dcrat | 5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Size

3.2MB
MD5

1554ae8f1316eadf351b3e6f5e7fc9e6
SHA1

1fe722cd6f6e6739a2566c920931bc2f057ac55c
SHA256

5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23
SHA512

56bf054fa85f534a5b5896a21b4b511c564ffbb0a8b1685054c521d09a9122c848c5818d6518092d33da4c02b79dea6622ef7fd48ab22271522a9d7878a2883d
SSDEEP

49152:UbA30LfTBVuy0VtNUBslYt04P0GliFkO6Uo67iX0bCLuI9+E8Dt:Ub/7nL0jCB6q0goyUonuI998Dt

Score

10^/10

dcrat discovery evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3984	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3984	schtasks.exe	95

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeProviderreviewDriver.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023c8c-10.dat	dcrat
behavioral2/memory/3108-13-0x0000000000470000-0x0000000000762000-memory.dmp	dcrat
behavioral2/files/0x000a000000023cc3-95.dat	dcrat
behavioral2/files/0x0008000000023cc4-113.dat	dcrat
behavioral2/files/0x000a000000023c9b-134.dat	dcrat
behavioral2/files/0x0009000000023ca2-150.dat	dcrat
behavioral2/files/0x0007000000023cc8-158.dat	dcrat
behavioral2/files/0x0008000000023cad-172.dat	dcrat
behavioral2/files/0x0009000000023cd2-223.dat	dcrat
behavioral2/files/0x0008000000023cbf-242.dat	dcrat
behavioral2/memory/5628-446-0x0000000000E10000-0x0000000001102000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
864	powershell.exe
2244	powershell.exe
960	powershell.exe
4724	powershell.exe
1488	powershell.exe
3648	powershell.exe
1392	powershell.exe
4444	powershell.exe
2096	powershell.exe
2044	powershell.exe
1032	powershell.exe
1784	powershell.exe
3788	powershell.exe
4388	powershell.exe
4492	powershell.exe
2292	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exesmss.exesmss.exesmss.exeProviderreviewDriver.exesmss.exesmss.exesmss.exesmss.exe1554ae8f1316eadf351b3e6f5e7fc9e6.exeWScript.exesmss.exesmss.exesmss.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ProviderreviewDriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 13 IoCs

Processes:

ProviderreviewDriver.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	Process
3108	ProviderreviewDriver.exe
5628	smss.exe
856	smss.exe
3764	smss.exe
5336	smss.exe
2860	smss.exe
5832	smss.exe
5340	smss.exe
6008	smss.exe
3068	smss.exe
5848	smss.exe
628	smss.exe
3096	smss.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ProviderreviewDriver.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProviderreviewDriver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in Program Files directory 30 IoCs

Processes:

ProviderreviewDriver.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\RCXCCC2.tmp	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Security\BrowserCore\csrss.exe	ProviderreviewDriver.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\sppsvc.exe	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\Registry.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCXB454.tmp	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\29c1c3cc0f7685	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\unsecapp.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\RCXBC59.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\RCXCAAD.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\Registry.exe	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Security\BrowserCore\886983d96e3d3e	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB22F.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXB6D7.tmp	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\ee2ad38f3d4382	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCXB4D2.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\taskhostw.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\RCXBCD7.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\csrss.exe	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\ea9f0e6c9e2dcd	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\unsecapp.exe	ProviderreviewDriver.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\taskhostw.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB240.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXB755.tmp	ProviderreviewDriver.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	ProviderreviewDriver.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\0a1fd5f707cd16	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\RCXCAAE.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\sppsvc.exe	ProviderreviewDriver.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\RCXCCC3.tmp	ProviderreviewDriver.exe

Drops file in Windows directory 15 IoCs

Processes:

ProviderreviewDriver.exe

description	ioc	Process
File created	C:\Windows\Logs\HomeGroup\69ddcba757bf72	ProviderreviewDriver.exe
File created	C:\Windows\SKB\LanguageModels\unsecapp.exe	ProviderreviewDriver.exe
File opened for modification	C:\Windows\Logs\HomeGroup\RCXBEDC.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXC400.tmp	ProviderreviewDriver.exe
File created	C:\Windows\ModemLogs\smss.exe	ProviderreviewDriver.exe
File created	C:\Windows\ModemLogs\69ddcba757bf72	ProviderreviewDriver.exe
File opened for modification	C:\Windows\Logs\HomeGroup\RCXBEEC.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Windows\SKB\LanguageModels\unsecapp.exe	ProviderreviewDriver.exe
File created	C:\Windows\Logs\HomeGroup\smss.exe	ProviderreviewDriver.exe
File opened for modification	C:\Windows\ModemLogs\RCXBA54.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Windows\ModemLogs\smss.exe	ProviderreviewDriver.exe
File opened for modification	C:\Windows\Logs\HomeGroup\smss.exe	ProviderreviewDriver.exe
File created	C:\Windows\SKB\LanguageModels\29c1c3cc0f7685	ProviderreviewDriver.exe
File opened for modification	C:\Windows\ModemLogs\RCXB9D6.tmp	ProviderreviewDriver.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXC401.tmp	ProviderreviewDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1554ae8f1316eadf351b3e6f5e7fc9e6.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

Processes:

smss.exeProviderreviewDriver.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe1554ae8f1316eadf351b3e6f5e7fc9e6.exesmss.exesmss.exesmss.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	ProviderreviewDriver.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	1554ae8f1316eadf351b3e6f5e7fc9e6.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3368	schtasks.exe
1436	schtasks.exe
3204	schtasks.exe
4436	schtasks.exe
2972	schtasks.exe
1908	schtasks.exe
2976	schtasks.exe
2476	schtasks.exe
760	schtasks.exe
880	schtasks.exe
4872	schtasks.exe
3024	schtasks.exe
2576	schtasks.exe
1556	schtasks.exe
4340	schtasks.exe
1076	schtasks.exe
3584	schtasks.exe
3968	schtasks.exe
1848	schtasks.exe
1604	schtasks.exe
4608	schtasks.exe
1788	schtasks.exe
3112	schtasks.exe
3136	schtasks.exe
2312	schtasks.exe
684	schtasks.exe
2916	schtasks.exe
2260	schtasks.exe
3836	schtasks.exe
3248	schtasks.exe
4128	schtasks.exe
3188	schtasks.exe
2732	schtasks.exe
848	schtasks.exe
752	schtasks.exe
4796	schtasks.exe
5024	schtasks.exe
400	schtasks.exe
4844	schtasks.exe
920	schtasks.exe
4476	schtasks.exe
2372	schtasks.exe
2016	schtasks.exe
1996	schtasks.exe
2764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ProviderreviewDriver.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
3108	ProviderreviewDriver.exe
4724	powershell.exe
4724	powershell.exe
2096	powershell.exe
2096	powershell.exe
864	powershell.exe
864	powershell.exe
1392	powershell.exe
1392	powershell.exe
1032	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

ProviderreviewDriver.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	pid	Process
Token: SeDebugPrivilege	3108	ProviderreviewDriver.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	5628	smss.exe
Token: SeDebugPrivilege	856	smss.exe
Token: SeDebugPrivilege	3764	smss.exe
Token: SeDebugPrivilege	5336	smss.exe
Token: SeDebugPrivilege	2860	smss.exe
Token: SeDebugPrivilege	5832	smss.exe
Token: SeDebugPrivilege	5340	smss.exe
Token: SeDebugPrivilege	6008	smss.exe
Token: SeDebugPrivilege	3068	smss.exe
Token: SeDebugPrivilege	5848	smss.exe
Token: SeDebugPrivilege	628	smss.exe
Token: SeDebugPrivilege	3096	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1554ae8f1316eadf351b3e6f5e7fc9e6.exeWScript.execmd.exeProviderreviewDriver.execmd.exesmss.exeWScript.exesmss.exeWScript.exesmss.exeWScript.exe

description	pid	Process	procid_target
PID 1952 wrote to memory of 1708	1952	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	86
PID 1952 wrote to memory of 1708	1952	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	86
PID 1952 wrote to memory of 1708	1952	1554ae8f1316eadf351b3e6f5e7fc9e6.exe	86
PID 1708 wrote to memory of 3172	1708	WScript.exe	89
PID 1708 wrote to memory of 3172	1708	WScript.exe	89
PID 1708 wrote to memory of 3172	1708	WScript.exe	89
PID 3172 wrote to memory of 3108	3172	cmd.exe	93
PID 3172 wrote to memory of 3108	3172	cmd.exe	93
PID 3108 wrote to memory of 2044	3108	ProviderreviewDriver.exe	147
PID 3108 wrote to memory of 2044	3108	ProviderreviewDriver.exe	147
PID 3108 wrote to memory of 864	3108	ProviderreviewDriver.exe	148
PID 3108 wrote to memory of 864	3108	ProviderreviewDriver.exe	148
PID 3108 wrote to memory of 2096	3108	ProviderreviewDriver.exe	149
PID 3108 wrote to memory of 2096	3108	ProviderreviewDriver.exe	149
PID 3108 wrote to memory of 1488	3108	ProviderreviewDriver.exe	150
PID 3108 wrote to memory of 1488	3108	ProviderreviewDriver.exe	150
PID 3108 wrote to memory of 4724	3108	ProviderreviewDriver.exe	152
PID 3108 wrote to memory of 4724	3108	ProviderreviewDriver.exe	152
PID 3108 wrote to memory of 3788	3108	ProviderreviewDriver.exe	153
PID 3108 wrote to memory of 3788	3108	ProviderreviewDriver.exe	153
PID 3108 wrote to memory of 4444	3108	ProviderreviewDriver.exe	154
PID 3108 wrote to memory of 4444	3108	ProviderreviewDriver.exe	154
PID 3108 wrote to memory of 2292	3108	ProviderreviewDriver.exe	156
PID 3108 wrote to memory of 2292	3108	ProviderreviewDriver.exe	156
PID 3108 wrote to memory of 1784	3108	ProviderreviewDriver.exe	157
PID 3108 wrote to memory of 1784	3108	ProviderreviewDriver.exe	157
PID 3108 wrote to memory of 960	3108	ProviderreviewDriver.exe	158
PID 3108 wrote to memory of 960	3108	ProviderreviewDriver.exe	158
PID 3108 wrote to memory of 1392	3108	ProviderreviewDriver.exe	159
PID 3108 wrote to memory of 1392	3108	ProviderreviewDriver.exe	159
PID 3108 wrote to memory of 4492	3108	ProviderreviewDriver.exe	160
PID 3108 wrote to memory of 4492	3108	ProviderreviewDriver.exe	160
PID 3108 wrote to memory of 2244	3108	ProviderreviewDriver.exe	161
PID 3108 wrote to memory of 2244	3108	ProviderreviewDriver.exe	161
PID 3108 wrote to memory of 3648	3108	ProviderreviewDriver.exe	162
PID 3108 wrote to memory of 3648	3108	ProviderreviewDriver.exe	162
PID 3108 wrote to memory of 1032	3108	ProviderreviewDriver.exe	163
PID 3108 wrote to memory of 1032	3108	ProviderreviewDriver.exe	163
PID 3108 wrote to memory of 4388	3108	ProviderreviewDriver.exe	164
PID 3108 wrote to memory of 4388	3108	ProviderreviewDriver.exe	164
PID 3108 wrote to memory of 752	3108	ProviderreviewDriver.exe	178
PID 3108 wrote to memory of 752	3108	ProviderreviewDriver.exe	178
PID 752 wrote to memory of 5760	752	cmd.exe	181
PID 752 wrote to memory of 5760	752	cmd.exe	181
PID 752 wrote to memory of 5628	752	cmd.exe	183
PID 752 wrote to memory of 5628	752	cmd.exe	183
PID 5628 wrote to memory of 5880	5628	smss.exe	185
PID 5628 wrote to memory of 5880	5628	smss.exe	185
PID 5628 wrote to memory of 5908	5628	smss.exe	186
PID 5628 wrote to memory of 5908	5628	smss.exe	186
PID 5880 wrote to memory of 856	5880	WScript.exe	188
PID 5880 wrote to memory of 856	5880	WScript.exe	188
PID 856 wrote to memory of 6004	856	smss.exe	192
PID 856 wrote to memory of 6004	856	smss.exe	192
PID 856 wrote to memory of 2316	856	smss.exe	193
PID 856 wrote to memory of 2316	856	smss.exe	193
PID 6004 wrote to memory of 3764	6004	WScript.exe	197
PID 6004 wrote to memory of 3764	6004	WScript.exe	197
PID 3764 wrote to memory of 1376	3764	smss.exe	199
PID 3764 wrote to memory of 1376	3764	smss.exe	199
PID 3764 wrote to memory of 4888	3764	smss.exe	200
PID 3764 wrote to memory of 4888	3764	smss.exe	200
PID 1376 wrote to memory of 5336	1376	WScript.exe	202
PID 1376 wrote to memory of 5336	1376	WScript.exe	202

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeProviderreviewDriver.exesmss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderreviewDriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1554ae8f1316eadf351b3e6f5e7fc9e6.exe
"C:\Users\Admin\AppData\Local\Temp\1554ae8f1316eadf351b3e6f5e7fc9e6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeRefruntime\RO6jJbtsE.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\BridgeRefruntime\ProviderreviewDriver.exe
      "C:\BridgeRefruntime\ProviderreviewDriver.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\ProviderreviewDriver.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\WinMSIPC\Server\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KbwrwrG91g.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:752
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5760
      - C:\Windows\ModemLogs\smss.exe
        
        "C:\Windows\ModemLogs\smss.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f1999c6-c5e3-4c20-8268-3061362dd30a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5880
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d90a15f0-82ca-4d40-8046-748167ea30dc.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:6004
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c14dc9c5-b5eb-422f-9cf6-6a70f82526dc.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aef473fc-3590-4f63-a8ea-6ead7d2fe884.vbs"
        13⤵
        
        PID:5364
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d99606d5-5e24-4307-8f2a-1684fac1c4db.vbs"
        15⤵
        
        PID:5416
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2ccb6d9-1e53-414e-951b-bfb4ef0cd035.vbs"
        17⤵
        
        PID:5952
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0914afee-16ac-4394-8d91-ce15ee3aeccc.vbs"
        19⤵
        
        PID:2768
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1af428d9-314b-41ba-8f06-02c3e74bc324.vbs"
        21⤵
        
        PID:5128
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a829238-8004-4f67-a0d1-07a7b652bafd.vbs"
        23⤵
        
        PID:5476
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceb43140-a4fa-4a7d-8b93-8555f37eb2b4.vbs"
        25⤵
        
        PID:5996
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f4e513e-f20e-4202-82d3-ce377bae1314.vbs"
        27⤵
        
        PID:3616
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f145175c-cdaf-4cc5-917a-0cead5213701.vbs"
        29⤵
        
        PID:3768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\304572c6-eef0-4af4-ab44-9056d1bccf31.vbs"
        29⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0b75574-b521-461f-8775-7e9a4f8abfe6.vbs"
        27⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e306908-0990-4ab4-9d5f-16ff03fa64aa.vbs"
        25⤵
        
        PID:6020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c746c2a-4755-40ab-ba3f-84ab95042d15.vbs"
        23⤵
        
        PID:5608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cfbb930-1d15-46d0-8406-aed28db89a57.vbs"
        21⤵
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91053755-8669-45ac-85c2-c213f02ca1d5.vbs"
        19⤵
        
        PID:5392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc2be21d-3e0a-4e35-a338-3ed000f7618a.vbs"
        17⤵
        
        PID:544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37c7604f-8a7a-4c59-b5d0-bf390c563f0b.vbs"
        15⤵
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\945d477d-2508-494b-9bdc-232b01e39971.vbs"
        13⤵
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e79a05-c7c0-4bcd-b402-20dfa2d76c08.vbs"
        11⤵
        
        PID:4888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cd30163-28a4-4a00-a765-892b55f24b14.vbs"
        9⤵
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecd6936c-9548-44b0-953a-aa33f89a2e86.vbs"
        7⤵
        
        PID:5908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\HomeGroup\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\HomeGroup\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\LanguageModels\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\LanguageModels\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\BridgeRefruntime\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\BridgeRefruntime\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\BridgeRefruntime\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\BridgeRefruntime\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\BridgeRefruntime\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\BridgeRefruntime\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\WinMSIPC\Server\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\WinMSIPC\Server\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\WinMSIPC\Server\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat

Filesize
46B

MD5
b634ab06c0798f4284c2fcf23c1fc85a

SHA1
a312a6a8dbd3fdd70e9919ffaa1b777213cf2e93

SHA256
20d420d40ee7aadb457e5a8dba9d099fb66d4810675a985a26ebf36141d8e250

SHA512
ae801ea89737efecc5be1c580bad10c75ee9f31f2685473bbb5512b024c355c62a7d122db5042dbfb96add27041fd2601472c57b075424d12261302804b5733c

Download Submit
C:\BridgeRefruntime\ProviderreviewDriver.exe

Filesize
2.9MB

MD5
15462778cb5d131fdbde43b845ca3385

SHA1
e11137a2d3643fa0569e57257f7b673b29f0ee86

SHA256
7082a4ae4749fc09c3b618986952c23aa6db2ee906da896b9a517685e56b8572

SHA512
1f58961f5367153539c8039e8cfafd1f74bcf09550912326d1274ec5b91ff578c0126c4f36c1916384364c74ed2a4b97013a4e6ff6b25567822eac8dabfcde6b

Download Submit
C:\BridgeRefruntime\RO6jJbtsE.vbe

Filesize
213B

MD5
1217656e699a8ae1e62ad9b7059e215a

SHA1
3e9710cc62fcaf451a305be0fe047dfadd631e45

SHA256
710eab849bf0c066cb136771f1d4dc72bc2b13598c209508db16a3770d54286f

SHA512
ae775b9f675455bbb78a879f38e72e500607a6a22168591a599a04337229316fdbdd0b496d69e97c423a4e917d9174e039e0e4f80b8bc94a7d5b3f99887d3f31

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\RCXCCC2.tmp

Filesize
2.9MB

MD5
228dd9ef16e757e0dfe2adb280c9a53c

SHA1
d67f931d93d2cd0754cea26ed445ab1860f5b934

SHA256
b9b02143b150ab52b2b73664aa3f5fd8de258e54d92dcb168c1cb4d654dd26d5

SHA512
35e85465fbd5fad59e76c41b777d4168aea22837a699322c20aab283b4cab30d9522da3e13ac2a933a05ee413bbc139b39e1c4a743ad18014c4f764821d2b419

Download Submit
C:\Program Files\Windows Photo Viewer\ja-JP\taskhostw.exe

Filesize
2.9MB

MD5
6278a0c4beb99c1f179df048c7ed5091

SHA1
726807f948381adf1c5b9672860857bdebe3f0ba

SHA256
6fc0bb9e7f1fd895b36819a3d4bedb42d73c8478d1890a5a44e4860738376bc4

SHA512
660196d989798ae710aea421852d42232c54a7d6b0a5af5aaa1a3fe93fb7db192c00031a93f8ab4f1cd16e5ce616361f267fbd9c4a6255c81001b14d1f40cb2c

Download Submit
C:\Program Files\Windows Security\BrowserCore\csrss.exe

Filesize
2.9MB

MD5
4944afb067134c96c1a09b3a520e2384

SHA1
15e32b65604fe3020485c62c2d33c0636d34a721

SHA256
9829bd641bb4e3e49229194bac7d2321e509b9ec8baf7eba9fa1103b816c4121

SHA512
5a1d463d0fdbcfcade5055a444959f6fbb541c40a7865da604eb29a59e4a0fd6470a17dcb699e2f2e6c9a7bc67702d3fcacf10fc6f34a75ce6a9747176b73f76

Download Submit
C:\ProgramData\Microsoft\WinMSIPC\Server\sysmon.exe

Filesize
2.9MB

MD5
b2d5013fa46a1ba87b4946ca8f0b676b

SHA1
09714ed3f777ad31fbe42a4006b915cdb97cf757

SHA256
cd19c5216b9cd620ec47db018eca81c94e7caa57c39505503570a74ec988a9f0

SHA512
d8015bf9cb4ac80c2dd8abb7f7b04e35d3db6709f66fb162f8633a4e4ca33c06298d73551594f109a510c601dd9f5477ed4bb5e04d715069d1ef273cca4f47e9

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
2.9MB

MD5
7be3bf374a209ee91a8a8f82af9b847f

SHA1
830d969a1ded7d921a241a8fbe522b53780996cf

SHA256
d88af9827391cb313f72e96aa3b76a77d2042601f96d03bad2bd59e114a5b0c4

SHA512
81ddf87bf4c7e9f90ca11171c57298b8163e812f22a23136e946925320cbcaa71bf624f108d87f8fc61fea8dbe6904c18b94e341e994b6e927ddb38a9f2ac8cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
9b0256da3bf9a5303141361b3da59823

SHA1
d73f34951777136c444eb2c98394f62912ebcdac

SHA256
96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e

SHA512
9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0914afee-16ac-4394-8d91-ce15ee3aeccc.vbs

Filesize
705B

MD5
e8c6fc07693724c413683d4bd5f2f534

SHA1
93b0071b82dcdd6b041be916dd08c2f10f0fb31d

SHA256
45690f650fe6370e82e280dafd020d2623175489119e1ab3e35b0de74e243325

SHA512
a0e91bdc22872bb572e240ac21f1d9e10e02ccefcab3ef089cfe3e47dbcbc0283976a0cdcb5b8923bf37a48ecb3ed2f683128eaa66d2e3a6fde8a966547cebab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1af428d9-314b-41ba-8f06-02c3e74bc324.vbs

Filesize
705B

MD5
1c732e69d3f6b43a35b3233d07f3bb2b

SHA1
57ab86daa00f5992f04bdcbb9d3fcf31d97ee6f1

SHA256
a3eb78a14c661e8d81ddefbc99103f8f2b6fcc346aaee9351d044647b8f4808f

SHA512
69fd0bf3fd643e4a3131a52ae613c67462672697c21fc9f9f8e7c2866a1b1f1a869e8e67a096753d01151fa359ec87e86013a75080aad63024076106b80fb5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f1999c6-c5e3-4c20-8268-3061362dd30a.vbs

Filesize
705B

MD5
460c42c69aafb481eba71619c9335a08

SHA1
f55a9ab1a2c6bea2191f32e3657ac53d24d4520f

SHA256
b362fa89c90dbefe4de3cd42a66af93cf1ba0f51ff49c7dcd148f469eb3b28bc

SHA512
9d063a61f8edbeb5ee707f1debffe4d43d72537e6ca9821e76a38c728c8cb8a0700bdaf40764ee1aaf14560595bdf2a32d01de2840562914ed2e806160a22876

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a829238-8004-4f67-a0d1-07a7b652bafd.vbs

Filesize
705B

MD5
f5895a0985094263c2117b64a484293d

SHA1
2a79e4158b633d14c674c76d4b165244b0ce4a34

SHA256
3813fc49217be82e39cb9ca13f54210486059d263fe4200c16d820368d1455eb

SHA512
8e0035154f65245b006502484492be0a0b0800817b066e8a9b4da425570d0d9fc18758a3bd9baaf4f984bf3c59d87ae7a8be11391ea20eb0f37991ed46d61d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\KbwrwrG91g.bat

Filesize
194B

MD5
5961189a506761b15032391b659c8972

SHA1
c5a35d7c520a3cd8af8323d12e179211317f050c

SHA256
37eaafeb57bddcbc804d76210c89bf818d056cba4c3b658bf9b29ba20b32741a

SHA512
ee248f1b455acd7e27fdfd214f19b26463826168fd1447c3bda034667dfcf09dcc0e686b2035e5ce2dca9b8dc66b9b94fffb5f323c6ae98a8a21b11113cfe4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_amclawz4.14k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aef473fc-3590-4f63-a8ea-6ead7d2fe884.vbs

Filesize
705B

MD5
b96a30cfcc5e05eb4de2e41b93fd27b9

SHA1
de761c8232e50402c6c5fa1ec1ff9c833922ae62

SHA256
96cd923aee08f4b6fa1eb34978a91cf07cb8d89d721cff7b8defc0208fe1675b

SHA512
6624aaa1645d949662b877d0d39f99b3b3ab8f153f8db0c81139d94e8d43bbf6e8d153f1d28d6f45450dc6ec7edbcc1319292235ea92f263a6b2a4ef351d2419

Download Submit
C:\Users\Admin\AppData\Local\Temp\c14dc9c5-b5eb-422f-9cf6-6a70f82526dc.vbs

Filesize
705B

MD5
5dec63baedf84654b662bcdd15155eb4

SHA1
f184c4780527d364f57956b755e0048ea29ab6f5

SHA256
e30675219ea3047efa07db6f569a873aac31a09d52cd9c2aee919fbdae18b5fa

SHA512
dd2e01736646b0c0278cc7f9b2b15d167f89bce504c28a0ef3ac51be3059b96a2e38a1d8ee9f42aa47d4208fbc949a8602908984c261fcbd284f7373dff284d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2ccb6d9-1e53-414e-951b-bfb4ef0cd035.vbs

Filesize
705B

MD5
9b174247cf29227047e56612af5a19a1

SHA1
8ffed1495f971ff57f5b15ff219f14234498592a

SHA256
9ad648941e8e886610343f10e9875031fd009c6d0f880b7f0de97b18c37ccf51

SHA512
8695ede8246e2c7418d130e9f46befbe641d225519fec354f539b015fe091230c6cd9974030736cf9250aca0a081362f98ede8044a20a4e4dd3f72cb4e8acde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceb43140-a4fa-4a7d-8b93-8555f37eb2b4.vbs

Filesize
705B

MD5
efc79fc0629f257bddda32273294ce35

SHA1
e686dbf68994d1d7a033447bf6370008b9d9bca9

SHA256
cff7cdaf89d35884d7a1e3de6e4aad1d655df853c422daa28fc9ef5dad601642

SHA512
377f9095085a1ed90d1b98a3ace0078384b68e83f00381a48ab0f0f31414aa2ba411991441e057ed8f3e73b9005659bc77a508c5a7b71d4c43d1d2ff732eed96

Download Submit
C:\Users\Admin\AppData\Local\Temp\d90a15f0-82ca-4d40-8046-748167ea30dc.vbs

Filesize
704B

MD5
4860b339be6dcc7945347375b660f7ab

SHA1
f91d463025aafe52d2da601f545289713dd7485a

SHA256
284994094741341328ae43287adda7b0a0b3ce5e1dc44442c424fdb20a0f2a90

SHA512
1733e5a36ed9a2f229e6551b4db79cc72156f4e25c39044d702afb7382612f532ff890099bcf8519512395285c3f6f26a06d06ff896774d34d8f5208f47fcd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\d99606d5-5e24-4307-8f2a-1684fac1c4db.vbs

Filesize
705B

MD5
3102276e4bd8f228506710cd5f1c88d0

SHA1
a6e20cf6190e12ed9366c6f641bf6ebc4be557e3

SHA256
0c454a29beab606d444aa10d52a6a48ad1ec009c9f96d67d858c6e184f6d936d

SHA512
b4c08e522141afd0737901ded33bbe42fcee588bca73ed2252a751f13b9381855e8f09a129f516cf47fafd3af4d786189ef6878b737b153c530ef9f28b33dae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecd6936c-9548-44b0-953a-aa33f89a2e86.vbs

Filesize
481B

MD5
5a40265819e92bc6425382d8d749629c

SHA1
99a735554f98b3392c48b8fe80159f9e5042969a

SHA256
7bb3b7bc2d72ce24c7195447334d55cfd0fcf5b6c39435f799b5be382cc0df64

SHA512
33718e0a7e6b4c573dfc12902b1ce5b567bfca68ef8797e6cacff93b41d116c0286b9dcf4542b4ebf22024051d05d9d47e33ef955f688555c7a9ff5049e478e2

Download Submit
C:\Users\Default\Registry.exe

Filesize
2.9MB

MD5
c5afb735c12d08e9fc8dd8b5e99b4d8e

SHA1
4e1b194bde44dc64e1236a12bce17376ce771009

SHA256
3ac0f8ccfcaf5a7918f2db16ed5c004895d0000897b1ae967b3802a5f159813e

SHA512
9b3127d97e7d29a728f80c95e39bfcad888c4d3462671700c1ce2f3fee86be44925926c779217015df6731971e98fe705479a56f1068cd1735420004e91173c4

Download Submit
C:\Windows\Logs\HomeGroup\RCXBEEC.tmp

Filesize
2.9MB

MD5
ecb8a56fde8d50c2fe56a26c033b8a39

SHA1
dd3f7bc75f354915ca4f71b9f2d581b0d8dc9896

SHA256
47d4a340d406fb9c8de309a6457493ea3b4249f7bf3fc21618697466e08e5188

SHA512
5c8ce67ffc7ed3a5e66259a3ae3ed35d4666e75131b4955b002bc96ff92cea6bf939641f7680e44f0edb136bdf2fe788a616cc74e1cf930fb773060ecce72bb0

Download Submit
C:\Windows\ModemLogs\smss.exe

Filesize
2.9MB

MD5
063e5317389fd8ac52c7b7cba81fab5c

SHA1
b47f97eeabc307a8a593ba4f363dbe835783ced0

SHA256
70d41a35492be4f6a5e87c9e797d9bce526362a46f0f1c50b9980f5c550f484d

SHA512
1cab3c8ee5b3fcdfaebd3ab8bd7e44a7fcd9a785a231a4df88d642b4d93fbc34f28b2a06a18ae11a756dd099775df771d3ac214cef5bb255987db37366b43c60

Download Submit
memory/864-420-0x00000182E6220000-0x00000182E636E000-memory.dmp

Filesize
1.3MB

Download
memory/960-421-0x000001925E9A0000-0x000001925EAEE000-memory.dmp

Filesize
1.3MB

Download
memory/1032-419-0x0000024F5FA60000-0x0000024F5FBAE000-memory.dmp

Filesize
1.3MB

Download
memory/1392-414-0x00000267703C0000-0x000002677050E000-memory.dmp

Filesize
1.3MB

Download
memory/1488-442-0x0000022DC0D50000-0x0000022DC0E9E000-memory.dmp

Filesize
1.3MB

Download
memory/1784-408-0x0000018B225B0000-0x0000018B226FE000-memory.dmp

Filesize
1.3MB

Download
memory/2044-426-0x000001CE519E0000-0x000001CE51B2E000-memory.dmp

Filesize
1.3MB

Download
memory/2096-399-0x0000012FBD6F0000-0x0000012FBD83E000-memory.dmp

Filesize
1.3MB

Download
memory/2096-256-0x0000012FBD5C0000-0x0000012FBD5E2000-memory.dmp

Filesize
136KB

Download
memory/2244-411-0x0000025DD5CA0000-0x0000025DD5DEE000-memory.dmp

Filesize
1.3MB

Download
memory/2292-427-0x00000176D77A0000-0x00000176D78EE000-memory.dmp

Filesize
1.3MB

Download
memory/3108-31-0x000000001BC30000-0x000000001BC38000-memory.dmp

Filesize
32KB

Download
memory/3108-38-0x000000001BDA0000-0x000000001BDAC000-memory.dmp

Filesize
48KB

Download
memory/3108-28-0x000000001BB00000-0x000000001BB08000-memory.dmp

Filesize
32KB

Download
memory/3108-12-0x00007FFF5FC23000-0x00007FFF5FC25000-memory.dmp

Filesize
8KB

Download
memory/3108-30-0x000000001BB20000-0x000000001BB2C000-memory.dmp

Filesize
48KB

Download
memory/3108-207-0x00007FFF5FC23000-0x00007FFF5FC25000-memory.dmp

Filesize
8KB

Download
memory/3108-13-0x0000000000470000-0x0000000000762000-memory.dmp

Filesize
2.9MB

Download
memory/3108-14-0x0000000000FE0000-0x0000000000FEE000-memory.dmp

Filesize
56KB

Download
memory/3108-19-0x000000001B3C0000-0x000000001B3D6000-memory.dmp

Filesize
88KB

Download
memory/3108-26-0x000000001BAE0000-0x000000001BAE8000-memory.dmp

Filesize
32KB

Download
memory/3108-25-0x000000001B420000-0x000000001B42C000-memory.dmp

Filesize
48KB

Download
memory/3108-32-0x000000001BC40000-0x000000001BC4A000-memory.dmp

Filesize
40KB

Download
memory/3108-34-0x000000001BD60000-0x000000001BD68000-memory.dmp

Filesize
32KB

Download
memory/3108-35-0x000000001BD70000-0x000000001BD7C000-memory.dmp

Filesize
48KB

Download
memory/3108-37-0x000000001BD90000-0x000000001BD9A000-memory.dmp

Filesize
40KB

Download
memory/3108-16-0x00000000029B0000-0x00000000029CC000-memory.dmp

Filesize
112KB

Download
memory/3108-36-0x000000001BD80000-0x000000001BD88000-memory.dmp

Filesize
32KB

Download
memory/3108-27-0x000000001BAF0000-0x000000001BAFC000-memory.dmp

Filesize
48KB

Download
memory/3108-21-0x000000001B410000-0x000000001B420000-memory.dmp

Filesize
64KB

Download
memory/3108-22-0x000000001B3F0000-0x000000001B3FA000-memory.dmp

Filesize
40KB

Download
memory/3108-15-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/3108-33-0x000000001BC50000-0x000000001BC5E000-memory.dmp

Filesize
56KB

Download
memory/3108-23-0x000000001BA90000-0x000000001BAE6000-memory.dmp

Filesize
344KB

Download
memory/3108-29-0x000000001BB10000-0x000000001BB1C000-memory.dmp

Filesize
48KB

Download
memory/3108-17-0x000000001BA40000-0x000000001BA90000-memory.dmp

Filesize
320KB

Download
memory/3108-18-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/3108-24-0x000000001B400000-0x000000001B40C000-memory.dmp

Filesize
48KB

Download
memory/3108-20-0x000000001B3E0000-0x000000001B3E8000-memory.dmp

Filesize
32KB

Download
memory/3648-407-0x000002121B7A0000-0x000002121B8EE000-memory.dmp

Filesize
1.3MB

Download
memory/3788-441-0x0000019722570000-0x00000197226BE000-memory.dmp

Filesize
1.3MB

Download
memory/4388-440-0x00000254B3280000-0x00000254B33CE000-memory.dmp

Filesize
1.3MB

Download
memory/4444-437-0x000001F66AB30000-0x000001F66AC7E000-memory.dmp

Filesize
1.3MB

Download
memory/4492-434-0x000002B2BE270000-0x000002B2BE3BE000-memory.dmp

Filesize
1.3MB

Download
memory/4724-406-0x000001E4DD250000-0x000001E4DD39E000-memory.dmp

Filesize
1.3MB

Download
memory/5628-446-0x0000000000E10000-0x0000000001102000-memory.dmp

Filesize
2.9MB

Download