dcrat | 5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Size

3.2MB
MD5

1554ae8f1316eadf351b3e6f5e7fc9e6
SHA1

1fe722cd6f6e6739a2566c920931bc2f057ac55c
SHA256

5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23
SHA512

56bf054fa85f534a5b5896a21b4b511c564ffbb0a8b1685054c521d09a9122c848c5818d6518092d33da4c02b79dea6622ef7fd48ab22271522a9d7878a2883d
SSDEEP

49152:UbA30LfTBVuy0VtNUBslYt04P0GliFkO6Uo67iX0bCLuI9+E8Dt:Ub/7nL0jCB6q0goyUonuI998Dt

Score

10^/10

dcrat discovery evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2720	schtasks.exe	34

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exesppsvc.exeProviderreviewDriver.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0007000000019820-9.dat	dcrat
behavioral1/memory/2576-13-0x0000000000350000-0x0000000000642000-memory.dmp	dcrat
behavioral1/files/0x000500000001c864-95.dat	dcrat
behavioral1/files/0x000500000001c86c-110.dat	dcrat
behavioral1/files/0x000800000001a438-121.dat	dcrat
behavioral1/files/0x000600000001a479-201.dat	dcrat
behavioral1/files/0x000700000001a493-212.dat	dcrat
behavioral1/memory/2956-352-0x00000000011B0000-0x00000000014A2000-memory.dmp	dcrat
behavioral1/memory/1852-469-0x0000000000110000-0x0000000000402000-memory.dmp	dcrat
behavioral1/memory/1280-588-0x0000000001110000-0x0000000001402000-memory.dmp	dcrat
behavioral1/memory/756-1180-0x00000000011C0000-0x00000000014B2000-memory.dmp	dcrat
behavioral1/files/0x000800000001a438-1298.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2496	powershell.exe
2652	powershell.exe
2180	powershell.exe
1948	powershell.exe
320	powershell.exe
1460	powershell.exe
1504	powershell.exe
2560	powershell.exe
1072	powershell.exe
1032	powershell.exe
2296	powershell.exe
2516	powershell.exe
2976	powershell.exe
1900	powershell.exe
2112	powershell.exe
576	powershell.exe
2144	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

ProviderreviewDriver.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	Process
2576	ProviderreviewDriver.exe
2956	sppsvc.exe
1852	sppsvc.exe
1280	sppsvc.exe
2368	sppsvc.exe
2304	sppsvc.exe
2688	sppsvc.exe
2752	sppsvc.exe
756	sppsvc.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2816	cmd.exe
2816	cmd.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ProviderreviewDriver.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProviderreviewDriver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 30 IoCs

Processes:

ProviderreviewDriver.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\RCX24A3.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\explorer.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\services.exe	ProviderreviewDriver.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\6cb0b6c459d5d3	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Sidebar\Idle.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX2EB9.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\RCX24B3.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCX2968.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX2CA5.tmp	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\services.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\dwm.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Sidebar\Idle.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\ProviderreviewDriver.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCX30FD.tmp	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\886983d96e3d3e	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Sidebar\en-US\11468b80d01686	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Windows Sidebar\explorer.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX121E.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX2C18.tmp	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Windows Sidebar\7a0fd90576e088	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCX2A05.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX123E.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCX30EC.tmp	ProviderreviewDriver.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\dwm.exe	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Sidebar\en-US\ProviderreviewDriver.exe	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\c5b4cb5e9653cc	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Sidebar\6ccacd8608530f	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX2EC9.tmp	ProviderreviewDriver.exe

Drops file in Windows directory 5 IoCs

Processes:

ProviderreviewDriver.exe

description	ioc	Process
File created	C:\Windows\L2Schemas\dllhost.exe	ProviderreviewDriver.exe
File created	C:\Windows\L2Schemas\5940a34987c991	ProviderreviewDriver.exe
File opened for modification	C:\Windows\L2Schemas\RCX226F.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Windows\L2Schemas\RCX228F.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Windows\L2Schemas\dllhost.exe	ProviderreviewDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1554ae8f1316eadf351b3e6f5e7fc9e6.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1004	schtasks.exe
2440	schtasks.exe
2192	schtasks.exe
1796	schtasks.exe
1900	schtasks.exe
2288	schtasks.exe
1720	schtasks.exe
600	schtasks.exe
520	schtasks.exe
2688	schtasks.exe
2312	schtasks.exe
3056	schtasks.exe
1576	schtasks.exe
2144	schtasks.exe
1544	schtasks.exe
848	schtasks.exe
2128	schtasks.exe
1508	schtasks.exe
1036	schtasks.exe
2580	schtasks.exe
2352	schtasks.exe
1688	schtasks.exe
2172	schtasks.exe
1976	schtasks.exe
2504	schtasks.exe
1640	schtasks.exe
2324	schtasks.exe
1876	schtasks.exe
556	schtasks.exe
2208	schtasks.exe
788	schtasks.exe
1704	schtasks.exe
2824	schtasks.exe
2076	schtasks.exe
112	schtasks.exe
2396	schtasks.exe
928	schtasks.exe
2376	schtasks.exe
2420	schtasks.exe
1316	schtasks.exe
1612	schtasks.exe
2180	schtasks.exe
2064	schtasks.exe
1960	schtasks.exe
1536	schtasks.exe
2844	schtasks.exe
2976	schtasks.exe
1948	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.exe

pid	Process
2956	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ProviderreviewDriver.exe

pid	Process
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe
2576	ProviderreviewDriver.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

ProviderreviewDriver.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	pid	Process
Token: SeDebugPrivilege	2576	ProviderreviewDriver.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2956	sppsvc.exe
Token: SeDebugPrivilege	1852	sppsvc.exe
Token: SeDebugPrivilege	1280	sppsvc.exe
Token: SeDebugPrivilege	2368	sppsvc.exe
Token: SeDebugPrivilege	2304	sppsvc.exe
Token: SeDebugPrivilege	2688	sppsvc.exe
Token: SeDebugPrivilege	2752	sppsvc.exe
Token: SeDebugPrivilege	756	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1554ae8f1316eadf351b3e6f5e7fc9e6.exeWScript.execmd.exeProviderreviewDriver.exe

description	pid	Process	procid_target
PID 2116 wrote to memory of 2292	2116	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	30
PID 2116 wrote to memory of 2292	2116	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	30
PID 2116 wrote to memory of 2292	2116	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	30
PID 2116 wrote to memory of 2292	2116	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	30
PID 2292 wrote to memory of 2816	2292	WScript.exe	31
PID 2292 wrote to memory of 2816	2292	WScript.exe	31
PID 2292 wrote to memory of 2816	2292	WScript.exe	31
PID 2292 wrote to memory of 2816	2292	WScript.exe	31
PID 2816 wrote to memory of 2576	2816	cmd.exe	33
PID 2816 wrote to memory of 2576	2816	cmd.exe	33
PID 2816 wrote to memory of 2576	2816	cmd.exe	33
PID 2816 wrote to memory of 2576	2816	cmd.exe	33
PID 2576 wrote to memory of 2976	2576	ProviderreviewDriver.exe	83
PID 2576 wrote to memory of 2976	2576	ProviderreviewDriver.exe	83
PID 2576 wrote to memory of 2976	2576	ProviderreviewDriver.exe	83
PID 2576 wrote to memory of 2516	2576	ProviderreviewDriver.exe	84
PID 2576 wrote to memory of 2516	2576	ProviderreviewDriver.exe	84
PID 2576 wrote to memory of 2516	2576	ProviderreviewDriver.exe	84
PID 2576 wrote to memory of 2144	2576	ProviderreviewDriver.exe	85
PID 2576 wrote to memory of 2144	2576	ProviderreviewDriver.exe	85
PID 2576 wrote to memory of 2144	2576	ProviderreviewDriver.exe	85
PID 2576 wrote to memory of 576	2576	ProviderreviewDriver.exe	87
PID 2576 wrote to memory of 576	2576	ProviderreviewDriver.exe	87
PID 2576 wrote to memory of 576	2576	ProviderreviewDriver.exe	87
PID 2576 wrote to memory of 2296	2576	ProviderreviewDriver.exe	88
PID 2576 wrote to memory of 2296	2576	ProviderreviewDriver.exe	88
PID 2576 wrote to memory of 2296	2576	ProviderreviewDriver.exe	88
PID 2576 wrote to memory of 2180	2576	ProviderreviewDriver.exe	89
PID 2576 wrote to memory of 2180	2576	ProviderreviewDriver.exe	89
PID 2576 wrote to memory of 2180	2576	ProviderreviewDriver.exe	89
PID 2576 wrote to memory of 1504	2576	ProviderreviewDriver.exe	90
PID 2576 wrote to memory of 1504	2576	ProviderreviewDriver.exe	90
PID 2576 wrote to memory of 1504	2576	ProviderreviewDriver.exe	90
PID 2576 wrote to memory of 2112	2576	ProviderreviewDriver.exe	91
PID 2576 wrote to memory of 2112	2576	ProviderreviewDriver.exe	91
PID 2576 wrote to memory of 2112	2576	ProviderreviewDriver.exe	91
PID 2576 wrote to memory of 1032	2576	ProviderreviewDriver.exe	92
PID 2576 wrote to memory of 1032	2576	ProviderreviewDriver.exe	92
PID 2576 wrote to memory of 1032	2576	ProviderreviewDriver.exe	92
PID 2576 wrote to memory of 2652	2576	ProviderreviewDriver.exe	93
PID 2576 wrote to memory of 2652	2576	ProviderreviewDriver.exe	93
PID 2576 wrote to memory of 2652	2576	ProviderreviewDriver.exe	93
PID 2576 wrote to memory of 1072	2576	ProviderreviewDriver.exe	94
PID 2576 wrote to memory of 1072	2576	ProviderreviewDriver.exe	94
PID 2576 wrote to memory of 1072	2576	ProviderreviewDriver.exe	94
PID 2576 wrote to memory of 1900	2576	ProviderreviewDriver.exe	96
PID 2576 wrote to memory of 1900	2576	ProviderreviewDriver.exe	96
PID 2576 wrote to memory of 1900	2576	ProviderreviewDriver.exe	96
PID 2576 wrote to memory of 1460	2576	ProviderreviewDriver.exe	97
PID 2576 wrote to memory of 1460	2576	ProviderreviewDriver.exe	97
PID 2576 wrote to memory of 1460	2576	ProviderreviewDriver.exe	97
PID 2576 wrote to memory of 2560	2576	ProviderreviewDriver.exe	98
PID 2576 wrote to memory of 2560	2576	ProviderreviewDriver.exe	98
PID 2576 wrote to memory of 2560	2576	ProviderreviewDriver.exe	98
PID 2576 wrote to memory of 320	2576	ProviderreviewDriver.exe	100
PID 2576 wrote to memory of 320	2576	ProviderreviewDriver.exe	100
PID 2576 wrote to memory of 320	2576	ProviderreviewDriver.exe	100
PID 2576 wrote to memory of 1948	2576	ProviderreviewDriver.exe	101
PID 2576 wrote to memory of 1948	2576	ProviderreviewDriver.exe	101
PID 2576 wrote to memory of 1948	2576	ProviderreviewDriver.exe	101
PID 2576 wrote to memory of 2496	2576	ProviderreviewDriver.exe	104
PID 2576 wrote to memory of 2496	2576	ProviderreviewDriver.exe	104
PID 2576 wrote to memory of 2496	2576	ProviderreviewDriver.exe	104
PID 2576 wrote to memory of 456	2576	ProviderreviewDriver.exe	117

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

ProviderreviewDriver.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1554ae8f1316eadf351b3e6f5e7fc9e6.exe
"C:\Users\Admin\AppData\Local\Temp\1554ae8f1316eadf351b3e6f5e7fc9e6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeRefruntime\RO6jJbtsE.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\BridgeRefruntime\ProviderreviewDriver.exe
      "C:\BridgeRefruntime\ProviderreviewDriver.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\ProviderreviewDriver.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Purble Place\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\ProviderreviewDriver.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Network Sharing\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XVup0LT16q.bat"
        5⤵
        
        PID:456
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2540
      - C:\MSOCache\All Users\sppsvc.exe
        
        "C:\MSOCache\All Users\sppsvc.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f2450a2-429c-450d-a4df-f31f7f74022e.vbs"
        7⤵
        
        PID:1680
        
        C:\MSOCache\All Users\sppsvc.exe
        
        "C:\MSOCache\All Users\sppsvc.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e239dfdf-12eb-427c-a594-700b8e08cbf6.vbs"
        9⤵
        
        PID:2856
        
        C:\MSOCache\All Users\sppsvc.exe
        
        "C:\MSOCache\All Users\sppsvc.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5756891a-8a8d-45ce-8178-5ed84b42db38.vbs"
        11⤵
        
        PID:2616
        
        C:\MSOCache\All Users\sppsvc.exe
        
        "C:\MSOCache\All Users\sppsvc.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9236b467-9b7a-486e-9f5d-0c72a62b83df.vbs"
        13⤵
        
        PID:1844
        
        C:\MSOCache\All Users\sppsvc.exe
        
        "C:\MSOCache\All Users\sppsvc.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c6d9c61-ad1d-4faf-b41e-de3facad8183.vbs"
        15⤵
        
        PID:764
        
        C:\MSOCache\All Users\sppsvc.exe
        
        "C:\MSOCache\All Users\sppsvc.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dcdea1c-6676-4c35-8267-ca07871f6928.vbs"
        17⤵
        
        PID:1520
        
        C:\MSOCache\All Users\sppsvc.exe
        
        "C:\MSOCache\All Users\sppsvc.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5b91342-f1e7-4e9f-8c88-ad69f3152527.vbs"
        19⤵
        
        PID:1620
        
        C:\MSOCache\All Users\sppsvc.exe
        
        "C:\MSOCache\All Users\sppsvc.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be976de1-975e-4fe0-a8db-6e0163016dcc.vbs"
        21⤵
        
        PID:2516
        
        C:\MSOCache\All Users\sppsvc.exe
        
        "C:\MSOCache\All Users\sppsvc.exe"
        22⤵
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b0b4ff-2893-4079-b9a4-8ce56ac4dead.vbs"
        21⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ee0a3f8-9e25-4e6b-8196-fbda7e52f668.vbs"
        19⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac8d11d0-58f9-42e2-8567-948cb801edb9.vbs"
        17⤵
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e82cf54-5882-4b32-ba3d-00f840e73dcf.vbs"
        15⤵
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76b018f4-1293-4ba9-a737-ef4876ad6e1a.vbs"
        13⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56c5e454-3403-4e7b-bc8b-95756d7455aa.vbs"
        11⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\922250b4-69a7-4d91-82a0-9d82cdc12735.vbs"
        9⤵
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aa135d4-449d-4175-be64-5b8ff565b373.vbs"
        7⤵
        
        PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\BridgeRefruntime\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\BridgeRefruntime\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\BridgeRefruntime\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderreviewDriverP" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\en-US\ProviderreviewDriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderreviewDriver" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\ProviderreviewDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderreviewDriverP" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\ProviderreviewDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\BridgeRefruntime\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\BridgeRefruntime\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\BridgeRefruntime\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat

Filesize
46B

MD5
b634ab06c0798f4284c2fcf23c1fc85a

SHA1
a312a6a8dbd3fdd70e9919ffaa1b777213cf2e93

SHA256
20d420d40ee7aadb457e5a8dba9d099fb66d4810675a985a26ebf36141d8e250

SHA512
ae801ea89737efecc5be1c580bad10c75ee9f31f2685473bbb5512b024c355c62a7d122db5042dbfb96add27041fd2601472c57b075424d12261302804b5733c

Download Submit
C:\BridgeRefruntime\RO6jJbtsE.vbe

Filesize
213B

MD5
1217656e699a8ae1e62ad9b7059e215a

SHA1
3e9710cc62fcaf451a305be0fe047dfadd631e45

SHA256
710eab849bf0c066cb136771f1d4dc72bc2b13598c209508db16a3770d54286f

SHA512
ae775b9f675455bbb78a879f38e72e500607a6a22168591a599a04337229316fdbdd0b496d69e97c423a4e917d9174e039e0e4f80b8bc94a7d5b3f99887d3f31

Download Submit
C:\MSOCache\All Users\sppsvc.exe

Filesize
2.9MB

MD5
003b3c4961f942e65d074239be4c9159

SHA1
d2b271ac3bcf6c5278bd171424ce191935634848

SHA256
3e4a3715635db275a46bdee61deb27d4f49437ea6023fc039f13ed1f9e84cbc2

SHA512
7656a7300b720e569c6034b30a6be6f096446ed4e8dd0fb759cd0bfd11b9dcc2bcf8ed652b67549fb346e71614dc9b5fde87c33ba1ccb3ae3cfd7e6e6df49bca

Download Submit
C:\MSOCache\All Users\sppsvc.exe

Filesize
1.1MB

MD5
09ed82e44118e26bbe1519a7e25d4637

SHA1
08ef1d70249f4092320d2a6126ad232de3890af7

SHA256
61e743b549f19ee866b54f47acb04e564da6bff5f92eb844a159dd7b6b8dca13

SHA512
102095211c08ce08f6c22be77ca4d0f8f57320ab38e830ba35b8b27154cd1dbab24eb07593c8eef82ac4357ff741deb303de4be30c0461846a83ca22eec3207c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe

Filesize
2.9MB

MD5
094f623e5c54e3e0a95fd4157b3d3fba

SHA1
aabfd234d895a813eb0f307fb8b3fab7d6b22599

SHA256
e9bf6fb84b2d577294653fdfd8d1bfa23a0a9502ede2fef7594d2a36e0e55de7

SHA512
d0dbdeb248e35558e6240e0863efc80efe8b0a1d025179f4923aa0c7722c867ac97c0a149b7db6ea3e3f3d953d5adc000fb74c7dd03f491693849b243ddcc8a8

Download Submit
C:\Program Files (x86)\Windows Mail\fr-FR\RCX123E.tmp

Filesize
2.9MB

MD5
ecb8a56fde8d50c2fe56a26c033b8a39

SHA1
dd3f7bc75f354915ca4f71b9f2d581b0d8dc9896

SHA256
47d4a340d406fb9c8de309a6457493ea3b4249f7bf3fc21618697466e08e5188

SHA512
5c8ce67ffc7ed3a5e66259a3ae3ed35d4666e75131b4955b002bc96ff92cea6bf939641f7680e44f0edb136bdf2fe788a616cc74e1cf930fb773060ecce72bb0

Download Submit
C:\Program Files (x86)\Windows Sidebar\explorer.exe

Filesize
2.9MB

MD5
e18a719fa89c1316bbc70adccedafe22

SHA1
01c1b252e976632bf39193146b1cee0e027a4053

SHA256
faf4d85fa68ced23a3732463b9730202666deb4019c290bf411dca155170c818

SHA512
45a64a3a45ffc0a23a879d28f156b386e834b2961c2c49e9e361f5a1206a1e9d9580baefaa58045af4421bae670c89a4970001632943da24031fe674743058f2

Download Submit
C:\Program Files\Windows Sidebar\en-US\ProviderreviewDriver.exe

Filesize
2.9MB

MD5
e21f8e77dc970e6d6e82786d1c393d3b

SHA1
af9e7297a27b0c13038c2de50eb26a2aa6498876

SHA256
c44faed29904e8c6da44a2c534a70cd7a1c6eb50369b4078372855e4cbd9125c

SHA512
e293d2064c1876bc851ed375232e79e52c5b0ea0c6f484cdfb048040f5df994a3530f065681474bb27b7b67eebc9aa9fbb988ddc05b34066c553522767f8b644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
521e69b7f6b35ca7018a85cf814985ae

SHA1
7d253e8a30e5da3758aeba1abf5996acb88f82cc

SHA256
93019f67dc0fe0fa708e14c9307e2ed9d10ee00e6c112102fa1718fa152d20fa

SHA512
0ed8f127f7ec8b459ed3bf80824ea73a8f1eaf99cbf8555e7b989bdae40291d32ec7ce240cc8f3ae96f35ea2bfbed296e3852958090f7099ed5a129479bdfe45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5d2a7815e18afe804c935ee81c8b8bc

SHA1
98855f00b0458efb017ef5b218d130fe3b7fe961

SHA256
48c3daf23cd1ecc910dde03450f7b5d1460dd99ef21f98382877d449175e420b

SHA512
9ce651b34f7eb1ece554b018e95fa41ec2439036ec708587772e5c460c1f6fe5d36994a6fc15da2d2158ab6c46f5f6a749e30a72eeac3c83256fd8800594bd65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0b429d7f4ea69073d87e0564aa13ea1

SHA1
30c8257820c60f026be5cae4ccc1b6e48603ea9d

SHA256
3208e7122cedcacdcecf34a7b10b385d9c319dea9fa6bfc61255522ee43c4e06

SHA512
c847a1cef6e37650c905a119020a1e8a9074cd96caeaf565b79e15f232a7c980b7aca800213370a82ddbf0b8ab0ec5afaaee3a37d2945f997929d0ce8be9aa4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1bd42a34db9c9fa877104d30059cdc9

SHA1
f9f2bb6404f7257c603d0b2ba62bf80ae9c36932

SHA256
8f7f34270621452b910efca3fdd602ec040801a99f40b49a6da72cf8ccc92cf7

SHA512
258064478ee2cbcc76d5baf1ccdca598c53605a1096feca71f8d7bac8edd1ddbceb3e329fe88c8c1516bda560d7cc0c230c8606b15f16a53151c290016d71ae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea6f3867c8f24545f580fed190fbd7c3

SHA1
009c064aeef24f9d44173fc34dc6e9f97d8f5eab

SHA256
d22518a306dda4611d60ef97e7a3f5e5945728c37618df30de891558f34e8ee3

SHA512
6d57f3aebe6ca69490459428c0022f26363370eda19a22a9680001d250a09a6559c71edb26d1a010bb0d313b530d3153855184ba03cb0e289dd8af247e66cd86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1a4f07680d49e474a982bcc6bc83c39

SHA1
841db05e2708434be51699a509c6ed604fec69bc

SHA256
35136930b9efb7ab2bdd7eeababac52041f80b9686529b06cfb0d7d64d4a823d

SHA512
0f3f7fb61668e5cba04fac29d5b0c9e3dfbd78b7e965cd5bfc4a1e35158b417634bd4cea80fef9cb4ca31e15f7d8eda27c1467283c0fd8cb416de709440992a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ceafda00b3e5ae7119138b6612f739b3

SHA1
5d329718c5c79da61b691fff7a64fadf150dcbb1

SHA256
1e8de9ea281b3de8df87afc05b01a0502a35bc578e914f5467ff2e8104c2a010

SHA512
95ae63ec13352840b1ca57eba208a59afb2fb315decbb7da162b83c74de735ac447d9a6482bc7ee5acdd515fdbdea860a1b62c2cedc59047e2f5bfbaf3d18f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c6d9c61-ad1d-4faf-b41e-de3facad8183.vbs

Filesize
708B

MD5
010a47dcb7710079a5cf3c49519cfe9a

SHA1
069996b771a1a6dc1853ace20775f8aa10df2760

SHA256
e80002acb0d09a65fb8b1ac391957fe5867008aa36700a16fc05e1698fecd456

SHA512
5de8fe2364e11b70648744ba0d43b17cc33dd73b469998f65df690a2ed3dcb9c05b8303c201b9cdcf6d0ae6521f4ae431a0193c1fc6235f2915782f15de99c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aa135d4-449d-4175-be64-5b8ff565b373.vbs

Filesize
484B

MD5
0448c61b7aa62a473a8b3730221e51cb

SHA1
6cc2f5f5a8fdc22c80de1b2df18d52a56ce6b799

SHA256
e0de0c947c8d555e7b68b013006adf3e232a15133a3a72a24a5350c72b174e8f

SHA512
f0dea7c0f594679d85e98857f5a81c811f5751d4aba9b22f146a326e464a15858e209bd2e4667c917dc1bfac61f7964dc64cbd82d2e6fba51c851bafa076ffa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4dcdea1c-6676-4c35-8267-ca07871f6928.vbs

Filesize
708B

MD5
88bf4b7b786c2e19b238f002890de2b7

SHA1
ab9442171bae8ad5264ac57b5244248bb6e35316

SHA256
924ed54ee8fbddbff3e6f1411727b55982e7b0f7fd979bddd75d1d88cfda55a1

SHA512
99e4bdf94fe5d15e72689e9fca7388b3a63a1a772ab11f72cc087de1bea77a0b3d6f397a6903881b0b2a85baa561aec3bffe6f588a366b314f44d3f7288c40d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5756891a-8a8d-45ce-8178-5ed84b42db38.vbs

Filesize
708B

MD5
d37d8a6c05b5bf2e909029fd49cfdbc3

SHA1
8a5e47f2023ac37d5b3cdab10c55cee11ac3cb5e

SHA256
9a770982c4baf04139a35212d9edbd9378e806f2ee0ce5a7247550195c6f02d9

SHA512
b392b4ef2956bd8c132ebe198d190edd2c7794ef8c9e5161a78546b5d7de4f0912a1997818df178628cb426b8021b9588201a4f90a039885f3d5816bc53fb217

Download Submit
C:\Users\Admin\AppData\Local\Temp\9236b467-9b7a-486e-9f5d-0c72a62b83df.vbs

Filesize
708B

MD5
65a73ecfca5d40e431940312bd7b9c57

SHA1
9e29aab872e281523844ff40fe6467647fcf9813

SHA256
623350cb6267082168f4e1d6ca7c86e6573ad939023fa9a44daca521284cdd64

SHA512
c1cdec7041e56204b94f19ccaa04816b217c6f10f2837d9bd498c6ca1a6885219341674352faf5cc1f3dfbe0e18d9c13232ea9e2d8a633e1a12a7a83e29eae99

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f2450a2-429c-450d-a4df-f31f7f74022e.vbs

Filesize
708B

MD5
674e017c09c49bfba12b803421faa6a4

SHA1
50e496bf60ff3a5f14596a1542ddd0ff8ab4087b

SHA256
c824885f24c42ed2f7d9d2e56a3589a6313479179bbc2a032e08567d210091e0

SHA512
93aecc240c29ca7297f0a07a2ec888398bef99320582a32538647c09b45cda9e6b486b267228966f0bd4e3c80dad1568ab5b43de1fd696f6d8de0014dcb9da6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6D84.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6DC6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVup0LT16q.bat

Filesize
197B

MD5
6f3523c8bb5227aa0578d877d0ab0327

SHA1
72a43197a7ec99c49ef165db2b33aaf575ae1f2d

SHA256
32c8943958adae4f6027e82fe8ca52c6748d44bb0c4feb633643e999523b1a3a

SHA512
ea2aecd6519fdb5cd601497554ed20387222d0a8ce01ecbb5a23a64c139034ff24734cbed8d39708edca26f4478d55dc6a343d25cab880dd81f26799f7c0ca25

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5b91342-f1e7-4e9f-8c88-ad69f3152527.vbs

Filesize
708B

MD5
e3904758f4025e9c17e198e3b1d69090

SHA1
42fbd3015ee319e137a50fab318c696d2858e2e4

SHA256
16c7a838f7db64578a6283e530f68e81e64d0cd9895c8d578bbf0b12b458fc9f

SHA512
5d5205e9b534d388e94ecb019d4fa345206e2e50a837da46d877aac2119cd2b809d800ea2b4d2dd7f11ce4719f0a0ebe37ccf85e30963c685e61e89fb8dc01f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\be976de1-975e-4fe0-a8db-6e0163016dcc.vbs

Filesize
707B

MD5
47e7f962df09437d78dfad2a99192a18

SHA1
8b12deb59ab3e3bc07ff1728695df9dc70785e34

SHA256
cd2c0e319a4a262da9dd39ffcdf4b4e1a634b705f548617301a7bf3facf9cfb9

SHA512
ac4a66749ad545b4d69221729683b74b789cb02db37168b4cdbe4c064e7e25fd7be23d4732bf6d9c4ac6bf521360375999d81185ebaed03d980339add905b87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e239dfdf-12eb-427c-a594-700b8e08cbf6.vbs

Filesize
708B

MD5
f57cfb95e533e882f41aae34685df5dc

SHA1
b401b39728d01138bad0094755c63041967ceb5f

SHA256
8a7f914c4c80513dc3d4cf531294ca58e6236922e15b8a48b0737d56ccfe90e8

SHA512
c1dda0966d3342096c5b932c09f312d37fce668dacfa9807844b2ad10b4f7295c0c698685effe7349a1b48dd654b081729387254171dff7f85f707fbb25d4540

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8LWG3K1QC806UN79YGD1.temp

Filesize
7KB

MD5
b1ac2fee6c7ce5bc59c742a16f403f19

SHA1
f60644dfba2b0c703a6ffa988151c74a89070e58

SHA256
283d70a591928cac3d4ca3320e0660f592ebaa9d4a51b7be156e696f357ade01

SHA512
58f83983d72865965fe7d884dd475d683090fd913c3c445e66d198513708363b303e7ac8c0c5fae1f276db76dfcbd9d04f3fab496457f94fadf5151f2b59d3c5

Download Submit
\BridgeRefruntime\ProviderreviewDriver.exe

Filesize
2.9MB

MD5
15462778cb5d131fdbde43b845ca3385

SHA1
e11137a2d3643fa0569e57257f7b673b29f0ee86

SHA256
7082a4ae4749fc09c3b618986952c23aa6db2ee906da896b9a517685e56b8572

SHA512
1f58961f5367153539c8039e8cfafd1f74bcf09550912326d1274ec5b91ff578c0126c4f36c1916384364c74ed2a4b97013a4e6ff6b25567822eac8dabfcde6b

Download Submit
memory/576-349-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/756-1180-0x00000000011C0000-0x00000000014B2000-memory.dmp

Filesize
2.9MB

Download
memory/1032-346-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/1280-588-0x0000000001110000-0x0000000001402000-memory.dmp

Filesize
2.9MB

Download
memory/1280-589-0x0000000000C40000-0x0000000000C96000-memory.dmp

Filesize
344KB

Download
memory/1852-469-0x0000000000110000-0x0000000000402000-memory.dmp

Filesize
2.9MB

Download
memory/2576-26-0x0000000002290000-0x000000000229C000-memory.dmp

Filesize
48KB

Download
memory/2576-19-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/2576-25-0x00000000021B0000-0x00000000021B8000-memory.dmp

Filesize
32KB

Download
memory/2576-24-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/2576-32-0x0000000002370000-0x000000000237E000-memory.dmp

Filesize
56KB

Download
memory/2576-31-0x0000000002360000-0x000000000236A000-memory.dmp

Filesize
40KB

Download
memory/2576-30-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2576-35-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2576-29-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/2576-28-0x0000000002330000-0x000000000233C000-memory.dmp

Filesize
48KB

Download
memory/2576-27-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2576-36-0x00000000023B0000-0x00000000023BA000-memory.dmp

Filesize
40KB

Download
memory/2576-13-0x0000000000350000-0x0000000000642000-memory.dmp

Filesize
2.9MB

Download
memory/2576-37-0x00000000023C0000-0x00000000023CC000-memory.dmp

Filesize
48KB

Download
memory/2576-33-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2576-23-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2576-22-0x0000000002240000-0x0000000002296000-memory.dmp

Filesize
344KB

Download
memory/2576-21-0x0000000002170000-0x000000000217A000-memory.dmp

Filesize
40KB

Download
memory/2576-20-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/2576-34-0x0000000002390000-0x000000000239C000-memory.dmp

Filesize
48KB

Download
memory/2576-18-0x00000000007A0000-0x00000000007B6000-memory.dmp

Filesize
88KB

Download
memory/2576-17-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/2576-16-0x0000000000770000-0x000000000078C000-memory.dmp

Filesize
112KB

Download
memory/2576-15-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/2576-14-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/2956-352-0x00000000011B0000-0x00000000014A2000-memory.dmp

Filesize
2.9MB

Download