behavioral1/memory/2452-351-0x0000000000140000-0x0000000000432000-memory.dmp	dcrat
behavioral1/memory/2820-470-0x0000000000F80000-0x0000000001272000-memory.dmp	dcrat
behavioral1/memory/2192-589-0x00000000001E0000-0x00000000004D2000-memory.dmp	dcrat
behavioral1/memory/556-709-0x0000000000380000-0x0000000000672000-memory.dmp	dcrat
behavioral1/memory/2480-828-0x0000000000EA0000-0x0000000001192000-memory.dmp	dcrat
behavioral1/memory/2952-947-0x0000000000FE0000-0x00000000012D2000-memory.dmp	dcrat
behavioral1/memory/2308-1066-0x0000000001220000-0x0000000001512000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2848	powershell.exe
2640	powershell.exe
2924	powershell.exe
2872	powershell.exe
2808	powershell.exe
2824	powershell.exe
2692	powershell.exe
2612	powershell.exe
2748	powershell.exe
2916	powershell.exe
2628	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

ProviderreviewDriver.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
584	ProviderreviewDriver.exe
1036	lsm.exe
2452	lsm.exe
2820	lsm.exe
2192	lsm.exe
556	lsm.exe
2480	lsm.exe
2952	lsm.exe
2308	lsm.exe
1992	lsm.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
1268	cmd.exe
1268	cmd.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exeProviderreviewDriver.exelsm.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe

Drops file in Program Files directory 5 IoCs

Processes:

ProviderreviewDriver.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\spoolsv.exe	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Windows NT\f3b6ecef712a24	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXDE02.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXDE71.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows NT\spoolsv.exe	ProviderreviewDriver.exe

Drops file in Windows directory 5 IoCs

Processes:

ProviderreviewDriver.exe

description	ioc	Process
File created	C:\Windows\fr-FR\69ddcba757bf72	ProviderreviewDriver.exe
File opened for modification	C:\Windows\fr-FR\RCXCA91.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Windows\fr-FR\RCXCA92.tmp	ProviderreviewDriver.exe
File created	C:\Windows\fr-FR\smss.exe	ProviderreviewDriver.exe
File opened for modification	C:\Windows\fr-FR\smss.exe	ProviderreviewDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2768	schtasks.exe
2664	schtasks.exe
2120	schtasks.exe
1608	schtasks.exe
2616	schtasks.exe
876	schtasks.exe
2904	schtasks.exe
2348	schtasks.exe
1260	schtasks.exe
1636	schtasks.exe
1648	schtasks.exe
2552	schtasks.exe
304	schtasks.exe
832	schtasks.exe
2668	schtasks.exe
884	schtasks.exe
1772	schtasks.exe
1388	schtasks.exe
1136	schtasks.exe
3020	schtasks.exe
2884	schtasks.exe
2972	schtasks.exe
2248	schtasks.exe
956	schtasks.exe
348	schtasks.exe
2212	schtasks.exe
1756	schtasks.exe
2104	schtasks.exe
1908	schtasks.exe
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ProviderreviewDriver.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exe

pid	Process
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
584	ProviderreviewDriver.exe
2924	powershell.exe
2824	powershell.exe
2848	powershell.exe
2692	powershell.exe
2916	powershell.exe
2872	powershell.exe
2612	powershell.exe
2748	powershell.exe
2808	powershell.exe
2640	powershell.exe
2628	powershell.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe
1036	lsm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

ProviderreviewDriver.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	pid	Process
Token: SeDebugPrivilege	584	ProviderreviewDriver.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1036	lsm.exe
Token: SeDebugPrivilege	2452	lsm.exe
Token: SeDebugPrivilege	2820	lsm.exe
Token: SeDebugPrivilege	2192	lsm.exe
Token: SeDebugPrivilege	556	lsm.exe
Token: SeDebugPrivilege	2480	lsm.exe
Token: SeDebugPrivilege	2952	lsm.exe
Token: SeDebugPrivilege	2308	lsm.exe
Token: SeDebugPrivilege	1992	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exeWScript.execmd.exeProviderreviewDriver.execmd.exelsm.exeWScript.exelsm.exe

description	pid	Process	procid_target
PID 1688 wrote to memory of 2528	1688	5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe	30
PID 1688 wrote to memory of 2528	1688	5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe	30
PID 1688 wrote to memory of 2528	1688	5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe	30
PID 1688 wrote to memory of 2528	1688	5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe	30
PID 2528 wrote to memory of 1268	2528	WScript.exe	31
PID 2528 wrote to memory of 1268	2528	WScript.exe	31
PID 2528 wrote to memory of 1268	2528	WScript.exe	31
PID 2528 wrote to memory of 1268	2528	WScript.exe	31
PID 1268 wrote to memory of 584	1268	cmd.exe	33
PID 1268 wrote to memory of 584	1268	cmd.exe	33
PID 1268 wrote to memory of 584	1268	cmd.exe	33
PID 1268 wrote to memory of 584	1268	cmd.exe	33
PID 584 wrote to memory of 2808	584	ProviderreviewDriver.exe	66
PID 584 wrote to memory of 2808	584	ProviderreviewDriver.exe	66
PID 584 wrote to memory of 2808	584	ProviderreviewDriver.exe	66
PID 584 wrote to memory of 2824	584	ProviderreviewDriver.exe	67
PID 584 wrote to memory of 2824	584	ProviderreviewDriver.exe	67
PID 584 wrote to memory of 2824	584	ProviderreviewDriver.exe	67
PID 584 wrote to memory of 2872	584	ProviderreviewDriver.exe	68
PID 584 wrote to memory of 2872	584	ProviderreviewDriver.exe	68
PID 584 wrote to memory of 2872	584	ProviderreviewDriver.exe	68
PID 584 wrote to memory of 2916	584	ProviderreviewDriver.exe	69
PID 584 wrote to memory of 2916	584	ProviderreviewDriver.exe	69
PID 584 wrote to memory of 2916	584	ProviderreviewDriver.exe	69
PID 584 wrote to memory of 2748	584	ProviderreviewDriver.exe	70
PID 584 wrote to memory of 2748	584	ProviderreviewDriver.exe	70
PID 584 wrote to memory of 2748	584	ProviderreviewDriver.exe	70
PID 584 wrote to memory of 2612	584	ProviderreviewDriver.exe	73
PID 584 wrote to memory of 2612	584	ProviderreviewDriver.exe	73
PID 584 wrote to memory of 2612	584	ProviderreviewDriver.exe	73
PID 584 wrote to memory of 2924	584	ProviderreviewDriver.exe	74
PID 584 wrote to memory of 2924	584	ProviderreviewDriver.exe	74
PID 584 wrote to memory of 2924	584	ProviderreviewDriver.exe	74
PID 584 wrote to memory of 2640	584	ProviderreviewDriver.exe	76
PID 584 wrote to memory of 2640	584	ProviderreviewDriver.exe	76
PID 584 wrote to memory of 2640	584	ProviderreviewDriver.exe	76
PID 584 wrote to memory of 2692	584	ProviderreviewDriver.exe	77
PID 584 wrote to memory of 2692	584	ProviderreviewDriver.exe	77
PID 584 wrote to memory of 2692	584	ProviderreviewDriver.exe	77
PID 584 wrote to memory of 2848	584	ProviderreviewDriver.exe	78
PID 584 wrote to memory of 2848	584	ProviderreviewDriver.exe	78
PID 584 wrote to memory of 2848	584	ProviderreviewDriver.exe	78
PID 584 wrote to memory of 2628	584	ProviderreviewDriver.exe	79
PID 584 wrote to memory of 2628	584	ProviderreviewDriver.exe	79
PID 584 wrote to memory of 2628	584	ProviderreviewDriver.exe	79
PID 584 wrote to memory of 1200	584	ProviderreviewDriver.exe	88
PID 584 wrote to memory of 1200	584	ProviderreviewDriver.exe	88
PID 584 wrote to memory of 1200	584	ProviderreviewDriver.exe	88
PID 1200 wrote to memory of 2856	1200	cmd.exe	90
PID 1200 wrote to memory of 2856	1200	cmd.exe	90
PID 1200 wrote to memory of 2856	1200	cmd.exe	90
PID 1200 wrote to memory of 1036	1200	cmd.exe	91
PID 1200 wrote to memory of 1036	1200	cmd.exe	91
PID 1200 wrote to memory of 1036	1200	cmd.exe	91
PID 1036 wrote to memory of 1740	1036	lsm.exe	92
PID 1036 wrote to memory of 1740	1036	lsm.exe	92
PID 1036 wrote to memory of 1740	1036	lsm.exe	92
PID 1036 wrote to memory of 1228	1036	lsm.exe	93
PID 1036 wrote to memory of 1228	1036	lsm.exe	93
PID 1036 wrote to memory of 1228	1036	lsm.exe	93
PID 1740 wrote to memory of 2452	1740	WScript.exe	94
PID 1740 wrote to memory of 2452	1740	WScript.exe	94
PID 1740 wrote to memory of 2452	1740	WScript.exe	94
PID 2452 wrote to memory of 884	2452	lsm.exe	95

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

ProviderreviewDriver.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe
"C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeRefruntime\RO6jJbtsE.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\BridgeRefruntime\ProviderreviewDriver.exe
      "C:\BridgeRefruntime\ProviderreviewDriver.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\ProviderreviewDriver.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s8is5PFJRC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2856
      - C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b0be2a9-b3d5-452e-a82f-94d93c8b2d92.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3b39786-6efc-4a2c-b207-e371aa310b9a.vbs"
        9⤵
        
        PID:884
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d2b35f-071c-48ca-a82e-3f17a575286a.vbs"
        11⤵
        
        PID:2904
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70d38982-c7ab-4128-b2f9-353682613eed.vbs"
        13⤵
        
        PID:2440
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7759d204-12d7-44ff-84f6-68cfcc5b54b0.vbs"
        15⤵
        
        PID:2276
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fafdc288-2358-4f04-9909-2c8ea26480b4.vbs"
        17⤵
        
        PID:2564
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79965a9f-ef55-49e8-90da-838e7418613b.vbs"
        19⤵
        
        PID:2844
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dac63a8-caab-45a1-9399-8faa990ab072.vbs"
        21⤵
        
        PID:1540
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56eeea80-6255-46b4-90b6-d4829162300c.vbs"
        23⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d04158e4-0550-4697-a2cf-422787b7b265.vbs"
        23⤵
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a30f3c16-c827-4ce9-b106-c6a3c3de53ca.vbs"
        21⤵
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33409196-ebbb-45cb-91ad-58d889402622.vbs"
        19⤵
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7de5b2f-2b45-4865-85b6-df8fb536f9fb.vbs"
        17⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6f9fb24-9154-42e0-9bf6-d810212fd0f0.vbs"
        15⤵
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66b615b-42ab-44c4-a93a-05d858b0593f.vbs"
        13⤵
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13892056-c8a0-4f89-9bb8-ffefaf4fee7f.vbs"
        11⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab2435d9-4aaf-4436-a156-e3fc4acea310.vbs"
        9⤵
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8917c31-01c6-48c0-aa0f-d3319b5faec3.vbs"
        7⤵
        
        PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\BridgeRefruntime\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\BridgeRefruntime\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\BridgeRefruntime\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\BridgeRefruntime\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\BridgeRefruntime\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\BridgeRefruntime\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat

Filesize
46B

MD5
b634ab06c0798f4284c2fcf23c1fc85a

SHA1
a312a6a8dbd3fdd70e9919ffaa1b777213cf2e93

SHA256
20d420d40ee7aadb457e5a8dba9d099fb66d4810675a985a26ebf36141d8e250

SHA512
ae801ea89737efecc5be1c580bad10c75ee9f31f2685473bbb5512b024c355c62a7d122db5042dbfb96add27041fd2601472c57b075424d12261302804b5733c

Download Submit
C:\BridgeRefruntime\RCXD70A.tmp

Filesize
2.9MB

MD5
00eb103a7953d93b6903d19cd5c61205

SHA1
dc87a3334b43e0cd0db2b28c6b25ad09906bef09

SHA256
399df3d2387e43428195b5718858a343d3a98147f0835bbd9dbaaeb9c767e3eb

SHA512
4e69afc4746abab0a8ce0b75ac61586a908cae952fb66ddd8e41b1cd7ce8074907363de0045a16ce0dc23ff29792863a9506c7a338367b88ab0ae384a9edd462

Download Submit
C:\BridgeRefruntime\RCXD778.tmp

Filesize
2.9MB

MD5
3292f0d230b018b1d0b23c437fe47df3

SHA1
71c7ee2590ad061dfc42a9b09b8c42a282cb18d0

SHA256
829cc6bd3ae5f5c204c5f9f6669a1121c6265265f1623b5e1a485f003ff55f48

SHA512
2ae7956948fa70c7d0ca547aeb1098a1ca70a9db6f667b30a02c32fab5e4a4ef3abcf00294bbe7b1fea3fce930645d696e8848e4487f066450badf207b801938

Download Submit
C:\BridgeRefruntime\RO6jJbtsE.vbe

Filesize
213B

MD5
1217656e699a8ae1e62ad9b7059e215a

SHA1
3e9710cc62fcaf451a305be0fe047dfadd631e45

SHA256
710eab849bf0c066cb136771f1d4dc72bc2b13598c209508db16a3770d54286f

SHA512
ae775b9f675455bbb78a879f38e72e500607a6a22168591a599a04337229316fdbdd0b496d69e97c423a4e917d9174e039e0e4f80b8bc94a7d5b3f99887d3f31

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
2.9MB

MD5
537929c7015a0ae8708677e543b8538e

SHA1
28a8e7de9d0590cf055f1dc41b5fefe594aa6d4e

SHA256
331e551608afbc46b2dfbea9c58a8afcaf5f7a00c22edf3ed96850b3701530dd

SHA512
11407afe03b20391b946cc54c8a0ec71a9d5b35ffb5d9e0804bff7fd10c2e9575d4860b5ff13d430885df69c33e0644e73bfe0cf7000f430aa1b79783b3831fe

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
2.9MB

MD5
b5d2193db71bf563dbd7bd10f145afee

SHA1
f39c11aa8e18b7f7cb95301094da1873ea4b80a6

SHA256
b6cd637601e5ed8607e5ca030e266299cc903f8e2d25bf280bf488453f02c8e8

SHA512
24715764be4b4ac4e4f794563a843663864d327268a1b2fc2f9e66da2ac0709bebba087d74f8bcadf4c3003a31f2830ac3f47a59c4f8fac181540d566cc3d17d

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\RCXCC97.tmp

Filesize
2.9MB

MD5
ecb8a56fde8d50c2fe56a26c033b8a39

SHA1
dd3f7bc75f354915ca4f71b9f2d581b0d8dc9896

SHA256
47d4a340d406fb9c8de309a6457493ea3b4249f7bf3fc21618697466e08e5188

SHA512
5c8ce67ffc7ed3a5e66259a3ae3ed35d4666e75131b4955b002bc96ff92cea6bf939641f7680e44f0edb136bdf2fe788a616cc74e1cf930fb773060ecce72bb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9088e46d02b08757f70545d03c10823c

SHA1
65d0d0983085ed7a64b27c8d6c6240335aa0335a

SHA256
b92925b1440ed94be74fe74b401e381c47b6d7997a3cc8262937c95442b02c2f

SHA512
2fb0ba8cc01a1e3e1598d2e2fa3edc7c0353c48acf71b72cb5ca261b0973ea5cc513855819abbe6d15e5b63c02f59fc07d6412cd4959e029d3a958076961d9b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84f78ba757c576bd1c0f0d0a189b75a5

SHA1
00d2e618bf8c5d2b4088c149f0b738f003d08f6a

SHA256
0d9d35c20fe277c62a0f4f9601d67e08d7a956da92b6949d6cb766f0ede60a56

SHA512
7c8d251a0dca0af9ab6bc456c8ce3d4ed23bb1f0c867498ba47f7ddeb39cc95a8f1bbf43f6b1fd4ec1d562ed484f03de5269fc7f4133a6faca0891b1c39afc03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
706eebe259bf4c637d190645b97a0a51

SHA1
51a470bc469ba0c4c826422b85e4f4794cd08b0e

SHA256
7d2d4167a3edbc2707d2bc4db2d8233b695147aa623800c2bf0ba8b165382137

SHA512
b872cd3a40ba00431faf5f11d224ec1d4683ad48742378fc206e2d371284067a57c6144e6b6c4560908aae8ef4d4c580a0e0f9aa46e2370389cb05473c8e5c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc7d19123ae909771a823d4ab765b492

SHA1
1704378cda52a7646861dcf531d28f699cbb7d3b

SHA256
78c9d14a90dd3ce06c4490e0e29e2ab517e5a952819338b8ddd55243387ccb27

SHA512
5d3bc4e82cd21753f1c26c7d9b70c83e7046d95c0249af932fe464d4b1bd624101af850dad5508106087f08f4d51e8140580332f06a2c5d7376848b433dee00d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35ab9b4e1b4c448470ed36f192360a17

SHA1
209e8c8734a2186484c74b20bdc621633ce76cb4

SHA256
bc9854eeaa1a605bfaf17c6bb88fcf58a9e2526dcb6e85f2cf8567d1dfe89522

SHA512
095ee0fa681658adb3c6fc0b0b3ed656be765071cb8029ce78035f7bca693034693c4917b24b0f550ba015280db07644c4a0063bb6850dac4c0d08e55ace7879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d2646b48b5c4bf86fb1c8fe5b5d2eaf

SHA1
ba529fa21f4341da99ff103b3b0eed5ab8a1d564

SHA256
d1edca207e95d571e753d7bddfb2b28173b92af89c6e29f3fee576deff97a556

SHA512
f0f4289e42cd5cc9d49b5a18d273abf832ce2e3cb291a6db8d2f3157583b7850482c74bfce042b4476e9675edb1ae594046ffc8ec29262eb45474d146a38d248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
360732357b1352f912809a2316f18c0b

SHA1
82934f5fb537f275376fc173e82407ace0d4b8b2

SHA256
e516d94187d86c8f79d7b1b167995abbb70e9a688d67d60e8857e3018544c736

SHA512
31179f4738a07789bb7062078fdb434224dbcdf7ca4d8bc95c4af4f63549fc5956bbd3757d30c61ff29951b19ca2e476fc229f414302dadced242b76ed993626

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dac63a8-caab-45a1-9399-8faa990ab072.vbs

Filesize
712B

MD5
39633776a884f132029ec63caae1f243

SHA1
2e8659e6359f71ad972202819c41ac19e4e7703c

SHA256
6936ca2a7cffdaacab455dfb2d261552d3d6b6ac12bf2c5a26f3c1b6260eac5c

SHA512
de863d366157bb439dce64e9ab62fc43467eed2c0dd270f24d786d7124ea7247779d313804b6f99db42238ca74ef466a06a552309aa7f74973ecaca0c074361b

Download Submit
C:\Users\Admin\AppData\Local\Temp\46d2b35f-071c-48ca-a82e-3f17a575286a.vbs

Filesize
712B

MD5
e28fb94c8e827d842f3e33e3529d7c41

SHA1
0cb4a6d21d6660f0df7b1f338592f2a88bf9bd97

SHA256
f544f44bab073e9237555ead77a05a8fdd9f22fecdd8044e4a81ddc320431e8e

SHA512
79d9689155cf1f17a4c593f86c595631e81644a02cc67d6fe5b0ced4e1dec26890eb3f9b1b4cdda6a51ce449959319ecd325ef638225c5f0491413fc56d6b658

Download Submit
C:\Users\Admin\AppData\Local\Temp\56eeea80-6255-46b4-90b6-d4829162300c.vbs

Filesize
712B

MD5
7631efd618ea1b8f424015c0605455be

SHA1
2ebed22c9c640435e6b1d7e2948fcfc523938c49

SHA256
c414dfb04a427609cf21f3ab9cd05343c48ecffcf214adae48da09b82eb89be1

SHA512
491a1c2d90e27155908861c59a8d7dc1beffd0c671db17e7e61d0884b53bd6575b78c58a7f2e9ed33c9f59a4637a740a51535b1fb1723b48b012b00c0bbb471b

Download Submit
C:\Users\Admin\AppData\Local\Temp\70d38982-c7ab-4128-b2f9-353682613eed.vbs

Filesize
712B

MD5
ad9d6ee05fa2043620cbaa0c6caf5e1a

SHA1
7488faa756ad194bd23415080a7eaaae54388c33

SHA256
33f6c7d3dafd6c1e4c96df86949dd3d1f5254eab34025aa1777f162c4d17a2af

SHA512
0f2ee1a19298d6c2c589a64d32e6f4a3247f3adc737dfe7fcfe8f470a1d3a4264efe06a890d36c16fb6f009a80afab2f92b05ec7c3c0bde0e4cf91b9f02b92d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7759d204-12d7-44ff-84f6-68cfcc5b54b0.vbs

Filesize
711B

MD5
d18f53d361f132985c28009be5f28aba

SHA1
3f9960d5dedd5e3a66cd763c8758a1ea45deb80e

SHA256
55446ea99467cd190d403439844d086cc70a4856677eec6e6cf409641ed49bcd

SHA512
5f2de33f168be4e6687c35bd763bcc8cc1116a1ef7ace2401abf136c5f75a042d42ebee38d92ad58953907a5f3a03ad280509010fd8737fc1699fce3a277232e

Download Submit
C:\Users\Admin\AppData\Local\Temp\79965a9f-ef55-49e8-90da-838e7418613b.vbs

Filesize
712B

MD5
e01f19e7663cd1a3b08886cee654237a

SHA1
df225f09afcf46aac3aa282ae42db3c2773aaff0

SHA256
4bf1b903754aa9cb25d70a3213ad1036c18de305c6727b06d4f2857148d5d775

SHA512
8ebe32f2b08821355ab293e214a0f4314b4bbd228e237aadf63d7032bbb45c68d54b20d1a7545e740f0e89f436c431713f36b09b41f56e8f631e2e9cc3401613

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b0be2a9-b3d5-452e-a82f-94d93c8b2d92.vbs

Filesize
712B

MD5
51f89eb5f695bf0c6b1b2842dd53a8f1

SHA1
11a0eb7befe464c0a652775638d1aede291a8bae

SHA256
6304380c0636897b99f214caef6db6512da0bc3681343aad683246dc35a8b807

SHA512
f4cea8df0596cec1f7f2556f84ba80975c4f83c24e6ec50e7b91193588d57db7c66e8a3805682f8b37ab877b19f19efb0788664087d9f0754e2c7ba250259f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2D88.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DAA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3b39786-6efc-4a2c-b207-e371aa310b9a.vbs

Filesize
712B

MD5
c6baf936c9bf4e7786c86e7fc3c5f7b6

SHA1
cefcd4f9e0e998e774bdf7bddc6cbecdfab023cd

SHA256
357e0a4f3194544f092f887fe7ad04a6aebd6ab8c1c521bffcab9a5ec2e2e375

SHA512
cbceeae8bb8c31d50ffabc4192fa9b1ffc6c91226f18ae08f5346657867ed88565b81b8459883d73bcf6c796acc967a6f7ec7e793a0c8c5e2b3f5429f05eb8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8917c31-01c6-48c0-aa0f-d3319b5faec3.vbs

Filesize
488B

MD5
98cefe3de80ee7c63656d17b11f18cea

SHA1
dc8888d492199100120c1f7e4e1410a36ef5fa31

SHA256
0075927d71d76f67a319caf6541a5e47277aeea69bafdc53f84cd9ea1f0a286f

SHA512
ce8a17d18538d24e5f11a3ab6a4c1ef3b61af39bcbed8609ae847b73697029a2394a03a5470bc6242c48e7e130f58a2906f5b2ed06f6ec372544716b06df1ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fafdc288-2358-4f04-9909-2c8ea26480b4.vbs

Filesize
712B

MD5
eec7608fc19598658397f3f3ff04ee9a

SHA1
454b67460280aa3ace02bfb9ba1f07024a5f655a

SHA256
1dd5de8d9953cf9cdcd158a7aa5e1deed8c7a30e4f0ee04a85ec8411d0529532

SHA512
18cf532ca9ea3b261bd1a06251021958ca2504c24c748536695256672b7fcc52654968a4370adc83dca67a085a4f230f5a3b550e99f389c96c395a8531dfb8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\s8is5PFJRC.bat

Filesize
201B

MD5
db1b0cf298f404b94211a8058cea683c

SHA1
72202e9c01048f02937fb5a96cb74706e8f8783f

SHA256
c82870d88b91ffeb6ea10264f2d7c97f8a71bd40b936ec7778d5733e8bb64d7d

SHA512
9ec97646af2d4b5e65767daa82ebb9f338e552e26c31a067270a438c6155b3fae1ab4005dae2ba9188ce4c19a4fba9b084dd29a6f37e0bc6698edf6d999b4138

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f8b7521f51607c4210cdadcbcf536caa

SHA1
22e58296422b436fcf1e396f43b3116f999d35f3

SHA256
e29fca3dddcf6b9dec019a641027a0246bce4cd53b87c370db15b83804c73cd6

SHA512
8920d95aea75b2e6ac2bdb6bd893f110967238e8e02bd79839c715b62012a2e26c44f4a3c596752639595a5818ae264969925d9336635f565c959d6b0192b926

Download Submit
\BridgeRefruntime\ProviderreviewDriver.exe

Filesize
2.9MB

MD5
15462778cb5d131fdbde43b845ca3385

SHA1
e11137a2d3643fa0569e57257f7b673b29f0ee86

SHA256
7082a4ae4749fc09c3b618986952c23aa6db2ee906da896b9a517685e56b8572

SHA512
1f58961f5367153539c8039e8cfafd1f74bcf09550912326d1274ec5b91ff578c0126c4f36c1916384364c74ed2a4b97013a4e6ff6b25567822eac8dabfcde6b

Download Submit
memory/556-709-0x0000000000380000-0x0000000000672000-memory.dmp

Filesize
2.9MB

Download
memory/584-26-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/584-25-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/584-36-0x000000001AA20000-0x000000001AA2A000-memory.dmp

Filesize
40KB

Download
memory/584-35-0x000000001AA10000-0x000000001AA18000-memory.dmp

Filesize
32KB

Download
memory/584-13-0x0000000000AA0000-0x0000000000D92000-memory.dmp

Filesize
2.9MB

Download
memory/584-14-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/584-34-0x000000001AA00000-0x000000001AA0C000-memory.dmp

Filesize
48KB

Download
memory/584-15-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/584-33-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/584-31-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/584-32-0x00000000022F0000-0x00000000022FE000-memory.dmp

Filesize
56KB

Download
memory/584-30-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/584-16-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/584-29-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/584-28-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/584-17-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/584-27-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/584-37-0x000000001AA30000-0x000000001AA3C000-memory.dmp

Filesize
48KB

Download
memory/584-19-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/584-18-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/584-24-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/584-23-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/584-22-0x00000000022A0000-0x00000000022F6000-memory.dmp

Filesize
344KB

Download
memory/584-21-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/584-20-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1036-234-0x00000000001C0000-0x00000000004B2000-memory.dmp

Filesize
2.9MB

Download
memory/2192-590-0x00000000021A0000-0x00000000021F6000-memory.dmp

Filesize
344KB

Download
memory/2192-589-0x00000000001E0000-0x00000000004D2000-memory.dmp

Filesize
2.9MB

Download
memory/2308-1066-0x0000000001220000-0x0000000001512000-memory.dmp

Filesize
2.9MB

Download
memory/2452-351-0x0000000000140000-0x0000000000432000-memory.dmp

Filesize
2.9MB

Download
memory/2480-828-0x0000000000EA0000-0x0000000001192000-memory.dmp

Filesize
2.9MB

Download
memory/2820-470-0x0000000000F80000-0x0000000001272000-memory.dmp

Filesize
2.9MB

Download
memory/2824-195-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2924-194-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2952-947-0x0000000000FE0000-0x00000000012D2000-memory.dmp

Filesize
2.9MB

Download