Malware Analysis Report

2025-08-06 01:47

Sample ID: 241031-cxl9gaxfkc
Target: 5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe
SHA256: 5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23
Tags: rat dcrat discovery evasion execution infostealer trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23
Threat Level: Known bad

The file 5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery evasion execution infostealer trojan

Dcrat family

DcRat

DCRat payload

Process spawned unexpected child process

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-31 02:27

Signatures

DCRat payload
Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family
Tags: dcrat

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-31 02:27
Reported: 2024-10-31 02:44
Platform: win7-20240708-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe"

Signatures

DcRat
Tags: rat infostealer dcrat

Dcrat family
Tags: dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | | 30

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Documents\lsm.exe | N/A | 9
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\lsm.exe | N/A | 9
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Documents\lsm.exe | N/A | 9
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 1

DCRat payload

Tags: rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 15

Loads dropped DLL

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A | 2

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\lsm.exe | N/A | 9
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Documents\lsm.exe | N/A | 9
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 1

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows NT\spoolsv.exe | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A
File created | C:\Program Files (x86)\Windows NT\f3b6ecef712a24 | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows NT\RCXDE02.tmp | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows NT\RCXDE71.tmp | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows NT\spoolsv.exe | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\fr-FR\69ddcba757bf72 | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A
File opened for modification | C:\Windows\fr-FR\RCXCA91.tmp | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A
File opened for modification | C:\Windows\fr-FR\RCXCA92.tmp | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A
File created | C:\Windows\fr-FR\smss.exe | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A
File opened for modification | C:\Windows\fr-FR\smss.exe | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 37
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 11
N/A | N/A | C:\Users\All Users\Documents\lsm.exe | N/A | 16

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 11
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Documents\lsm.exe | N/A | 9

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1688 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2528 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1268 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\BridgeRefruntime\ProviderreviewDriver.exe | 4
PID 584 wrote to memory of 2808 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2824 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2872 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2916 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2748 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2612 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2924 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2640 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2692 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2848 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 2628 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 584 wrote to memory of 1200 | N/A | C:\BridgeRefruntime\ProviderreviewDriver.exe | C:\Windows\System32\cmd.exe | 3
PID 1200 wrote to memory of 2856 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe | 3
PID 1200 wrote to memory of 1036 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Documents\lsm.exe | 3
PID 1036 wrote to memory of 1740 | N/A | C:\Users\All Users\Documents\lsm.exe | C:\Windows\System32\WScript.exe | 3
PID 1036 wrote to memory of 1228 | N/A | C:\Users\All Users\Documents\lsm.exe | C:\Windows\System32\WScript.exe | 3
PID 1740 wrote to memory of 2452 | N/A | C:\Windows\System32\WScript.exe | C:\Users\All Users\Documents\lsm.exe | 3
PID 2452 wrote to memory of 884 | N/A | C:\Users\All Users\Documents\lsm.exe | C:\Windows\System32\WScript.exe | 1

System policy modification

Tags: evasion
Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Documents\lsm.exe | N/A | 9
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\lsm.exe | N/A | 8
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Documents\lsm.exe | N/A | 8
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\BridgeRefruntime\ProviderreviewDriver.exe | N/A | 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe

"C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BridgeRefruntime\RO6jJbtsE.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat" "

C:\BridgeRefruntime\ProviderreviewDriver.exe

"C:\BridgeRefruntime\ProviderreviewDriver.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\fr-FR\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\BridgeRefruntime\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\BridgeRefruntime\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\BridgeRefruntime\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\BridgeRefruntime\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\BridgeRefruntime\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\BridgeRefruntime\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\ProviderreviewDriver.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s8is5PFJRC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b0be2a9-b3d5-452e-a82f-94d93c8b2d92.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8917c31-01c6-48c0-aa0f-d3319b5faec3.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3b39786-6efc-4a2c-b207-e371aa310b9a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab2435d9-4aaf-4436-a156-e3fc4acea310.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d2b35f-071c-48ca-a82e-3f17a575286a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13892056-c8a0-4f89-9bb8-ffefaf4fee7f.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70d38982-c7ab-4128-b2f9-353682613eed.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66b615b-42ab-44c4-a93a-05d858b0593f.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7759d204-12d7-44ff-84f6-68cfcc5b54b0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6f9fb24-9154-42e0-9bf6-d810212fd0f0.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fafdc288-2358-4f04-9909-2c8ea26480b4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7de5b2f-2b45-4865-85b6-df8fb536f9fb.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79965a9f-ef55-49e8-90da-838e7418613b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33409196-ebbb-45cb-91ad-58d889402622.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dac63a8-caab-45a1-9399-8faa990ab072.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a30f3c16-c827-4ce9-b106-c6a3c3de53ca.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56eeea80-6255-46b4-90b6-d4829162300c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d04158e4-0550-4697-a2cf-422787b7b265.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cz15171.tw1.ru udp
RU 185.114.245.123:80 cz15171.tw1.ru tcp
US 8.8.8.8:53 vh438.timeweb.ru udp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp

Files

C:\BridgeRefruntime\RO6jJbtsE.vbe

MD5 1217656e699a8ae1e62ad9b7059e215a
SHA1 3e9710cc62fcaf451a305be0fe047dfadd631e45
SHA256 710eab849bf0c066cb136771f1d4dc72bc2b13598c209508db16a3770d54286f
SHA512 ae775b9f675455bbb78a879f38e72e500607a6a22168591a599a04337229316fdbdd0b496d69e97c423a4e917d9174e039e0e4f80b8bc94a7d5b3f99887d3f31

C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat

MD5 b634ab06c0798f4284c2fcf23c1fc85a
SHA1 a312a6a8dbd3fdd70e9919ffaa1b777213cf2e93
SHA256 20d420d40ee7aadb457e5a8dba9d099fb66d4810675a985a26ebf36141d8e250
SHA512 ae801ea89737efecc5be1c580bad10c75ee9f31f2685473bbb5512b024c355c62a7d122db5042dbfb96add27041fd2601472c57b075424d12261302804b5733c

\BridgeRefruntime\ProviderreviewDriver.exe

MD5 15462778cb5d131fdbde43b845ca3385
SHA1 e11137a2d3643fa0569e57257f7b673b29f0ee86
SHA256 7082a4ae4749fc09c3b618986952c23aa6db2ee906da896b9a517685e56b8572
SHA512 1f58961f5367153539c8039e8cfafd1f74bcf09550912326d1274ec5b91ff578c0126c4f36c1916384364c74ed2a4b97013a4e6ff6b25567822eac8dabfcde6b

C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\RCXCC97.tmp

MD5 ecb8a56fde8d50c2fe56a26c033b8a39
SHA1 dd3f7bc75f354915ca4f71b9f2d581b0d8dc9896
SHA256 47d4a340d406fb9c8de309a6457493ea3b4249f7bf3fc21618697466e08e5188
SHA512 5c8ce67ffc7ed3a5e66259a3ae3ed35d4666e75131b4955b002bc96ff92cea6bf939641f7680e44f0edb136bdf2fe788a616cc74e1cf930fb773060ecce72bb0

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe

MD5 b5d2193db71bf563dbd7bd10f145afee
SHA1 f39c11aa8e18b7f7cb95301094da1873ea4b80a6
SHA256 b6cd637601e5ed8607e5ca030e266299cc903f8e2d25bf280bf488453f02c8e8
SHA512 24715764be4b4ac4e4f794563a843663864d327268a1b2fc2f9e66da2ac0709bebba087d74f8bcadf4c3003a31f2830ac3f47a59c4f8fac181540d566cc3d17d

C:\BridgeRefruntime\RCXD70A.tmp

MD5 00eb103a7953d93b6903d19cd5c61205
SHA1 dc87a3334b43e0cd0db2b28c6b25ad09906bef09
SHA256 399df3d2387e43428195b5718858a343d3a98147f0835bbd9dbaaeb9c767e3eb
SHA512 4e69afc4746abab0a8ce0b75ac61586a908cae952fb66ddd8e41b1cd7ce8074907363de0045a16ce0dc23ff29792863a9506c7a338367b88ab0ae384a9edd462

C:\BridgeRefruntime\RCXD778.tmp

MD5 3292f0d230b018b1d0b23c437fe47df3
SHA1 71c7ee2590ad061dfc42a9b09b8c42a282cb18d0
SHA256 829cc6bd3ae5f5c204c5f9f6669a1121c6265265f1623b5e1a485f003ff55f48
SHA512 2ae7956948fa70c7d0ca547aeb1098a1ca70a9db6f667b30a02c32fab5e4a4ef3abcf00294bbe7b1fea3fce930645d696e8848e4487f066450badf207b801938

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

MD5 537929c7015a0ae8708677e543b8538e
SHA1 28a8e7de9d0590cf055f1dc41b5fefe594aa6d4e
SHA256 331e551608afbc46b2dfbea9c58a8afcaf5f7a00c22edf3ed96850b3701530dd
SHA512 11407afe03b20391b946cc54c8a0ec71a9d5b35ffb5d9e0804bff7fd10c2e9575d4860b5ff13d430885df69c33e0644e73bfe0cf7000f430aa1b79783b3831fe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f8b7521f51607c4210cdadcbcf536caa
SHA1 22e58296422b436fcf1e396f43b3116f999d35f3
SHA256 e29fca3dddcf6b9dec019a641027a0246bce4cd53b87c370db15b83804c73cd6
SHA512 8920d95aea75b2e6ac2bdb6bd893f110967238e8e02bd79839c715b62012a2e26c44f4a3c596752639595a5818ae264969925d9336635f565c959d6b0192b926

C:\Users\Admin\AppData\Local\Temp\s8is5PFJRC.bat

MD5 db1b0cf298f404b94211a8058cea683c
SHA1 72202e9c01048f02937fb5a96cb74706e8f8783f
SHA256 c82870d88b91ffeb6ea10264f2d7c97f8a71bd40b936ec7778d5733e8bb64d7d
SHA512 9ec97646af2d4b5e65767daa82ebb9f338e552e26c31a067270a438c6155b3fae1ab4005dae2ba9188ce4c19a4fba9b084dd29a6f37e0bc6698edf6d999b4138

C:\Users\Admin\AppData\Local\Temp\7b0be2a9-b3d5-452e-a82f-94d93c8b2d92.vbs

MD5 51f89eb5f695bf0c6b1b2842dd53a8f1
SHA1 11a0eb7befe464c0a652775638d1aede291a8bae
SHA256 6304380c0636897b99f214caef6db6512da0bc3681343aad683246dc35a8b807
SHA512 f4cea8df0596cec1f7f2556f84ba80975c4f83c24e6ec50e7b91193588d57db7c66e8a3805682f8b37ab877b19f19efb0788664087d9f0754e2c7ba250259f2b

C:\Users\Admin\AppData\Local\Temp\d8917c31-01c6-48c0-aa0f-d3319b5faec3.vbs

MD5 98cefe3de80ee7c63656d17b11f18cea
SHA1 dc8888d492199100120c1f7e4e1410a36ef5fa31
SHA256 0075927d71d76f67a319caf6541a5e47277aeea69bafdc53f84cd9ea1f0a286f
SHA512 ce8a17d18538d24e5f11a3ab6a4c1ef3b61af39bcbed8609ae847b73697029a2394a03a5470bc6242c48e7e130f58a2906f5b2ed06f6ec372544716b06df1ddc

C:\Users\Admin\AppData\Local\Temp\Cab2D88.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2DAA.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\d3b39786-6efc-4a2c-b207-e371aa310b9a.vbs

MD5 c6baf936c9bf4e7786c86e7fc3c5f7b6
SHA1 cefcd4f9e0e998e774bdf7bddc6cbecdfab023cd
SHA256 357e0a4f3194544f092f887fe7ad04a6aebd6ab8c1c521bffcab9a5ec2e2e375
SHA512 cbceeae8bb8c31d50ffabc4192fa9b1ffc6c91226f18ae08f5346657867ed88565b81b8459883d73bcf6c796acc967a6f7ec7e793a0c8c5e2b3f5429f05eb8d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84f78ba757c576bd1c0f0d0a189b75a5
SHA1 00d2e618bf8c5d2b4088c149f0b738f003d08f6a
SHA256 0d9d35c20fe277c62a0f4f9601d67e08d7a956da92b6949d6cb766f0ede60a56
SHA512 7c8d251a0dca0af9ab6bc456c8ce3d4ed23bb1f0c867498ba47f7ddeb39cc95a8f1bbf43f6b1fd4ec1d562ed484f03de5269fc7f4133a6faca0891b1c39afc03

C:\Users\Admin\AppData\Local\Temp\46d2b35f-071c-48ca-a82e-3f17a575286a.vbs

MD5 e28fb94c8e827d842f3e33e3529d7c41
SHA1 0cb4a6d21d6660f0df7b1f338592f2a88bf9bd97
SHA256 f544f44bab073e9237555ead77a05a8fdd9f22fecdd8044e4a81ddc320431e8e
SHA512 79d9689155cf1f17a4c593f86c595631e81644a02cc67d6fe5b0ced4e1dec26890eb3f9b1b4cdda6a51ce449959319ecd325ef638225c5f0491413fc56d6b658

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 706eebe259bf4c637d190645b97a0a51
SHA1 51a470bc469ba0c4c826422b85e4f4794cd08b0e
SHA256 7d2d4167a3edbc2707d2bc4db2d8233b695147aa623800c2bf0ba8b165382137
SHA512 b872cd3a40ba00431faf5f11d224ec1d4683ad48742378fc206e2d371284067a57c6144e6b6c4560908aae8ef4d4c580a0e0f9aa46e2370389cb05473c8e5c59

C:\Users\Admin\AppData\Local\Temp\70d38982-c7ab-4128-b2f9-353682613eed.vbs

MD5 ad9d6ee05fa2043620cbaa0c6caf5e1a
SHA1 7488faa756ad194bd23415080a7eaaae54388c33
SHA256 33f6c7d3dafd6c1e4c96df86949dd3d1f5254eab34025aa1777f162c4d17a2af
SHA512 0f2ee1a19298d6c2c589a64d32e6f4a3247f3adc737dfe7fcfe8f470a1d3a4264efe06a890d36c16fb6f009a80afab2f92b05ec7c3c0bde0e4cf91b9f02b92d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc7d19123ae909771a823d4ab765b492
SHA1 1704378cda52a7646861dcf531d28f699cbb7d3b
SHA256 78c9d14a90dd3ce06c4490e0e29e2ab517e5a952819338b8ddd55243387ccb27
SHA512 5d3bc4e82cd21753f1c26c7d9b70c83e7046d95c0249af932fe464d4b1bd624101af850dad5508106087f08f4d51e8140580332f06a2c5d7376848b433dee00d

C:\Users\Admin\AppData\Local\Temp\7759d204-12d7-44ff-84f6-68cfcc5b54b0.vbs

MD5 d18f53d361f132985c28009be5f28aba
SHA1 3f9960d5dedd5e3a66cd763c8758a1ea45deb80e
SHA256 55446ea99467cd190d403439844d086cc70a4856677eec6e6cf409641ed49bcd
SHA512 5f2de33f168be4e6687c35bd763bcc8cc1116a1ef7ace2401abf136c5f75a042d42ebee38d92ad58953907a5f3a03ad280509010fd8737fc1699fce3a277232e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35ab9b4e1b4c448470ed36f192360a17
SHA1 209e8c8734a2186484c74b20bdc621633ce76cb4
SHA256 bc9854eeaa1a605bfaf17c6bb88fcf58a9e2526dcb6e85f2cf8567d1dfe89522
SHA512 095ee0fa681658adb3c6fc0b0b3ed656be765071cb8029ce78035f7bca693034693c4917b24b0f550ba015280db07644c4a0063bb6850dac4c0d08e55ace7879

C:\Users\Admin\AppData\Local\Temp\fafdc288-2358-4f04-9909-2c8ea26480b4.vbs

MD5 eec7608fc19598658397f3f3ff04ee9a
SHA1 454b67460280aa3ace02bfb9ba1f07024a5f655a
SHA256 1dd5de8d9953cf9cdcd158a7aa5e1deed8c7a30e4f0ee04a85ec8411d0529532
SHA512 18cf532ca9ea3b261bd1a06251021958ca2504c24c748536695256672b7fcc52654968a4370adc83dca67a085a4f230f5a3b550e99f389c96c395a8531dfb8d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d2646b48b5c4bf86fb1c8fe5b5d2eaf
SHA1 ba529fa21f4341da99ff103b3b0eed5ab8a1d564
SHA256 d1edca207e95d571e753d7bddfb2b28173b92af89c6e29f3fee576deff97a556
SHA512 f0f4289e42cd5cc9d49b5a18d273abf832ce2e3cb291a6db8d2f3157583b7850482c74bfce042b4476e9675edb1ae594046ffc8ec29262eb45474d146a38d248

C:\Users\Admin\AppData\Local\Temp\79965a9f-ef55-49e8-90da-838e7418613b.vbs

MD5 e01f19e7663cd1a3b08886cee654237a
SHA1 df225f09afcf46aac3aa282ae42db3c2773aaff0
SHA256 4bf1b903754aa9cb25d70a3213ad1036c18de305c6727b06d4f2857148d5d775
SHA512 8ebe32f2b08821355ab293e214a0f4314b4bbd228e237aadf63d7032bbb45c68d54b20d1a7545e740f0e89f436c431713f36b09b41f56e8f631e2e9cc3401613

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 360732357b1352f912809a2316f18c0b
SHA1 82934f5fb537f275376fc173e82407ace0d4b8b2
SHA256 e516d94187d86c8f79d7b1b167995abbb70e9a688d67d60e8857e3018544c736
SHA512 31179f4738a07789bb7062078fdb434224dbcdf7ca4d8bc95c4af4f63549fc5956bbd3757d30c61ff29951b19ca2e476fc229f414302dadced242b76ed993626

C:\Users\Admin\AppData\Local\Temp\2dac63a8-caab-45a1-9399-8faa990ab072.vbs

MD5 39633776a884f132029ec63caae1f243
SHA1 2e8659e6359f71ad972202819c41ac19e4e7703c
SHA256 6936ca2a7cffdaacab455dfb2d261552d3d6b6ac12bf2c5a26f3c1b6260eac5c
SHA512 de863d366157bb439dce64e9ab62fc43467eed2c0dd270f24d786d7124ea7247779d313804b6f99db42238ca74ef466a06a552309aa7f74973ecaca0c074361b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9088e46d02b08757f70545d03c10823c
SHA1 65d0d0983085ed7a64b27c8d6c6240335aa0335a
SHA256 b92925b1440ed94be74fe74b401e381c47b6d7997a3cc8262937c95442b02c2f
SHA512 2fb0ba8cc01a1e3e1598d2e2fa3edc7c0353c48acf71b72cb5ca261b0973ea5cc513855819abbe6d15e5b63c02f59fc07d6412cd4959e029d3a958076961d9b7

C:\Users\Admin\AppData\Local\Temp\56eeea80-6255-46b4-90b6-d4829162300c.vbs

MD5 7631efd618ea1b8f424015c0605455be
SHA1 2ebed22c9c640435e6b1d7e2948fcfc523938c49
SHA256 c414dfb04a427609cf21f3ab9cd05343c48ecffcf214adae48da09b82eb89be1
SHA512 491a1c2d90e27155908861c59a8d7dc1beffd0c671db17e7e61d0884b53bd6575b78c58a7f2e9ed33c9f59a4637a740a51535b1fb1723b48b012b00c0bbb471b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 02:27

Reported

2024-10-31 02:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\fontdrvhost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
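
What the "UAC bypass", "Checks whether UAC is enabled" and "System policy modification" rows above record is not a bypass of an elevation prompt but UAC being switched off from inside an already-administrative token: all three values live under HKLM\...\Policies\System, which a standard-integrity process cannot write. EnableLUA = 0 disables UAC entirely, but only at the next reboot; ConsentPromptBehaviorAdmin = 0 makes administrators elevate silently with immediate effect; PromptOnSecureDesktop = 0 moves any prompt that remains onto the normal desktop, where it can be automated. The query rows are the sample reading the value before zeroing it. The script below is an added example, not sandbox output and not DCRat code: it parses rows of this report's shape, collapses the repeated lines into one finding per process and turns the writes into the effects an incident responder cares about. The rows in UAC_ROWS are transcribed from this report plus one constructed benign write; the stock-default values are those of a current Windows install.

```python
"""Turn the UAC policy registry rows of a sandbox report into one finding per
process.  Added example, not sandbox output; the rows below are transcribed
from this report plus one constructed benign row."""
import re
from collections import defaultdict

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Stock Windows values.  Any write below these weakens UAC; all three live under
# HKLM, so the writer must already hold an administrative token.
UAC_SECURE_DEFAULTS = {
    "EnableLUA": 1,                   # 0 = UAC off entirely, effective at next reboot
    "ConsentPromptBehaviorAdmin": 5,  # 0 = administrators elevate with no prompt at all
    "PromptOnSecureDesktop": 1,       # 0 = any prompt is drawn on the normal desktop
}

# One signature row: <op> <registry path>[ = "<int>"] <process> <target>
ROW = re.compile(
    r'^(?P<op>Set value \(int\)|Key value queried) '
    r'(?P<path>\\REGISTRY\\[^= ]+)'
    r'(?: = "(?P<value>-?\d+)")? '
    r'(?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$'
)


def parse_row(line):
    """Columns of one registry row, or None for rows of another shape
    (file events, 'N/A N/A N/A N/A', registry paths containing spaces)."""
    m = ROW.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["value"] = None if ev["value"] is None else int(ev["value"])
    ev["key"], _, ev["name"] = ev["path"].rpartition("\\")
    return ev


def assess_uac_events(rows):
    """Return (downgrades, verdicts).  downgrades[process] = {value name: lowest
    value written}; verdicts is the set of effects those writes have."""
    downgrades = defaultdict(dict)
    queried = defaultdict(set)
    for line in rows:
        ev = parse_row(line)
        if ev is None or ev["key"] != UAC_KEY or ev["name"] not in UAC_SECURE_DEFAULTS:
            continue
        if ev["op"] == "Key value queried":
            queried[ev["process"]].add(ev["name"])
        elif ev["value"] is not None and ev["value"] < UAC_SECURE_DEFAULTS[ev["name"]]:
            cur = downgrades[ev["process"]]
            cur[ev["name"]] = min(cur.get(ev["name"], ev["value"]), ev["value"])

    verdicts = set()
    for proc, vals in downgrades.items():
        if vals.get("EnableLUA") == 0:
            verdicts.add("uac_disabled_after_reboot")
        if vals.get("ConsentPromptBehaviorAdmin") == 0:
            verdicts.add("silent_elevation")
        if vals.get("PromptOnSecureDesktop") == 0:
            verdicts.add("secure_desktop_off")
        if vals.keys() & queried.get(proc, set()):
            verdicts.add("read_then_disable")   # checked the value, then zeroed it
    return dict(downgrades), verdicts


# Transcribed from this report (a few of the repeats kept on purpose), plus one
# constructed benign row and one unrelated row that must be ignored, not mis-parsed.
UAC_ROWS = [
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\BridgeRefruntime\ProviderreviewDriver.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\BridgeRefruntime\ProviderreviewDriver.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" C:\Windows\System32\svchost.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A',
]

if __name__ == "__main__":
    found, why = assess_uac_events(UAC_ROWS)
    for proc, vals in found.items():
        print(proc, vals)
    print(sorted(why))
```

On a suspect host the same three values can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA` (and likewise for the other two names); a 0 in any of them on a machine that was not deliberately configured that way is a finding in itself, and the reboot dependency of EnableLUA means a host can show UAC still active while the policy has already been zeroed.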

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\RCX9644.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\RCX9ADC.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\RCX9ADB.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\RCX9633.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCX9849.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\5b884080fd4f94 C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\22eafd247d37c3 C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\conhost.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCX98C7.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\services.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File created C:\Program Files (x86)\Common Files\System\conhost.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File created C:\Program Files (x86)\Common Files\System\088424020bedd6 C:\BridgeRefruntime\ProviderreviewDriver.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\RCX9CF0.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\RCX9D01.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File created C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
File created C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\7a0fd90576e088 C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
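
The file rows above show one pattern repeated in every target directory: a copy is staged as RCX####.tmp, renamed to a name borrowed from a real Windows binary (fontdrvhost.exe, conhost.exe, services.exe, explorer.exe, TextInputHost.exe) in a directory where that binary never lives, and an extension-less file with a 14-character hex name is dropped beside it. The name alone is not the signal; the combination of a well-known binary name and a wrong parent directory is. The script below is an added example, not part of the report and not the sandbox's own logic: it parses file rows of this report's shape and groups the three artefact kinds by directory, reporting a directory only when it received a masquerading executable. CANONICAL_DIRS is an assumed, minimal map covering only the names in this report (the two TextInputHost.exe locations are the SystemApps package directories used by different Windows 10/11 builds); a real deployment derives it from a known-good image. FILE_ROWS is transcribed from the report plus one constructed benign row.

```python
"""Flag dropped files that borrow Windows binary names outside their real
directories, together with the staging temporaries and extension-less
companion files written beside them.  Added example; the rows are transcribed
from this report plus one constructed benign row."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories where these names legitimately live (lower case).  Assumed,
# minimal map for the names in this report; build the real one from a
# known-good image of the OS build you defend.
CANONICAL_DIRS = {
    "fontdrvhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "conhost.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "textinputhost.exe": {r"c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy",
                          r"c:\windows\systemapps\inputapp_cw5n1h2txyewy"},
}
HEX_COMPANION = re.compile(r"^[0-9a-f]{14}$")       # e.g. 5b884080fd4f94, no extension
STAGING_TMP = re.compile(r"^rcx[0-9a-f]{4}\.tmp$")  # e.g. RCX9ADC.tmp, later renamed

# One signature row: <op> <dropped path, may contain spaces> <process> <target>
ROW = re.compile(
    r"^(?P<op>File created|File opened for modification) "
    r"(?P<path>[A-Za-z]:\\.+?) (?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$"
)


def parse_file_row(line):
    m = ROW.match(line.strip())
    return None if m is None else m.groupdict()


def classify(path):
    """'masquerade', 'companion', 'staging_tmp' or None for one dropped path."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in CANONICAL_DIRS and parent not in CANONICAL_DIRS[name]:
        return "masquerade"
    if HEX_COMPANION.match(name):
        return "companion"
    if STAGING_TMP.match(name):
        return "staging_tmp"
    return None


def find_dropped_masquerades(rows):
    """Group suspicious names by directory.  A directory is reported only when
    it received a masquerading executable, so temp files alone never fire."""
    by_dir = defaultdict(lambda: defaultdict(set))
    for line in rows:
        ev = parse_file_row(line)
        if ev is None:
            continue
        kind = classify(ev["path"])
        if kind:
            p = PureWindowsPath(ev["path"])
            by_dir[str(p.parent)][kind].add(p.name)
    return {d: {k: sorted(v) for k, v in kinds.items()}
            for d, kinds in by_dir.items() if "masquerade" in kinds}


# Transcribed from this report, plus one constructed benign row at the end.
FILE_ROWS = [
    r"File created C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\RCX9ADC.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\RCX9ADB.tmp C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File created C:\Program Files (x86)\Windows Defender\it-IT\22eafd247d37c3 C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\5b884080fd4f94 C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File created C:\Program Files (x86)\Common Files\System\conhost.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File created C:\Program Files (x86)\Common Files\System\088424020bedd6 C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\services.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File created C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File created C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\7a0fd90576e088 C:\BridgeRefruntime\ProviderreviewDriver.exe N/A",
    r"File opened for modification C:\Windows\System32\conhost.exe C:\Windows\System32\svchost.exe N/A",
]

if __name__ == "__main__":
    for directory, kinds in find_dropped_masquerades(FILE_ROWS).items():
        print(directory, kinds)
```

The same classify() check applies to the launch paths elsewhere in this report: C:\Recovery\WindowsRE\fontdrvhost.exe, the process that performs the UAC policy writes, is a masquerade by the same rule. On a live host the equivalent hunt is a filesystem sweep for those names outside their canonical directories, followed by an Authenticode check on every hit; the report's "Unsigned PE" signature says the copies dropped here would fail that check.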

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\fontdrvhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 736 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe C:\Windows\SysWOW64\WScript.exe
PID 736 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe C:\Windows\SysWOW64\WScript.exe
PID 736 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe C:\Windows\SysWOW64\WScript.exe
PID 4284 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\BridgeRefruntime\ProviderreviewDriver.exe
PID 4844 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\BridgeRefruntime\ProviderreviewDriver.exe
PID 3100 wrote to memory of 2160 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2160 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 1608 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 1608 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2288 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2288 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2916 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2916 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4840 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4840 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4328 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4328 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4972 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4972 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 1500 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 1500 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4012 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4012 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 944 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 944 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 1468 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 1468 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 5192 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 3100 wrote to memory of 5192 N/A C:\BridgeRefruntime\ProviderreviewDriver.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 5192 wrote to memory of 5556 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5192 wrote to memory of 5556 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5192 wrote to memory of 5600 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5192 wrote to memory of 5600 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5556 wrote to memory of 5760 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 5556 wrote to memory of 5760 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 5760 wrote to memory of 5944 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5760 wrote to memory of 5944 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5760 wrote to memory of 5988 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5760 wrote to memory of 5988 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5944 wrote to memory of 1920 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 5944 wrote to memory of 1920 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 1920 wrote to memory of 5396 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 1920 wrote to memory of 5396 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 1920 wrote to memory of 2344 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 1920 wrote to memory of 2344 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5396 wrote to memory of 4368 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 5396 wrote to memory of 4368 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 4368 wrote to memory of 2788 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4368 wrote to memory of 2788 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4368 wrote to memory of 5148 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4368 wrote to memory of 5148 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 2788 wrote to memory of 2912 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 2788 wrote to memory of 2912 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 2912 wrote to memory of 4636 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 2912 wrote to memory of 4636 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 2912 wrote to memory of 1732 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 2912 wrote to memory of 1732 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4636 wrote to memory of 5496 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 4636 wrote to memory of 5496 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 5496 wrote to memory of 5720 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 5496 wrote to memory of 5720 N/A C:\Recovery\WindowsRE\fontdrvhost.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\BridgeRefruntime\ProviderreviewDriver.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A
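The three values written above are the UAC policy switches under HKLM, so every one of these writes required administrative rights; the dropped fontdrvhost.exe and ProviderreviewDriver.exe were already elevated when they ran. EnableLUA=0 turns UAC off for all accounts but only takes effect at the next reboot, ConsentPromptBehaviorAdmin=0 makes administrators elevate silently with immediate effect (even while EnableLUA is still 1), and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop. The parser below folds rows in the report's own "Set value" format into the final UAC state and attributes each write to a process. It is an added example, not part of the sandbox report; the first three sample rows are copied from the table above and the fourth, unrelated row is constructed to show that writes outside the policy key are ignored.

```python
import re
from typing import Dict, Iterable, List, Tuple

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# One "Set value" row as the report prints it: type, key\value, data, writing
# process, target. The process field may contain spaces; the target never does.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+)\\(?P<value>\w+) = "(?P<data>[^"]*)" '
    r'(?P<process>.+?) (?P<target>\S+)$'
)

# Three rows copied from the report's table plus one constructed, unrelated row.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\BridgeRefruntime\ProviderreviewDriver.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\explorer.exe N/A',
]


def parse_policy_events(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (value_name, int_data, writing_process) for each integer write under UAC_KEY."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m.group("type") != "int":
            continue
        if m.group("key").lower() != UAC_KEY.lower():
            continue  # some other key; not a UAC policy change
        events.append((m.group("value"), int(m.group("data")), m.group("process")))
    return events


def assess_uac_state(values: Dict[str, int]) -> List[Tuple[str, str]]:
    """Explain what the observed values do. Missing values are treated as the
    stock defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1)."""
    findings = []
    if values.get("EnableLUA", 1) == 0:
        findings.append(("EnableLUA",
                         "UAC is switched off for every account at the next reboot; "
                         "the running session is not yet affected"))
    if values.get("ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append(("ConsentPromptBehaviorAdmin",
                         "administrators elevate without any prompt, effective immediately, "
                         "even while EnableLUA is still 1"))
    if values.get("PromptOnSecureDesktop", 1) == 0:
        findings.append(("PromptOnSecureDesktop",
                         "any prompt that still appears is drawn on the normal desktop, "
                         "where other processes can read and click it"))
    return findings


def triage_policy_events(lines: Iterable[str]) -> Dict[str, object]:
    """Fold a sequence of registry writes into the final UAC state and the processes behind it."""
    final: Dict[str, int] = {}
    writers: Dict[str, set] = {}
    for name, data, proc in parse_policy_events(lines):
        final[name] = data  # last write wins, as in the registry itself
        writers.setdefault(name, set()).add(proc)
    return {"values": final, "writers": writers, "findings": assess_uac_state(final)}


if __name__ == "__main__":
    result = triage_policy_events(SAMPLE_EVENTS)
    for name, text in result["findings"]:
        print(f"{name}={result['values'][name]} written by {sorted(result['writers'][name])}: {text}")
```

On a live host the same three values can be read with Get-ItemProperty on HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and fed to assess_uac_state; a machine that has already rebooted with EnableLUA=0 will show "UAC off" in the Security Center as well, but the ConsentPromptBehaviorAdmin=0 case does not, which is why it is worth checking the values rather than the UI.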

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe

"C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BridgeRefruntime\RO6jJbtsE.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat" "

C:\BridgeRefruntime\ProviderreviewDriver.exe

"C:\BridgeRefruntime\ProviderreviewDriver.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ProviderreviewDriverP" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Videos\ProviderreviewDriver.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ProviderreviewDriver" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\ProviderreviewDriver.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ProviderreviewDriverP" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\My Videos\ProviderreviewDriver.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\ProviderreviewDriver.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WaaSMedicAgent.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Videos\ProviderreviewDriver.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe'

C:\Recovery\WindowsRE\fontdrvhost.exe

"C:\Recovery\WindowsRE\fontdrvhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e10f02ef-4be8-4bfc-a80d-af601b180d3d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\987b6889-e43b-41e2-8350-665e8a10f65f.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f13aa553-337d-4e25-96e4-c01ebe05171f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca041e0e-2d6a-4402-ae0b-41381dd10c8e.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de31eab7-886e-44aa-9c8a-e7a0e343b7a0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24bf69a0-b123-4567-8e4b-54c635bb41c4.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9196f47-6d47-4a04-ae07-27c1c69da3f5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6608d572-5055-4767-aa9c-7dfab5c4ab08.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cc36c1c-2d10-433e-832e-aecce4322396.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47c7650d-17e3-499e-b7af-b0b65802a8b3.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b831e14-6ab0-4b5a-9a65-e6580bd313a7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7932aea5-142c-41f8-b4df-95fb435c6577.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55bdcac5-81b1-4401-b5db-7aee53231dd0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f105fb0c-f27f-434e-a2e3-c005e95c895f.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a46976c8-27f8-46e2-9952-9154f8793c40.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a7d4024-16ff-4fd1-97f8-df96207b16e5.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cba271f5-15dc-4c9e-9968-526eec5a214e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb77ee23-00d1-4fac-aecd-f544a1dadf8b.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32911c0c-a225-45a0-af75-c319e54a9ddc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71777e4a-fa48-4952-bad4-07c82dc1b3c5.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51f58b5c-20fa-477b-b254-87df1cf128c8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aabd2a57-5f2e-46a2-8c6d-831591a48b4e.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37f32bd9-f629-455e-9832-334cd7b66f7d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d09fb4f1-3aa8-4053-b8d4-a47dabfc9efe.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d62eece2-9499-4b6b-8242-8266cd4d0bc2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4e86e4d-ff5a-470f-8f71-0261dbb89bba.vbs"

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157488bd-23cf-455d-b5fb-3792dfc681ca.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b57206b1-e16c-4d4f-b4b1-52ff628939cf.vbs"
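The schtasks and Add-MpPreference command lines above form one repeating persistence pattern: for every dropped payload, a logon task at /rl HIGHEST, a second task that re-launches it every few minutes, and a Defender path exclusion, all under the name of a Windows binary (csrss.exe, spoolsv.exe, fontdrvhost.exe, conhost.exe, explorer.exe, TextInputHost.exe, WaaSMedicAgent.exe) copied to a directory where the real one never lives. The detection logic below runs over process-creation command lines and reports a task when its target masquerades as a system binary, when the same path is also excluded from Defender, or when highest privilege is combined with a minute-interval trigger. It is an added example and not the sandbox's own tooling; the sample lines are copied from the process list above except for the last one, a constructed benign task, and the map of legitimate directories is my assumption about a stock 64-bit Windows 10/11 layout.

```python
import ntpath
import re
from typing import Any, Dict, Iterable, List, Optional

# Where the real binaries of the borrowed names live (assumed stock 64-bit
# Windows 10/11 layout; compared case-insensitively). TextInputHost.exe sits in
# a versioned package folder, so it is matched by directory prefix.
EXACT_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "waasmedicagent.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
PREFIX_DIRS = {"textinputhost.exe": r"c:\windows\systemapps"}

TASK_NAME_RE = re.compile(r'/tn\s+"(?P<name>[^"]+)"', re.I)
# Accepts /tr "'path'" (the form in this report), /tr "path" and /tr path.
TRIGGER_RE = re.compile(r"""/tr\s+(?:"'(?P<p1>[^']+)'"|"(?P<p2>[^"]+)"|(?P<p3>\S+))""", re.I)
RUN_LEVEL_RE = re.compile(r"/rl\s+(\w+)", re.I)
SCHEDULE_RE = re.compile(r"/sc\s+(\w+)", re.I)
MODIFIER_RE = re.compile(r"/mo\s+(\d+)", re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.I)

# Command lines copied from the process list; the last one is a constructed
# benign task to show that ordinary scheduled tasks stay quiet.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe'" /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Contoso\backup.exe" /f
'''.strip().splitlines()


def parse_task(cmdline: str) -> Optional[Dict[str, Any]]:
    """Pull name, target path, schedule and run level out of a `schtasks /create` line."""
    if "/create" not in cmdline.lower():
        return None
    name = TASK_NAME_RE.search(cmdline)
    trig = TRIGGER_RE.search(cmdline)
    if not (name and trig):
        return None
    sched = SCHEDULE_RE.search(cmdline)
    mod = MODIFIER_RE.search(cmdline)
    rl = RUN_LEVEL_RE.search(cmdline)
    return {
        "name": name.group("name"),
        "path": trig.group("p1") or trig.group("p2") or trig.group("p3"),
        "schedule": sched.group(1).upper() if sched else None,
        "modifier": int(mod.group(1)) if mod else None,
        "run_level": rl.group(1).upper() if rl else "LIMITED",  # schtasks default
    }


def is_masquerade(path: str) -> bool:
    """True when the file name belongs to a Windows binary but the directory does not."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in EXACT_DIRS:
        return directory not in EXACT_DIRS[name]
    if name in PREFIX_DIRS:
        prefix = PREFIX_DIRS[name]
        return not (directory == prefix or directory.startswith(prefix + "\\"))
    return False


def hunt(cmdlines: Iterable[str]) -> List[Dict[str, Any]]:
    """Score schtasks /create lines and correlate them with Defender path exclusions."""
    tasks, excluded = [], set()
    for line in cmdlines:
        m = EXCLUSION_RE.search(line)
        if m:
            excluded.add(m.group("path").lower())
            continue
        task = parse_task(line)
        if task:
            tasks.append(task)

    findings = []
    for t in tasks:
        masq = is_masquerade(t["path"])
        excl = t["path"].lower() in excluded
        high = t["run_level"] == "HIGHEST"
        interval = t["modifier"] if t["modifier"] is not None else 1  # schtasks default /mo
        rapid = t["schedule"] == "MINUTE" and interval <= 15
        reasons = [text for hit, text in (
            (masq, "Windows binary name outside its real directory"),
            (excl, "same path added as a Defender exclusion"),
            (high, "runs at highest privilege"),
            (rapid, f"re-launched every {interval} minute(s)"),
        ) if hit]
        # Masquerade or exclusion is enough on its own; the other two only together.
        if masq or excl or (high and rapid):
            findings.append({**t, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_CMDLINES):
        print(f"{f['name']!r} -> {f['path']}: {'; '.join(f['reasons'])}")
```

The same functions apply to Sysmon event ID 1 or Security 4688 command lines exported from a fleet, and to the output of schtasks /query /v /fo CSV on a suspect host; the /tr form with single quotes inside double quotes is itself a useful string for a first pass, since it is how this family writes its tasks and is rare in administrator-authored ones.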

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 cz15171.tw1.ru udp
RU 185.114.245.123:80 cz15171.tw1.ru tcp
US 8.8.8.8:53 vh438.timeweb.ru udp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
US 8.8.8.8:53 123.245.114.185.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
US 8.8.8.8:53 vh438.timeweb.ru udp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp
RU 185.114.245.123:80 vh438.timeweb.ru tcp
RU 185.114.245.123:443 vh438.timeweb.ru tcp

Files

C:\BridgeRefruntime\RO6jJbtsE.vbe

MD5 1217656e699a8ae1e62ad9b7059e215a
SHA1 3e9710cc62fcaf451a305be0fe047dfadd631e45
SHA256 710eab849bf0c066cb136771f1d4dc72bc2b13598c209508db16a3770d54286f
SHA512 ae775b9f675455bbb78a879f38e72e500607a6a22168591a599a04337229316fdbdd0b496d69e97c423a4e917d9174e039e0e4f80b8bc94a7d5b3f99887d3f31

C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat

MD5 b634ab06c0798f4284c2fcf23c1fc85a
SHA1 a312a6a8dbd3fdd70e9919ffaa1b777213cf2e93
SHA256 20d420d40ee7aadb457e5a8dba9d099fb66d4810675a985a26ebf36141d8e250
SHA512 ae801ea89737efecc5be1c580bad10c75ee9f31f2685473bbb5512b024c355c62a7d122db5042dbfb96add27041fd2601472c57b075424d12261302804b5733c

C:\BridgeRefruntime\ProviderreviewDriver.exe

MD5 15462778cb5d131fdbde43b845ca3385
SHA1 e11137a2d3643fa0569e57257f7b673b29f0ee86
SHA256 7082a4ae4749fc09c3b618986952c23aa6db2ee906da896b9a517685e56b8572
SHA512 1f58961f5367153539c8039e8cfafd1f74bcf09550912326d1274ec5b91ff578c0126c4f36c1916384364c74ed2a4b97013a4e6ff6b25567822eac8dabfcde6b

memory/3100-12-0x00007FFB40923000-0x00007FFB40925000-memory.dmp

memory/3100-13-0x0000000000ED0000-0x00000000011C2000-memory.dmp

memory/3100-14-0x0000000003350000-0x000000000335E000-memory.dmp

memory/3100-15-0x00000000033C0000-0x00000000033C8000-memory.dmp

memory/3100-16-0x000000001C420000-0x000000001C43C000-memory.dmp

memory/3100-18-0x00000000033D0000-0x00000000033E0000-memory.dmp

memory/3100-17-0x000000001C490000-0x000000001C4E0000-memory.dmp

memory/3100-19-0x000000001C440000-0x000000001C456000-memory.dmp

memory/3100-20-0x000000001BDC0000-0x000000001BDC8000-memory.dmp

memory/3100-21-0x000000001C460000-0x000000001C470000-memory.dmp

memory/3100-22-0x000000001C470000-0x000000001C47A000-memory.dmp

memory/3100-23-0x000000001C4E0000-0x000000001C536000-memory.dmp

memory/3100-24-0x000000001C480000-0x000000001C48C000-memory.dmp

memory/3100-25-0x000000001C530000-0x000000001C53C000-memory.dmp

memory/3100-26-0x000000001C540000-0x000000001C548000-memory.dmp

memory/3100-27-0x000000001C550000-0x000000001C55C000-memory.dmp

memory/3100-28-0x000000001C560000-0x000000001C568000-memory.dmp

memory/3100-29-0x000000001C570000-0x000000001C57C000-memory.dmp

memory/3100-30-0x000000001C580000-0x000000001C58C000-memory.dmp

memory/3100-31-0x000000001C7F0000-0x000000001C7F8000-memory.dmp

memory/3100-33-0x000000001C7A0000-0x000000001C7AE000-memory.dmp

memory/3100-32-0x000000001C790000-0x000000001C79A000-memory.dmp

memory/3100-35-0x000000001C7C0000-0x000000001C7CC000-memory.dmp

memory/3100-34-0x000000001C7B0000-0x000000001C7B8000-memory.dmp

memory/3100-36-0x000000001C7D0000-0x000000001C7D8000-memory.dmp

memory/3100-37-0x000000001C7E0000-0x000000001C7EA000-memory.dmp

memory/3100-38-0x000000001C800000-0x000000001C80C000-memory.dmp

C:\Users\Default\WaaSMedicAgent.exe

MD5 f5bd1e479ef89a259891b9ac0c676c07
SHA1 c5e0e9d8fed70b794d1d3e465380608ebd7f74c1
SHA256 61d0d2c36a9f7c0f9d56ea5cb2b81c6d88a8f56137c4b72c72eb1b75fd4dcd6d
SHA512 7b7b45ec4813d4cf1714fc04dab96594fb269de7338ecaf888c697997a6b57d5948e9c98eee763e86ad2c13454cec8042a193beeae4d58028f180fcd63a24ed9

C:\Recovery\WindowsRE\RCX8F0A.tmp

MD5 ecb8a56fde8d50c2fe56a26c033b8a39
SHA1 dd3f7bc75f354915ca4f71b9f2d581b0d8dc9896
SHA256 47d4a340d406fb9c8de309a6457493ea3b4249f7bf3fc21618697466e08e5188
SHA512 5c8ce67ffc7ed3a5e66259a3ae3ed35d4666e75131b4955b002bc96ff92cea6bf939641f7680e44f0edb136bdf2fe788a616cc74e1cf930fb773060ecce72bb0

C:\Recovery\WindowsRE\RCX941E.tmp

MD5 02979aee54ff7db809115b084ce50394
SHA1 5edc73bca50e0b436a22d675431d52d991da074b
SHA256 18ab195cb6cff78d55d9eb5600810faad921c7a117c14f52ee727c4094395863
SHA512 de4417386a6b2351f6e7cd20979c1d016d68f3cfebb84b65a8384004cb541c6e2280eb1b4a0a4f552929fe556d87ce871fc606e4d81eb5d403527e2992ac6426

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe

MD5 d564140757d8e8d6d92cd602ef162f7a
SHA1 07be37c34e7f8c1a02e35c3e5baac70dd7d2a0d4
SHA256 f0a22af1e81cb1bed9dd096eee11fdedf88cbcc77e92a66537072753961b3d86
SHA512 65cddd42f2ac216f5294bc9f0fec84984c94abf8b8e34786a31ac549c1039624d0280be1bfab6d0fdbc167df2cdc69d3a5c554c7fdb0a2ebc1df854dc72e0b33

memory/4328-231-0x000001F1F6810000-0x000001F1F6832000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5njpgxnv.str.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Temp\e10f02ef-4be8-4bfc-a80d-af601b180d3d.vbs

MD5 6a1d44007f6e467348a74204f55eb961
SHA1 fafe5ecf27f8a95c25ba255c44b6091d30017258
SHA256 72ed0e85b3a48e8b69deee3f86afc5b0ea4d736bc7f70f98a24f98f220297aa2
SHA512 687e592aa2dc8f0fc41b246ea93b5ec540f5aa6a80593f96aba344f64b31891e5f42908384f7346d94ba7807813dc5f9f3546d2593f4f2451517edefb3cb984f

C:\Users\Admin\AppData\Local\Temp\987b6889-e43b-41e2-8350-665e8a10f65f.vbs

MD5 6868c8d5bdd695363937a5d7fdc33b82
SHA1 b1b1f7f0f2ab44bdd4ad8c44a77276909c16c5d9
SHA256 97e1347ba3b994ea0a12c29e4e793dc97faaf37be2cdead91befd114bec9dade