dcrat | ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb2c82a6695709d9304734b55a6a350.exe
Size

1.1MB
MD5

feb2c82a6695709d9304734b55a6a350
SHA1

3554b395961de66e5d84c1fc0ba527a0c205d965
SHA256

56d979b2ce2e20c7cb13c3cf49ec8c462f311fe38f2b75e80a4e90dee425c844
SHA512

952f21c0c48c66e5a17c4cd757d107de6d45fff4b2e0e8506e29910287b9888e8f8f5344edda596393d23d300c3048a60b6ae94386daf1acbf4c8032612ac2db
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Kno8F82\\feb2c82a6695709d9304734b55a6a350.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052321-0\\feb2c82a6695709d9304734b55a6a350.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Kno8F82\\feb2c82a6695709d9304734b55a6a350.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052321-0\\feb2c82a6695709d9304734b55a6a350.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Idle.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Kno8F82\\feb2c82a6695709d9304734b55a6a350.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052321-0\\feb2c82a6695709d9304734b55a6a350.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Idle.exe\", \"C:\\Windows\\System32\\mfc120esn\\wininit.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Kno8F82\\feb2c82a6695709d9304734b55a6a350.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052321-0\\feb2c82a6695709d9304734b55a6a350.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Idle.exe\", \"C:\\Windows\\System32\\mfc120esn\\wininit.exe\", \"C:\\Documents and Settings\\winlogon.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Kno8F82\\feb2c82a6695709d9304734b55a6a350.exe\""	feb2c82a6695709d9304734b55a6a350.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2500	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2500	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2500	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2500	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2500	schtasks.exe	31

UAC bypass 3 TTPs 45 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
1668	powershell.exe
1824	powershell.exe
1724	powershell.exe
2944	powershell.exe
1828	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	feb2c82a6695709d9304734b55a6a350.exe

Executes dropped EXE 14 IoCs

pid	Process
892	Idle.exe
2376	Idle.exe
2676	Idle.exe
2996	Idle.exe
3032	Idle.exe
612	Idle.exe
992	Idle.exe
2384	Idle.exe
1992	Idle.exe
2192	Idle.exe
1036	Idle.exe
1292	Idle.exe
2928	Idle.exe
2096	Idle.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\feb2c82a6695709d9304734b55a6a350 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Kno8F82\\feb2c82a6695709d9304734b55a6a350.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feb2c82a6695709d9304734b55a6a350 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Kno8F82\\feb2c82a6695709d9304734b55a6a350.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Idle.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\feb2c82a6695709d9304734b55a6a350 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052321-0\\feb2c82a6695709d9304734b55a6a350.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feb2c82a6695709d9304734b55a6a350 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052321-0\\feb2c82a6695709d9304734b55a6a350.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Idle.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\mfc120esn\\wininit.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\mfc120esn\\wininit.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\""	feb2c82a6695709d9304734b55a6a350.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	feb2c82a6695709d9304734b55a6a350.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\mfc120esn\wininit.exe	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\mfc120esn\wininit.exe	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\mfc120esn\56085415360792	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Windows\System32\mfc120esn\RCXD608.tmp	feb2c82a6695709d9304734b55a6a350.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6ccacd8608530f	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXD404.tmp	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe	feb2c82a6695709d9304734b55a6a350.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2816	schtasks.exe
2884	schtasks.exe
2896	schtasks.exe
2252	schtasks.exe
1536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
2516	feb2c82a6695709d9304734b55a6a350.exe
1724	powershell.exe
1668	powershell.exe
2944	powershell.exe
1824	powershell.exe
1828	powershell.exe
2124	powershell.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe
892	Idle.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	feb2c82a6695709d9304734b55a6a350.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	892	Idle.exe
Token: SeDebugPrivilege	2376	Idle.exe
Token: SeDebugPrivilege	2676	Idle.exe
Token: SeDebugPrivilege	2996	Idle.exe
Token: SeDebugPrivilege	3032	Idle.exe
Token: SeDebugPrivilege	612	Idle.exe
Token: SeDebugPrivilege	992	Idle.exe
Token: SeDebugPrivilege	2384	Idle.exe
Token: SeDebugPrivilege	1992	Idle.exe
Token: SeDebugPrivilege	2192	Idle.exe
Token: SeDebugPrivilege	1036	Idle.exe
Token: SeDebugPrivilege	1292	Idle.exe
Token: SeDebugPrivilege	2928	Idle.exe
Token: SeDebugPrivilege	2096	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2944	2516	feb2c82a6695709d9304734b55a6a350.exe	37
PID 2516 wrote to memory of 2944	2516	feb2c82a6695709d9304734b55a6a350.exe	37
PID 2516 wrote to memory of 2944	2516	feb2c82a6695709d9304734b55a6a350.exe	37
PID 2516 wrote to memory of 1724	2516	feb2c82a6695709d9304734b55a6a350.exe	38
PID 2516 wrote to memory of 1724	2516	feb2c82a6695709d9304734b55a6a350.exe	38
PID 2516 wrote to memory of 1724	2516	feb2c82a6695709d9304734b55a6a350.exe	38
PID 2516 wrote to memory of 1824	2516	feb2c82a6695709d9304734b55a6a350.exe	39
PID 2516 wrote to memory of 1824	2516	feb2c82a6695709d9304734b55a6a350.exe	39
PID 2516 wrote to memory of 1824	2516	feb2c82a6695709d9304734b55a6a350.exe	39
PID 2516 wrote to memory of 1668	2516	feb2c82a6695709d9304734b55a6a350.exe	41
PID 2516 wrote to memory of 1668	2516	feb2c82a6695709d9304734b55a6a350.exe	41
PID 2516 wrote to memory of 1668	2516	feb2c82a6695709d9304734b55a6a350.exe	41
PID 2516 wrote to memory of 2124	2516	feb2c82a6695709d9304734b55a6a350.exe	43
PID 2516 wrote to memory of 2124	2516	feb2c82a6695709d9304734b55a6a350.exe	43
PID 2516 wrote to memory of 2124	2516	feb2c82a6695709d9304734b55a6a350.exe	43
PID 2516 wrote to memory of 1828	2516	feb2c82a6695709d9304734b55a6a350.exe	45
PID 2516 wrote to memory of 1828	2516	feb2c82a6695709d9304734b55a6a350.exe	45
PID 2516 wrote to memory of 1828	2516	feb2c82a6695709d9304734b55a6a350.exe	45
PID 2516 wrote to memory of 1112	2516	feb2c82a6695709d9304734b55a6a350.exe	49
PID 2516 wrote to memory of 1112	2516	feb2c82a6695709d9304734b55a6a350.exe	49
PID 2516 wrote to memory of 1112	2516	feb2c82a6695709d9304734b55a6a350.exe	49
PID 1112 wrote to memory of 1012	1112	cmd.exe	51
PID 1112 wrote to memory of 1012	1112	cmd.exe	51
PID 1112 wrote to memory of 1012	1112	cmd.exe	51
PID 1112 wrote to memory of 892	1112	cmd.exe	52
PID 1112 wrote to memory of 892	1112	cmd.exe	52
PID 1112 wrote to memory of 892	1112	cmd.exe	52
PID 892 wrote to memory of 2276	892	Idle.exe	53
PID 892 wrote to memory of 2276	892	Idle.exe	53
PID 892 wrote to memory of 2276	892	Idle.exe	53
PID 892 wrote to memory of 2432	892	Idle.exe	54
PID 892 wrote to memory of 2432	892	Idle.exe	54
PID 892 wrote to memory of 2432	892	Idle.exe	54
PID 2276 wrote to memory of 2376	2276	WScript.exe	55
PID 2276 wrote to memory of 2376	2276	WScript.exe	55
PID 2276 wrote to memory of 2376	2276	WScript.exe	55
PID 2376 wrote to memory of 2704	2376	Idle.exe	56
PID 2376 wrote to memory of 2704	2376	Idle.exe	56
PID 2376 wrote to memory of 2704	2376	Idle.exe	56
PID 2376 wrote to memory of 3004	2376	Idle.exe	57
PID 2376 wrote to memory of 3004	2376	Idle.exe	57
PID 2376 wrote to memory of 3004	2376	Idle.exe	57
PID 2704 wrote to memory of 2676	2704	WScript.exe	58
PID 2704 wrote to memory of 2676	2704	WScript.exe	58
PID 2704 wrote to memory of 2676	2704	WScript.exe	58
PID 2676 wrote to memory of 2960	2676	Idle.exe	59
PID 2676 wrote to memory of 2960	2676	Idle.exe	59
PID 2676 wrote to memory of 2960	2676	Idle.exe	59
PID 2676 wrote to memory of 1924	2676	Idle.exe	60
PID 2676 wrote to memory of 1924	2676	Idle.exe	60
PID 2676 wrote to memory of 1924	2676	Idle.exe	60
PID 2960 wrote to memory of 2996	2960	WScript.exe	61
PID 2960 wrote to memory of 2996	2960	WScript.exe	61
PID 2960 wrote to memory of 2996	2960	WScript.exe	61
PID 2996 wrote to memory of 1360	2996	Idle.exe	62
PID 2996 wrote to memory of 1360	2996	Idle.exe	62
PID 2996 wrote to memory of 1360	2996	Idle.exe	62
PID 2996 wrote to memory of 1544	2996	Idle.exe	63
PID 2996 wrote to memory of 1544	2996	Idle.exe	63
PID 2996 wrote to memory of 1544	2996	Idle.exe	63
PID 1360 wrote to memory of 3032	1360	WScript.exe	64
PID 1360 wrote to memory of 3032	1360	WScript.exe	64
PID 1360 wrote to memory of 3032	1360	WScript.exe	64
PID 3032 wrote to memory of 2304	3032	Idle.exe	65

System policy modification 1 TTPs 45 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\feb2c82a6695709d9304734b55a6a350.exe
"C:\Users\Admin\AppData\Local\Temp\feb2c82a6695709d9304734b55a6a350.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\feb2c82a6695709d9304734b55a6a350.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Kno8F82\feb2c82a6695709d9304734b55a6a350.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052321-0\feb2c82a6695709d9304734b55a6a350.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfc120esn\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\stvp1cndoH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1012
- - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
    "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:892
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75245ed6-de39-4801-8ada-adee519d0a70.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2376
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1de7c19-2e85-43d3-8a29-abed121bd5fa.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95f70807-923b-40db-88e2-96c773c8c69a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a342e53-8724-41d7-9b3b-8e5b9491cb19.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beca39d3-75fb-4e37-a2f3-b3e39a648e66.vbs"
        12⤵
        
        PID:2304
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b87c86c-ed94-4e48-87ac-274dde06ebc8.vbs"
        14⤵
        
        PID:876
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7785a87b-092a-4ae9-b586-307936554c57.vbs"
        16⤵
        
        PID:2684
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9836fd29-0e3a-4c6d-8a8c-fe81e6f765c1.vbs"
        18⤵
        
        PID:1720
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0589d81-30ec-4184-a554-d649a37a1e80.vbs"
        20⤵
        
        PID:2112
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feebd94b-7e7c-43f4-9f00-b744b90d7671.vbs"
        22⤵
        
        PID:1832
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d12a162e-6f69-4921-9487-1296723de63a.vbs"
        24⤵
        
        PID:1888
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55f19971-0515-4937-bb35-98b6435568bb.vbs"
        26⤵
        
        PID:496
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\575ef709-11b7-42fe-8a4a-4331d0f2a200.vbs"
        28⤵
        
        PID:2480
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
        29⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36a81997-10e6-405a-b0e9-ce609de7a6a1.vbs"
        30⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a93bc8f4-0afd-449a-a02f-0a1b73077434.vbs"
        30⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ecf3089-34da-4952-b6d6-91222d98f62e.vbs"
        28⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\304dcf20-e1a8-4ace-89d0-88a74dc24e75.vbs"
        26⤵
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\729b2a0c-a4f5-4969-88d1-b7e8168cf88f.vbs"
        24⤵
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78d48197-514f-4405-83fa-16cf906ef6a5.vbs"
        22⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b633e7d3-3873-4e0e-b0e2-227dc2e33058.vbs"
        20⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f323bbb-a4e1-4f6a-bed7-0329cfaf4f9f.vbs"
        18⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05f2944c-6a00-4bed-9501-d2742768dcd1.vbs"
        16⤵
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\507e2ced-db01-4400-9ff6-eaaa46e4056c.vbs"
        14⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d7a735d-3796-4ec8-bc5f-3bee458a4445.vbs"
        12⤵
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46ef9d6-5051-4d86-aa8d-950008e0a5b8.vbs"
        10⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14106b54-6da8-4002-b31d-02c444a762eb.vbs"
        8⤵
        
        PID:1924
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed791e9d-9d3c-4a0e-9494-4faec859fdab.vbs"
        6⤵
        
        PID:3004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e5ed268-f6a1-4821-a81b-78150ae6519e.vbs"
      4⤵
      PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "feb2c82a6695709d9304734b55a6a350" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Kno8F82\feb2c82a6695709d9304734b55a6a350.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "feb2c82a6695709d9304734b55a6a350" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052321-0\feb2c82a6695709d9304734b55a6a350.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\mfc120esn\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0b87c86c-ed94-4e48-87ac-274dde06ebc8.vbs

Filesize
751B

MD5
5bdcef2c5b997ae1d1737b828fbb3d5f

SHA1
bba76aa45b2e4dc198bc737c65dc69c954f0224d

SHA256
dbe4ac1f6dcaae4977f379b544a59b2ba9951665478507d40c060cfccb1a5c43

SHA512
3846dac96227a309ea8c283698a9270069e66b6a2c6f98ae69a7b5d5c30c7e691e48c78223da01214ce257b743fde3546a9ba7c9319cec3aae98601bec9561e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\36a81997-10e6-405a-b0e9-ce609de7a6a1.vbs

Filesize
752B

MD5
291881129d5dd4b6e2c84b4b34cdda96

SHA1
0da932a53cacf774bd3a00f350cfa213b23ea206

SHA256
0bb27a41cb0f911394d8e52b845da7b4ee9e9b9096ac2dce1eb7c8cd9fbca3ab

SHA512
d8a42cf9042bdb6540cab80b98f1af4b63b64bd4ad13c9d822a3faf0d367c23071ef31843cc2a6b3ff91750d2ac95d15070d634afdfb89d9d96dfae00c0056f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e5ed268-f6a1-4821-a81b-78150ae6519e.vbs

Filesize
528B

MD5
b9ce583cf63d4a859f84bf1ec25463c4

SHA1
78367cfb2bf25d147f56aced9153bc3775a31af7

SHA256
508c5cf6e6d81da9b86d4ba9f1c2fb460e872e8d2b21ef7838c886ce0f36492d

SHA512
8cb98bac608a337e808803e94624a5d8fabd443ba256e99ae4c89bea1e8f07f1e90daf610cc7f252d828c6325b6145f54359d44e67d81634975727a20cbd459b

Download Submit
C:\Users\Admin\AppData\Local\Temp\55f19971-0515-4937-bb35-98b6435568bb.vbs

Filesize
752B

MD5
359c1f09b6426c6f8c86833868409808

SHA1
d252fb050b84617c5220f5e9cbabf7136324140c

SHA256
76f63aa90eb43d3ce48941eaa0b73579771d2d1e07273585498c0b7a7a601354

SHA512
908d6293e8ffd4f9b1d335da6c14fd9e7f4dd8c625ecd609443aedfce4a630e61c316f39edde639bfadaf8ba6daa6dd42d021501bfa1753cd131e1acc130fd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\575ef709-11b7-42fe-8a4a-4331d0f2a200.vbs

Filesize
752B

MD5
0ce3060d6f18e10ee92760fb6a456a49

SHA1
e5adc6c15edf7d765aeaae81edff715d08edc675

SHA256
458e13708759eea7a532b928a783c3f3c193dc0939aad65eb011849def00bbdf

SHA512
12b83813c6700d11b4e3b871f8bd239f9a302ff20e907f0b5714291a5b96e3fde001c4999099cba6d7879119315e262d379d55124df9f98a62655c23730099d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a342e53-8724-41d7-9b3b-8e5b9491cb19.vbs

Filesize
752B

MD5
93154e0bcacec8c32988381a0b0016ed

SHA1
bf4554d422cd1a141db266b783c436ad47ddb21e

SHA256
aa08e0feb5b8b12cb2f338e7a62ac1d67df9b3472e9499bdd3dc95d4d079f962

SHA512
2ad43262bd8f06df6f4d394f6b92dc8c9fac2b47abae9ac4392220b7f27764825124e0afd5aaf49507db67401f82039abb6a025da56087118d97ff0125864df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\75245ed6-de39-4801-8ada-adee519d0a70.vbs

Filesize
751B

MD5
704c98f8d63d137b16f924deb791115b

SHA1
6095a69785606fd2adeeb235719820b51b513fe6

SHA256
1a9903b22ebd0e32d56ab925b05b2f726103fb8dff5a032d9e2188dd45f88ca6

SHA512
8fe740f78cce34b2b0c5cc227962c2892a96045ee221fc10d8d42ff392747064422c20f22bc2697ab459d5190197c921746c461f81af7b3dd4b57544e5e6e382

Download Submit
C:\Users\Admin\AppData\Local\Temp\7785a87b-092a-4ae9-b586-307936554c57.vbs

Filesize
751B

MD5
6481323daf45b726d06386693bcca8d6

SHA1
c08ff4ce66b377d920c959fcade0f86545c9e4dd

SHA256
106e3340ef3db9a9265c45b7c4198d85d0de1870a2b87a2cd60034c301827f65

SHA512
b12515315a03e62807015b9e5615681564510cb07aba43ac792c64caad910b6a76a1d41e6c440d4711274fcfaa7993d2e093ecb8176c1990097f3e6c1fae09cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\95f70807-923b-40db-88e2-96c773c8c69a.vbs

Filesize
752B

MD5
f9cecaff152984d77aecce8f044ae387

SHA1
6027afb886a3768a60c90ebfd30c41c00f292a31

SHA256
a5455635c9ba891eb6b17f599112c69fb0a3eb3a78e98f94fb2e1e60250bb974

SHA512
b44c304ec5c7a9542f710f903759172fc0bff05948e7c4980f6317369c4297a16ebb068a920a04d73306fd332da54b7c6fa891f0686f86e09216bd3dad00ab7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9836fd29-0e3a-4c6d-8a8c-fe81e6f765c1.vbs

Filesize
752B

MD5
5a562cc18d481f1d4dbae0725d990ba3

SHA1
4170e5c101f49b8acd185967ca8776303f7d489c

SHA256
8f752d114c821e1181cef06bf375022b03b9e378e722f49ca2f09206f53f2289

SHA512
2cd287114a559636fb5abb1c413a648a2633315db4f1c812ab8f918ad859a6ec04b33ef13866fef3636b71d2433fd11678741781f65cb1352fcd600461dc5594

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0589d81-30ec-4184-a554-d649a37a1e80.vbs

Filesize
752B

MD5
ca8d75ed861a0e38c464a4066ac94f07

SHA1
da8e5db0b59b6a8a0fc712da6a9467b322708fec

SHA256
5a3f22fa7bb5b7edd367b9222b3652f05fa885be32a412ea76b73b31998876bd

SHA512
3d0d615611920b3408522b655f54c4189b7ce40803f4ecec3ab18941fceb550e6ba774cabb5f0f72b0a3dc6dfac471291e760ba758fa8f56faa1f1c3de15318a

Download Submit
C:\Users\Admin\AppData\Local\Temp\beca39d3-75fb-4e37-a2f3-b3e39a648e66.vbs

Filesize
752B

MD5
9db324659924018797c252bfd1e20494

SHA1
d4b58982231800f34d4905265f02d45e06a288bd

SHA256
04818499a20e619f11702cf1c7ef9ae7b3a036b6e6c2d5206ca9b966a851442c

SHA512
f2a67e48a6aab941cb00e51679059663a5ea2fb81db41e12796a51fe24c8f38c8f9405dba5648fc8ed6909d06654dbcfd7e28cbb7f7ba0df2eec75cd74c77a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1de7c19-2e85-43d3-8a29-abed121bd5fa.vbs

Filesize
752B

MD5
3df3553e78d86eb336b7362513fdc79f

SHA1
fa709d6ac7aab26b09fc0bac5a7d126b39a45387

SHA256
24dc3afc16354dbd15cb71e450e4847aea90bcd7cb6172d3fc24ff4dbee476b3

SHA512
2bc629e70828c0d2145500c968bb70e8146fb96c2e2ba51c42e4b154465c9733064487b6f3ecbab0ed6e760ff05bd295fdf34994b5d3996c9c4d59a8978bd2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d12a162e-6f69-4921-9487-1296723de63a.vbs

Filesize
752B

MD5
18e5413d7f005f7446ff3e3bf03a31ec

SHA1
f99c86f26e557e56f1212d94bc9cb4fd68068cbe

SHA256
d748154ee7e81fd305c6c484e7d24951ef6d617adee4b7b7221ce47fb1caa372

SHA512
d64ee0a31b593ca3c8923985aff33808cfc583c83951a60f9debc684bcb1ce031a96bd355e04ea7fceb8f71ccd5af9c3b600384543c73d7a06d30ef2a819fe0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\feebd94b-7e7c-43f4-9f00-b744b90d7671.vbs

Filesize
752B

MD5
b37ae241ffa25d189b61e7f4a3cdf2b1

SHA1
82a73f2b9133c89da7cb442542735cdd7d668f8c

SHA256
15ad71498f5715150b128bbf805c96dc88706ff400238ede2725f89ced85a818

SHA512
b935d8ac119a14bce29481aafff5eafc32d083824e91a1b146d0a96cb187264a5287cd017ef81e38ec8ea073a1d2ddff875f7b260c31ce975d2cd25e5d5a70c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\stvp1cndoH.bat

Filesize
240B

MD5
bdfdf92fc10c066a219c62b31c72cede

SHA1
202199762bf933d459514e84c3ed15948a6bdec8

SHA256
838d7cecaaa347eae335c0bcfcbf92c3bae915bab1487da5a7552d7198852a12

SHA512
38ffcc0e9ff5bd9f6d071b585bd10dda7137bf28c2b4d09adb2e93f9de102822d7b1727fa7690027a4eeffb374080446fee1a10a508bf55ceab75ce604805397

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
997a22aa688eedbeb0bf99638c70aecc

SHA1
05a6993b41afb3c5f07fc94de25193b619fc4df7

SHA256
96b85848ab3be5dbf16414b3d609030d8320ddefac405d2965c757c95de1b411

SHA512
feca4c2be55a315a330ded383ce0c68e1f074acc31b1f699748d9f9922ede50e618c6d5f9ad20e007415176c8093a5c0fddf198e5f74a9aa9470c2823f26d8b4

Download Submit
C:\Users\winlogon.exe

Filesize
1.1MB

MD5
feb2c82a6695709d9304734b55a6a350

SHA1
3554b395961de66e5d84c1fc0ba527a0c205d965

SHA256
56d979b2ce2e20c7cb13c3cf49ec8c462f311fe38f2b75e80a4e90dee425c844

SHA512
952f21c0c48c66e5a17c4cd757d107de6d45fff4b2e0e8506e29910287b9888e8f8f5344edda596393d23d300c3048a60b6ae94386daf1acbf4c8032612ac2db

Download Submit
memory/612-171-0x00000000012F0000-0x0000000001404000-memory.dmp

Filesize
1.1MB

Download
memory/892-111-0x0000000000340000-0x0000000000454000-memory.dmp

Filesize
1.1MB

Download
memory/1668-106-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1724-108-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2096-264-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2096-263-0x0000000000EF0000-0x0000000001004000-memory.dmp

Filesize
1.1MB

Download
memory/2376-122-0x0000000000270000-0x0000000000384000-memory.dmp

Filesize
1.1MB

Download
memory/2384-194-0x0000000001310000-0x0000000001424000-memory.dmp

Filesize
1.1MB

Download
memory/2516-7-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2516-5-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2516-18-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/2516-0-0x000007FEF6313000-0x000007FEF6314000-memory.dmp

Filesize
4KB

Download
memory/2516-16-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2516-15-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/2516-76-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-14-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2516-1-0x0000000000ED0000-0x0000000000FE4000-memory.dmp

Filesize
1.1MB

Download
memory/2516-12-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2516-24-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-13-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/2516-20-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/2516-2-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-11-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2516-10-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/2516-8-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2516-9-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2516-43-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-4-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2516-6-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2516-21-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/2516-17-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2516-3-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2676-134-0x0000000001300000-0x0000000001414000-memory.dmp

Filesize
1.1MB

Download
memory/2928-250-0x0000000000050000-0x0000000000164000-memory.dmp

Filesize
1.1MB

Download
memory/2928-251-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2996-146-0x0000000000390000-0x00000000004A4000-memory.dmp

Filesize
1.1MB

Download
memory/3032-159-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/3032-158-0x0000000000910000-0x0000000000A24000-memory.dmp

Filesize
1.1MB

Download