dcrat | 91a5d06a6ddc1dbc0d573871082b21c0ef5d260987d760bff9b1d19966d0c32d

Resubmissions

13/01/2025, 04:14 UTC

250113-etqtlaxqfm 10

12/01/2025, 14:01 UTC

250112-rbjc1svmhs 10

Analysis

max time kernel
900s
max time network
895s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 04:14 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
Size

4.2MB
MD5

d49f9a9a6f4d5c60ae2c35aafe7d105a
SHA1

8a192f01c06d2b67437c8789bdf564864d11eefc
SHA256

91a5d06a6ddc1dbc0d573871082b21c0ef5d260987d760bff9b1d19966d0c32d
SHA512

fc90ac8848cbc7231bbe6d1c4e974f375d5af137a157d2553e516059270748f5162c1ea51f282850d4572eef6956fc8e6e9cead1a105286c712251ff43d1a440
SSDEEP

98304:hbE+vSZLE4Cj/L7gHNchtcv4zTk24eDeRRXcaiJ:hw+KL6fwscQTk24eWRXhY

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2020	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2020	schtasks.exe	88

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023ce2-11.dat	dcrat
behavioral2/memory/4844-13-0x0000000000310000-0x00000000006C4000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ComProviderreview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 18 IoCs

pid	Process
4844	ComProviderreview.exe
3140	services.exe
5020	services.exe
2272	services.exe
1504	services.exe
3788	services.exe
5084	services.exe
3216	services.exe
2904	services.exe
2124	services.exe
1732	services.exe
1548	ComProviderreview.exe
5000	services.exe
2128	services.exe
2828	RuntimeBroker.exe
4588	services.exe
2136	services.exe
1004	services.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ComProviderreview.exe	ComProviderreview.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ce5be687612851	ComProviderreview.exe
File created	C:\Program Files (x86)\Windows Portable Devices\services.exe	ComProviderreview.exe
File created	C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc	ComProviderreview.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe	ComProviderreview.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\c5b4cb5e9653cc	ComProviderreview.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IdentityCRL\INT\RuntimeBroker.exe	ComProviderreview.exe
File created	C:\Windows\IdentityCRL\INT\9e8d7a4ca61bd9	ComProviderreview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	ComProviderreview.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4996	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1004	schtasks.exe
1496	schtasks.exe
3316	schtasks.exe
1448	schtasks.exe
4740	schtasks.exe
2924	schtasks.exe
1980	schtasks.exe
1048	schtasks.exe
4132	schtasks.exe
2408	schtasks.exe
3252	schtasks.exe
4312	schtasks.exe
2960	schtasks.exe
3912	schtasks.exe
1052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4844	ComProviderreview.exe
4844	ComProviderreview.exe
4844	ComProviderreview.exe
3140	services.exe
5020	services.exe
2272	services.exe
1504	services.exe
3788	services.exe
5084	services.exe
3216	services.exe
2904	services.exe
2124	services.exe
1732	services.exe
5000	services.exe
2128	services.exe
2136	services.exe
1004	services.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	ComProviderreview.exe
Token: SeDebugPrivilege	3140	services.exe
Token: SeDebugPrivilege	5020	services.exe
Token: SeDebugPrivilege	2272	services.exe
Token: SeDebugPrivilege	1504	services.exe
Token: SeDebugPrivilege	3788	services.exe
Token: SeDebugPrivilege	5084	services.exe
Token: SeDebugPrivilege	3216	services.exe
Token: SeDebugPrivilege	2904	services.exe
Token: SeDebugPrivilege	2124	services.exe
Token: SeDebugPrivilege	1732	services.exe
Token: SeDebugPrivilege	1548	ComProviderreview.exe
Token: SeDebugPrivilege	5000	services.exe
Token: SeDebugPrivilege	2128	services.exe
Token: SeDebugPrivilege	2828	RuntimeBroker.exe
Token: SeDebugPrivilege	4588	services.exe
Token: SeDebugPrivilege	2136	services.exe
Token: SeDebugPrivilege	1004	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 3992	516	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	84
PID 516 wrote to memory of 3992	516	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	84
PID 516 wrote to memory of 3992	516	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	84
PID 3992 wrote to memory of 4644	3992	WScript.exe	85
PID 3992 wrote to memory of 4644	3992	WScript.exe	85
PID 3992 wrote to memory of 4644	3992	WScript.exe	85
PID 4644 wrote to memory of 4844	4644	cmd.exe	87
PID 4644 wrote to memory of 4844	4644	cmd.exe	87
PID 4844 wrote to memory of 2524	4844	ComProviderreview.exe	104
PID 4844 wrote to memory of 2524	4844	ComProviderreview.exe	104
PID 4644 wrote to memory of 4996	4644	cmd.exe	106
PID 4644 wrote to memory of 4996	4644	cmd.exe	106
PID 4644 wrote to memory of 4996	4644	cmd.exe	106
PID 2524 wrote to memory of 2976	2524	cmd.exe	107
PID 2524 wrote to memory of 2976	2524	cmd.exe	107
PID 2524 wrote to memory of 3140	2524	cmd.exe	111
PID 2524 wrote to memory of 3140	2524	cmd.exe	111
PID 3140 wrote to memory of 2160	3140	services.exe	113
PID 3140 wrote to memory of 2160	3140	services.exe	113
PID 3140 wrote to memory of 2096	3140	services.exe	114
PID 3140 wrote to memory of 2096	3140	services.exe	114
PID 2160 wrote to memory of 5020	2160	WScript.exe	119
PID 2160 wrote to memory of 5020	2160	WScript.exe	119
PID 5020 wrote to memory of 3248	5020	services.exe	120
PID 5020 wrote to memory of 3248	5020	services.exe	120
PID 5020 wrote to memory of 4804	5020	services.exe	121
PID 5020 wrote to memory of 4804	5020	services.exe	121
PID 3248 wrote to memory of 2272	3248	WScript.exe	122
PID 3248 wrote to memory of 2272	3248	WScript.exe	122
PID 2272 wrote to memory of 4888	2272	services.exe	123
PID 2272 wrote to memory of 4888	2272	services.exe	123
PID 2272 wrote to memory of 3428	2272	services.exe	124
PID 2272 wrote to memory of 3428	2272	services.exe	124
PID 4888 wrote to memory of 1504	4888	WScript.exe	125
PID 4888 wrote to memory of 1504	4888	WScript.exe	125
PID 1504 wrote to memory of 5016	1504	services.exe	126
PID 1504 wrote to memory of 5016	1504	services.exe	126
PID 1504 wrote to memory of 2276	1504	services.exe	127
PID 1504 wrote to memory of 2276	1504	services.exe	127
PID 5016 wrote to memory of 3788	5016	WScript.exe	128
PID 5016 wrote to memory of 3788	5016	WScript.exe	128
PID 3788 wrote to memory of 2336	3788	services.exe	129
PID 3788 wrote to memory of 2336	3788	services.exe	129
PID 3788 wrote to memory of 4312	3788	services.exe	130
PID 3788 wrote to memory of 4312	3788	services.exe	130
PID 2336 wrote to memory of 5084	2336	WScript.exe	131
PID 2336 wrote to memory of 5084	2336	WScript.exe	131
PID 5084 wrote to memory of 4800	5084	services.exe	132
PID 5084 wrote to memory of 4800	5084	services.exe	132
PID 5084 wrote to memory of 2548	5084	services.exe	133
PID 5084 wrote to memory of 2548	5084	services.exe	133
PID 4800 wrote to memory of 3216	4800	WScript.exe	134
PID 4800 wrote to memory of 3216	4800	WScript.exe	134
PID 3216 wrote to memory of 3004	3216	services.exe	135
PID 3216 wrote to memory of 3004	3216	services.exe	135
PID 3216 wrote to memory of 1088	3216	services.exe	136
PID 3216 wrote to memory of 1088	3216	services.exe	136
PID 3004 wrote to memory of 2904	3004	WScript.exe	137
PID 3004 wrote to memory of 2904	3004	WScript.exe	137
PID 2904 wrote to memory of 1016	2904	services.exe	138
PID 2904 wrote to memory of 1016	2904	services.exe	138
PID 2904 wrote to memory of 1932	2904	services.exe	139
PID 2904 wrote to memory of 1932	2904	services.exe	139
PID 1016 wrote to memory of 2124	1016	WScript.exe	140

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
C:\Users\Admin\AppData\Local\Temp\d49f9a9a6f4d5c60ae2c35aafe7d105a.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Bridgebrowserdriversession\8Q1TNfuIkORrb6IwpocDiochN.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Bridgebrowserdriversession\7RIlKJCBYDYjVU5Wl3rLZ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Bridgebrowserdriversession\ComProviderreview.exe
      "C:\Bridgebrowserdriversession\ComProviderreview.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rxc6Z07b4w.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2976
      - C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c57f3aa8-8d1d-4079-a55f-db4e3c7a2bc7.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37291806-4895-4ed2-ae18-c437a4a350fb.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ec9bb26-e0a4-400f-a0e1-fd42eee7ae66.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\701409e5-c60b-4f2d-9ff6-b074b6e4d4b8.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fec192c-9fd9-42e6-a5a9-bd55b6fe52c0.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7134004f-4a86-4eb1-8ac6-483caaea637c.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52520c5c-1e2f-4533-a42d-65b744f1da6a.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8283e63-e84f-42ff-8c9d-5cb0703a0e58.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ee5bd7-14b9-41ac-9a7e-408256f6523b.vbs"
        23⤵
        
        PID:3320
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15c023a7-4ba8-4992-bd38-a1d9274a2126.vbs"
        25⤵
        
        PID:3720
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb8ae8cd-a347-4d88-8696-f2b72c3de1bf.vbs"
        27⤵
        
        PID:212
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f190d1b-bd5a-44c5-a80f-b770ceb3cda1.vbs"
        29⤵
        
        PID:408
        
        C:\Program Files (x86)\Windows Portable Devices\services.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\services.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e25616c-76c0-4cc0-a5c8-688e934fea3f.vbs"
        29⤵
        
        PID:3944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddc70f03-8814-4386-9796-f0ac83bd36f3.vbs"
        27⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80eae688-23fe-4c73-b6ec-fc186c56e3bf.vbs"
        25⤵
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f8145f4-ccc6-4602-b8f4-7a8fc3268a99.vbs"
        23⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c886e9e-c491-4986-ac80-9e1c2b54fdd6.vbs"
        21⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b332e42d-28dc-4e62-9c8c-9cd8482f2b23.vbs"
        19⤵
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b00108a2-d9d7-479d-8f6e-e55330db2e73.vbs"
        17⤵
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c3ad79f-2bec-4722-b119-c40aa7a5c276.vbs"
        15⤵
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab03519f-1b4d-4f13-a2e5-e048a3675869.vbs"
        13⤵
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6aca3d1-a59d-4278-8103-b7b67ff3596d.vbs"
        11⤵
        
        PID:3428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c5411e5-a353-46c7-bdf8-646a9c64e4f6.vbs"
        9⤵
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a6029b3-dfcf-40f3-a528-a62f04cec8f2.vbs"
        7⤵
        
        PID:2096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComProviderreviewC" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ComProviderreview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComProviderreview" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ComProviderreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComProviderreviewC" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ComProviderreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\INT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ComProviderreview.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ComProviderreview.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\IdentityCRL\INT\RuntimeBroker.exe
C:\Windows\IdentityCRL\INT\RuntimeBroker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe
"C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2136
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\581f4070-c43c-4cc6-acfb-09a9900e9635.vbs"
  2⤵
  PID:744
- - C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe
    "C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66c245d4-f905-4c7d-96ac-c0e089285c70.vbs"
      4⤵
      PID:3048
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f01635ad-4ca8-4002-87ec-79fc8687bc5e.vbs"
      4⤵
      PID:4576
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56ed87fa-6cf5-45f1-b0fe-22c6ce5d1285.vbs"
  2⤵
  PID:4760

Network

DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

ca54823.tw1.ru

services.exe

Remote address:

8.8.8.8:53

Request

ca54823.tw1.ru

IN A

Response

ca54823.tw1.ru

IN A

94.198.223.74
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

40.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.134.221.88.in-addr.arpa

IN PTR

Response

40.134.221.88.in-addr.arpa

IN PTR

a88-221-134-40deploystaticakamaitechnologiescom
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

208.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.143.182.52.in-addr.arpa

IN PTR

Response
DNS

ca54823.tw1.ru

services.exe

Remote address:

8.8.8.8:53

Request

ca54823.tw1.ru

IN A

Response

ca54823.tw1.ru

IN A

94.198.223.74

94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

260 B
5
94.198.223.74:80

ca54823.tw1.ru

services.exe

208 B
4

8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

ca54823.tw1.ru

dns

services.exe

60 B
76 B
1
1

DNS Request

ca54823.tw1.ru

DNS Response

94.198.223.74
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

40.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

40.134.221.88.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

208.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

208.143.182.52.in-addr.arpa
8.8.8.8:53

ca54823.tw1.ru

dns

services.exe

60 B
76 B
1
1

DNS Request

ca54823.tw1.ru

DNS Response

94.198.223.74

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Bridgebrowserdriversession\7RIlKJCBYDYjVU5Wl3rLZ.bat

Filesize
165B

MD5
03feb686475df3981ff89eaf94c01678

SHA1
d03d6234af5825c397755fd67e32606bab6e7050

SHA256
38e603daba57e1db61b78fbca014e86b0273b43ec6a439d3c5b905679e949862

SHA512
5f277d8988d502373d1b6b723153dd6681f20cbde9d68165bd559a954f60406a1c06a0f583a52c568738becf843236f09b47d3500433bad7fe8363e58846659b

Download Submit
C:\Bridgebrowserdriversession\8Q1TNfuIkORrb6IwpocDiochN.vbe

Filesize
224B

MD5
1382f3e3f9f3a531c081f9216e1f3165

SHA1
63bb2176b3b553f2182fedc1b3e2bcdc33a4691b

SHA256
9f7893fd255de70e98053c1ce04106912a686d110b3ba1034c6690ba7870253d

SHA512
41ad75c7a21967f6463ae5b553088c82097f41aa0ba3ad19f0a65e25a1916e8dd2323e8b9e140170b55b025193d7d670a40b32b6b22ab83d0da4e058c11d9568

Download Submit
C:\Bridgebrowserdriversession\ComProviderreview.exe

Filesize
3.7MB

MD5
8ba0bad0eb7bd09fde9fe57a8c63c884

SHA1
45a00cb30db1dbf2d6548e1a37cb88a304f46649

SHA256
c050c1d626edf24ea41da7f4b74e20e39a3ae6a66f6a4bff685d6a1c308b600c

SHA512
1c3fa87086fb385d753c5ba49245ddba87a343795b049444d9f21d1cd29adc9dc545f5ef3f92c7d89b9b0289af557524fe88411fefadedcfcd94069845b95041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ComProviderreview.exe.log

Filesize
1KB

MD5
655010c15ea0ca05a6e5ddcd84986b98

SHA1
120bf7e516aeed462c07625fbfcdab5124ad05d3

SHA256
2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

SHA512
e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a6029b3-dfcf-40f3-a528-a62f04cec8f2.vbs

Filesize
512B

MD5
acad0c32d8f81547ffb4f6d136ce19be

SHA1
6ab943e31c4493c3e5573ecb2a8442ae82a48c82

SHA256
c60f5edaa88f9ae852bdcfd1ae506e4ddee16dc1384646af485089df60819f54

SHA512
c585310ee8a780bb2f0568b2a06831b9e150c2780536c177561f51850cedfd67a1645e4e331e08eb8c81920ecdd84869836d586f2f8e30a269e633f063a1f857

Download Submit
C:\Users\Admin\AppData\Local\Temp\15c023a7-4ba8-4992-bd38-a1d9274a2126.vbs

Filesize
736B

MD5
97fc3ea2348f7b1261c53fe36c2f89cb

SHA1
7cb4332e73948b615df76eb7f02f11ac921e5ccc

SHA256
a423efe92cedab4ecaa86dd54a779650d2e1d7ac0b54b660892f17c5502f862b

SHA512
5dea2c9aecef8fc8e52a948eb1252817d26f0c8a4819380f60c7c4a323cacf91ea1dec49707681326524530a12062f52b92d69f75da5bffe78e6759bd8a3c9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f190d1b-bd5a-44c5-a80f-b770ceb3cda1.vbs

Filesize
736B

MD5
2b6e00492c3fef8a39fc2262310883a4

SHA1
fdcaae8f895e73fb65df896cb43ef1a3772917b0

SHA256
c14820c10a8087cfb52752c13b80bc36390a5574bf28224ab2dfe6250aad0645

SHA512
2afac6430260dea721ee4885da210a85da43ae13936ce8196866c25cc56092616ca83489e79c91420c876cbe3547f04c7342debf95de4e5aea93871612169855

Download Submit
C:\Users\Admin\AppData\Local\Temp\37291806-4895-4ed2-ae18-c437a4a350fb.vbs

Filesize
736B

MD5
a9f9721d41fe44d70652bae40eeadbbb

SHA1
02bae1ff04780e0535d94d36f6446c49023562ee

SHA256
67400236cbc891cb002d5d5cf07dcc8aed15a64e1bbf5d15491719f69cb84134

SHA512
5ec1e59098321862d86ac58496a7f468179e9034de20bbe88dbda7382927a508177419cd5eb8b496641df7018702d1301f76fe41d5cfb8919dd4b72dc87ac02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\52520c5c-1e2f-4533-a42d-65b744f1da6a.vbs

Filesize
736B

MD5
3296f3a7913dd86868b67a788c5a377c

SHA1
00f8e56f8475d4d5eb905cd70082d74c00b39cd5

SHA256
da54e3604d7bf40853ffe196a4bbc24f15296bc2b90bdab01823240841a18833

SHA512
7ff64572a26622910c61aaaca03d75eea681a3ac9067ff95d95f25da8606f0d48ac3de2976f777cd0847b3cd9eab5283a8188f4adf318fbbb0116c12810a41fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\52ee5bd7-14b9-41ac-9a7e-408256f6523b.vbs

Filesize
736B

MD5
6f576a6496d83487022b4523ac6841ed

SHA1
723363e216808c45bd37e33bfd575e43efa51fed

SHA256
d31214291c0cc883c7d0a9419113c3b33094499fa76073dac9bb13c79fcb3c59

SHA512
4b6133c131e123543c90ed1d092db12cb98cbe550bbd2d11ea09f36f85790a836d86b4b0002db3308a40a61035f1fed033e06830e3cb2adca285b76c0c3f961d

Download Submit
C:\Users\Admin\AppData\Local\Temp\581f4070-c43c-4cc6-acfb-09a9900e9635.vbs

Filesize
731B

MD5
cc91a8b22e50a19febcce677cc8c97b7

SHA1
88545fc1c8076d84a0525af5ff453dbbcc99a3a8

SHA256
9fb49784029075841864309641a8cde5d5a1d9112b2372e6a7fb1f5020e165dc

SHA512
651119faa658e5f3cbe11662b10a7123e50a41237c2726e3db3432eecc75388f9f02c76750d84acef5d029976f2fc8dde2032887e2047d53f09814a46d743abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ec9bb26-e0a4-400f-a0e1-fd42eee7ae66.vbs

Filesize
736B

MD5
e7b76e866913d1d0a3b337e31e6dd8a6

SHA1
4907343beb730e32f49aab671818c6fc25a81394

SHA256
793d0a088adda3795c34299287edb839df026ae440dd9cad16c931886ce35bb6

SHA512
65cc861e1c3d55bdbbcb7ce4f0eb10119034a244c2d7529bfe94519d8c73b0eeb50018eac27f81b67a1bcc2438fef9f9221070679c253f2beec426c70ce90b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\701409e5-c60b-4f2d-9ff6-b074b6e4d4b8.vbs

Filesize
736B

MD5
acf261f3d1de881b6f2b8996dda399c1

SHA1
47eb88340a07ba7e2ed96aba87c0a93677d941fa

SHA256
f70f76c4c587d30875cecdab938a978b16089c93fdc0169a7c0fb3b106c86530

SHA512
643b7ecfc514ca9bee076fb21b03f92035186820b97e5021edeb4e25656a028a1c9d8553418f01165b0f304079bc6392d1a37c19ecc9149c639858e63d605c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7134004f-4a86-4eb1-8ac6-483caaea637c.vbs

Filesize
736B

MD5
969289d6ea95ce256c4dc319747dcf8e

SHA1
63dd773c26069fd5cda6a0314b0fd7ca9dd4357f

SHA256
916843d492c1843a09c3c16bc0f8621bff1a5747cd769e334622b72d7db1a300

SHA512
267657312b13662a1b64c2bae9e83c54a1bff08626b192b561953eabb97f155c4f47e38e7c34ee028b2dfac84cd29360d7432fdb0beb2918b32371648219cc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fec192c-9fd9-42e6-a5a9-bd55b6fe52c0.vbs

Filesize
736B

MD5
1c4be6d66098fb7e5c04bdd838008f71

SHA1
dc60dd31a0e30ef82fdd7c4f5c8c78e867b3282a

SHA256
14d66e2a9a4a0a9455f848ea3a288df4ed0755218a8843a4cda86128d44cbbd9

SHA512
2d182c204608da2e87a7230d9a24de465d1c33052e7f0c50362cda1906482a65f333ab71abdbcc5f70145b42d86bb5a1be82159b7eaa5a21dfe3baf9ad07fab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8283e63-e84f-42ff-8c9d-5cb0703a0e58.vbs

Filesize
736B

MD5
0c3038d5d3b1434a8667f85b1eaa7d57

SHA1
cdb1436879219674aa68ddb5e7aed5ca3dc2487c

SHA256
136c0accdc4745c339eb67e92a12b339305cc776a64e2634518c12c70d4786ec

SHA512
91b3346a63ab18b582de43b4775f09ead54dd1c916631bcea48e585c8fd33ab7a2cfec0f62954fb5599a50132acf6b71ab43319850a42746664319e7ee290412

Download Submit
C:\Users\Admin\AppData\Local\Temp\c57f3aa8-8d1d-4079-a55f-db4e3c7a2bc7.vbs

Filesize
736B

MD5
f21e1894021fbd453dbc4d41b9ab51c8

SHA1
e8c2a17bfdd2d6381d691ed0a566d298b4ab7530

SHA256
cc54698f367b0c051eec033d551389a57ab00d15e0525c35b22d1f83bb201a66

SHA512
6c22c73a2221710d6b228c90b443ee4ae149a4e123cb0af815f4429ddc8e7861c5c7c1769a84b2b253abba38f083f799ba011363902c3edb574160097dd52509

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb8ae8cd-a347-4d88-8696-f2b72c3de1bf.vbs

Filesize
736B

MD5
c974049589b6febbbc97e0fe6e8cc1b9

SHA1
a0148f6cca0e23e0a71119921891d76afc7c62dc

SHA256
9a9ca28fe004945866a783ee8b48a997832f44615ff65a27077647e9a7b80e3d

SHA512
2bd2fc63e6cdbf9e92e29c0aec5ff2d1ba23118530f703add258a546af12618390d7aca3bd8b74ab8756946ee2d4eebb494f47478d88c127702dc2afb5d5d2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f01635ad-4ca8-4002-87ec-79fc8687bc5e.vbs

Filesize
507B

MD5
4fb076e5db466ad9c1cf1d505c230c93

SHA1
ba46caed625226662d476e82d3eaedd3fd794556

SHA256
93a442dc694c0a7deceeadb18acef501c3ed509d2461e3f7ea579995d7c2a010

SHA512
2647964db34ba81dea0af2a500954e9d784ed6db91dc532288ff901db814430987128e32fb1fea47561a56edc62a3a489bc19f3f78a306b768bed884b2dddb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxc6Z07b4w.bat

Filesize
225B

MD5
588b36ad0349504f89ab58783e372bbe

SHA1
3d8e552697aede65d76b263eaeadedd348a748d5

SHA256
19e023087d1df320b2cba5d40ba5d4614b29ef40b88c311efc1eb29e215778fd

SHA512
6ee68fd75b2e2e0ad745eb0803902bf072a871737cb025f82e51bd454580fd6d87ac4b0d9c2cdb0228ee965ef5d14ac22e5960e9ea8f51172f32bf49ad821d27

Download Submit
memory/3140-53-0x000000001CDE0000-0x000000001CDF2000-memory.dmp

Filesize
72KB

Download
memory/4844-20-0x000000001B320000-0x000000001B376000-memory.dmp

Filesize
344KB

Download
memory/4844-25-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/4844-32-0x000000001BCC0000-0x000000001BCCA000-memory.dmp

Filesize
40KB

Download
memory/4844-31-0x000000001BCA0000-0x000000001BCAE000-memory.dmp

Filesize
56KB

Download
memory/4844-30-0x000000001BC90000-0x000000001BC98000-memory.dmp

Filesize
32KB

Download
memory/4844-29-0x000000001BC80000-0x000000001BC8E000-memory.dmp

Filesize
56KB

Download
memory/4844-28-0x000000001BC70000-0x000000001BC7A000-memory.dmp

Filesize
40KB

Download
memory/4844-12-0x00007FFC53503000-0x00007FFC53505000-memory.dmp

Filesize
8KB

Download
memory/4844-27-0x000000001BC60000-0x000000001BC68000-memory.dmp

Filesize
32KB

Download
memory/4844-26-0x000000001BC00000-0x000000001BC08000-memory.dmp

Filesize
32KB

Download
memory/4844-24-0x000000001B370000-0x000000001B378000-memory.dmp

Filesize
32KB

Download
memory/4844-33-0x000000001BCD0000-0x000000001BCDC000-memory.dmp

Filesize
48KB

Download
memory/4844-23-0x000000001C120000-0x000000001C648000-memory.dmp

Filesize
5.2MB

Download
memory/4844-22-0x0000000002AD0000-0x0000000002AE2000-memory.dmp

Filesize
72KB

Download
memory/4844-21-0x0000000002A70000-0x0000000002A7C000-memory.dmp

Filesize
48KB

Download
memory/4844-19-0x0000000002A60000-0x0000000002A6A000-memory.dmp

Filesize
40KB

Download
memory/4844-18-0x0000000002A40000-0x0000000002A56000-memory.dmp

Filesize
88KB

Download
memory/4844-17-0x0000000002A30000-0x0000000002A38000-memory.dmp

Filesize
32KB

Download
memory/4844-13-0x0000000000310000-0x00000000006C4000-memory.dmp

Filesize
3.7MB

Download
memory/4844-16-0x0000000002A80000-0x0000000002AD0000-memory.dmp

Filesize
320KB

Download
memory/4844-15-0x00000000028F0000-0x000000000290C000-memory.dmp

Filesize
112KB

Download
memory/4844-14-0x00000000028E0000-0x00000000028EE000-memory.dmp

Filesize
56KB

Download
memory/5000-169-0x000000001D100000-0x000000001D156000-memory.dmp

Filesize
344KB

Download
memory/5020-66-0x000000001C5A0000-0x000000001C5B2000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.