colibri | 3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Size

4.9MB
MD5

3da200a28718a69db8ab79214990ad7c
SHA1

b6ed723d194b8ac4b038a79ee1250881695de651
SHA256

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c
SHA512

536f668c2c1d006cc5053162d4d10ffd1d7af5728fc7c019c579ce002ebd5e10d3e7232cae85579bcb2078d30e2d0ae53ebf25115a69f42a718b011952c9d71e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3344	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3344	schtasks.exe

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/660-3-0x000000001B9D0000-0x000000001BAFE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4368	powershell.exe
1444	powershell.exe
3312	powershell.exe
1928	powershell.exe
2088	powershell.exe
2956	powershell.exe
3012	powershell.exe
3328	powershell.exe
4752	powershell.exe
4308	powershell.exe
3960	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

upfc.exe3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 48 IoCs

Processes:

tmpAF8C.tmp.exetmpAF8C.tmp.exeupfc.exetmpEA7F.tmp.exetmpEA7F.tmp.exetmpEA7F.tmp.exeupfc.exetmp6F0.tmp.exetmp6F0.tmp.exeupfc.exetmp3786.tmp.exetmp3786.tmp.exeupfc.exetmp682B.tmp.exetmp682B.tmp.exetmp682B.tmp.exeupfc.exetmp84DB.tmp.exetmp84DB.tmp.exetmp84DB.tmp.exeupfc.exetmpA0EE.tmp.exetmpA0EE.tmp.exetmpA0EE.tmp.exeupfc.exetmpD1E1.tmp.exetmpD1E1.tmp.exeupfc.exetmp5F2.tmp.exetmp5F2.tmp.exetmp5F2.tmp.exeupfc.exetmp213A.tmp.exetmp213A.tmp.exeupfc.exetmp3C82.tmp.exetmp3C82.tmp.exeupfc.exeupfc.exetmp87B4.tmp.exetmp87B4.tmp.exeupfc.exetmpB7AE.tmp.exetmpB7AE.tmp.exeupfc.exetmpE7B6.tmp.exetmpE7B6.tmp.exetmpE7B6.tmp.exe

pid	process
1788	tmpAF8C.tmp.exe
5088	tmpAF8C.tmp.exe
3748	upfc.exe
2948	tmpEA7F.tmp.exe
3012	tmpEA7F.tmp.exe
4876	tmpEA7F.tmp.exe
3640	upfc.exe
3756	tmp6F0.tmp.exe
4752	tmp6F0.tmp.exe
3312	upfc.exe
5048	tmp3786.tmp.exe
1404	tmp3786.tmp.exe
1648	upfc.exe
1528	tmp682B.tmp.exe
1020	tmp682B.tmp.exe
3816	tmp682B.tmp.exe
864	upfc.exe
2716	tmp84DB.tmp.exe
2612	tmp84DB.tmp.exe
4452	tmp84DB.tmp.exe
3028	upfc.exe
4332	tmpA0EE.tmp.exe
5100	tmpA0EE.tmp.exe
2892	tmpA0EE.tmp.exe
3816	upfc.exe
4500	tmpD1E1.tmp.exe
3264	tmpD1E1.tmp.exe
4644	upfc.exe
2672	tmp5F2.tmp.exe
3716	tmp5F2.tmp.exe
4120	tmp5F2.tmp.exe
528	upfc.exe
2656	tmp213A.tmp.exe
1264	tmp213A.tmp.exe
2256	upfc.exe
2972	tmp3C82.tmp.exe
4876	tmp3C82.tmp.exe
208	upfc.exe
688	upfc.exe
4156	tmp87B4.tmp.exe
4480	tmp87B4.tmp.exe
1236	upfc.exe
392	tmpB7AE.tmp.exe
4400	tmpB7AE.tmp.exe
3716	upfc.exe
4420	tmpE7B6.tmp.exe
3732	tmpE7B6.tmp.exe
3236	tmpE7B6.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exe3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

tmpAF8C.tmp.exetmpEA7F.tmp.exetmp6F0.tmp.exetmp3786.tmp.exetmp682B.tmp.exetmp84DB.tmp.exetmpA0EE.tmp.exetmpD1E1.tmp.exetmp5F2.tmp.exetmp213A.tmp.exetmp3C82.tmp.exetmp87B4.tmp.exetmpB7AE.tmp.exetmpE7B6.tmp.exe

description	pid	process	target process
PID 1788 set thread context of 5088	1788	tmpAF8C.tmp.exe	tmpAF8C.tmp.exe
PID 3012 set thread context of 4876	3012	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 3756 set thread context of 4752	3756	tmp6F0.tmp.exe	tmp6F0.tmp.exe
PID 5048 set thread context of 1404	5048	tmp3786.tmp.exe	tmp3786.tmp.exe
PID 1020 set thread context of 3816	1020	tmp682B.tmp.exe	tmp682B.tmp.exe
PID 2612 set thread context of 4452	2612	tmp84DB.tmp.exe	tmp84DB.tmp.exe
PID 5100 set thread context of 2892	5100	tmpA0EE.tmp.exe	tmpA0EE.tmp.exe
PID 4500 set thread context of 3264	4500	tmpD1E1.tmp.exe	tmpD1E1.tmp.exe
PID 3716 set thread context of 4120	3716	tmp5F2.tmp.exe	tmp5F2.tmp.exe
PID 2656 set thread context of 1264	2656	tmp213A.tmp.exe	tmp213A.tmp.exe
PID 2972 set thread context of 4876	2972	tmp3C82.tmp.exe	tmp3C82.tmp.exe
PID 4156 set thread context of 4480	4156	tmp87B4.tmp.exe	tmp87B4.tmp.exe
PID 392 set thread context of 4400	392	tmpB7AE.tmp.exe	tmpB7AE.tmp.exe
PID 3732 set thread context of 3236	3732	tmpE7B6.tmp.exe	tmpE7B6.tmp.exe

Drops file in Program Files directory 16 IoCs

Processes:

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\RCXB0C6.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\sysmon.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files (x86)\Microsoft\9e8d7a4ca61bd9	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXAC9C.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RuntimeBroker.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files (x86)\Microsoft\RuntimeBroker.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Crashpad\RuntimeBroker.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Crashpad\9e8d7a4ca61bd9	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files (x86)\Reference Assemblies\sysmon.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files (x86)\Reference Assemblies\121e5b5079f7c0	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXBF54.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ea1d8f6d871115	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Crashpad\RCXBB3B.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Crashpad\RuntimeBroker.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe

Drops file in Windows directory 8 IoCs

Processes:

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe

description	ioc	process
File opened for modification	C:\Windows\Prefetch\ReadyBoot\SearchApp.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\twain_32\RCXB926.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\twain_32\csrss.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\Prefetch\ReadyBoot\SearchApp.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\Prefetch\ReadyBoot\38384e6a620884	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\twain_32\csrss.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\twain_32\886983d96e3d3e	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXB4EE.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpAF8C.tmp.exetmpEA7F.tmp.exetmp6F0.tmp.exetmp682B.tmp.exetmpE7B6.tmp.exetmpEA7F.tmp.exetmp3786.tmp.exetmp682B.tmp.exetmp3C82.tmp.exetmpE7B6.tmp.exetmp84DB.tmp.exetmpA0EE.tmp.exetmpD1E1.tmp.exetmp5F2.tmp.exetmp213A.tmp.exetmpB7AE.tmp.exetmp84DB.tmp.exetmpA0EE.tmp.exetmp5F2.tmp.exetmp87B4.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAF8C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEA7F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6F0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp682B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE7B6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEA7F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3786.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp682B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3C82.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE7B6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84DB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA0EE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD1E1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5F2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp213A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB7AE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84DB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA0EE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5F2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87B4.tmp.exe

Modifies registry class 15 IoCs

Processes:

upfc.exeupfc.exe3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2360	schtasks.exe
3712	schtasks.exe
4452	schtasks.exe
724	schtasks.exe
4152	schtasks.exe
4840	schtasks.exe
4308	schtasks.exe
4852	schtasks.exe
4736	schtasks.exe
3376	schtasks.exe
4336	schtasks.exe
1516	schtasks.exe
4184	schtasks.exe
3740	schtasks.exe
1088	schtasks.exe
3884	schtasks.exe
2224	schtasks.exe
3568	schtasks.exe
4544	schtasks.exe
4936	schtasks.exe
3772	schtasks.exe
2844	schtasks.exe
1672	schtasks.exe
1440	schtasks.exe
4944	schtasks.exe
1264	schtasks.exe
4408	schtasks.exe
4164	schtasks.exe
2104	schtasks.exe
2008	schtasks.exe
4952	schtasks.exe
4284	schtasks.exe
4524	schtasks.exe
1008	schtasks.exe
4776	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

pid	process
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
2956	powershell.exe
2956	powershell.exe
4752	powershell.exe
4752	powershell.exe
4368	powershell.exe
4368	powershell.exe
4308	powershell.exe
4308	powershell.exe
3312	powershell.exe
3312	powershell.exe
3012	powershell.exe
3012	powershell.exe
3960	powershell.exe
3960	powershell.exe
1444	powershell.exe
1444	powershell.exe
2088	powershell.exe
2088	powershell.exe
3312	powershell.exe
3328	powershell.exe
3328	powershell.exe
3960	powershell.exe
1928	powershell.exe
1928	powershell.exe
2956	powershell.exe
2956	powershell.exe
4368	powershell.exe
4752	powershell.exe
3012	powershell.exe
1444	powershell.exe
4308	powershell.exe
2088	powershell.exe
3328	powershell.exe
1928	powershell.exe
3748	upfc.exe
3640	upfc.exe
3312	upfc.exe
1648	upfc.exe
864	upfc.exe
3028	upfc.exe
3816	upfc.exe
4644	upfc.exe
528	upfc.exe
2256	upfc.exe
208	upfc.exe
688	upfc.exe
1236	upfc.exe
3716	upfc.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	3748	upfc.exe
Token: SeDebugPrivilege	3640	upfc.exe
Token: SeDebugPrivilege	3312	upfc.exe
Token: SeDebugPrivilege	1648	upfc.exe
Token: SeDebugPrivilege	864	upfc.exe
Token: SeDebugPrivilege	3028	upfc.exe
Token: SeDebugPrivilege	3816	upfc.exe
Token: SeDebugPrivilege	4644	upfc.exe
Token: SeDebugPrivilege	528	upfc.exe
Token: SeDebugPrivilege	2256	upfc.exe
Token: SeDebugPrivilege	208	upfc.exe
Token: SeDebugPrivilege	688	upfc.exe
Token: SeDebugPrivilege	1236	upfc.exe
Token: SeDebugPrivilege	3716	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exetmpAF8C.tmp.execmd.exeupfc.exetmpEA7F.tmp.exetmpEA7F.tmp.exeWScript.exeupfc.exe

description	pid	process	target process
PID 660 wrote to memory of 1788	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	tmpAF8C.tmp.exe
PID 660 wrote to memory of 1788	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	tmpAF8C.tmp.exe
PID 660 wrote to memory of 1788	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	tmpAF8C.tmp.exe
PID 1788 wrote to memory of 5088	1788	tmpAF8C.tmp.exe	tmpAF8C.tmp.exe
PID 1788 wrote to memory of 5088	1788	tmpAF8C.tmp.exe	tmpAF8C.tmp.exe
PID 1788 wrote to memory of 5088	1788	tmpAF8C.tmp.exe	tmpAF8C.tmp.exe
PID 1788 wrote to memory of 5088	1788	tmpAF8C.tmp.exe	tmpAF8C.tmp.exe
PID 1788 wrote to memory of 5088	1788	tmpAF8C.tmp.exe	tmpAF8C.tmp.exe
PID 1788 wrote to memory of 5088	1788	tmpAF8C.tmp.exe	tmpAF8C.tmp.exe
PID 1788 wrote to memory of 5088	1788	tmpAF8C.tmp.exe	tmpAF8C.tmp.exe
PID 660 wrote to memory of 1928	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 1928	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 3328	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 3328	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 2088	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 2088	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 2956	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 2956	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 4752	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 4752	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 3012	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 3012	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 4368	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 4368	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 4308	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 4308	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 3960	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 3960	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 1444	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 1444	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 3312	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 3312	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 660 wrote to memory of 724	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	cmd.exe
PID 660 wrote to memory of 724	660	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	cmd.exe
PID 724 wrote to memory of 3216	724	cmd.exe	w32tm.exe
PID 724 wrote to memory of 3216	724	cmd.exe	w32tm.exe
PID 724 wrote to memory of 3748	724	cmd.exe	upfc.exe
PID 724 wrote to memory of 3748	724	cmd.exe	upfc.exe
PID 3748 wrote to memory of 4268	3748	upfc.exe	WScript.exe
PID 3748 wrote to memory of 4268	3748	upfc.exe	WScript.exe
PID 3748 wrote to memory of 5104	3748	upfc.exe	WScript.exe
PID 3748 wrote to memory of 5104	3748	upfc.exe	WScript.exe
PID 3748 wrote to memory of 2948	3748	upfc.exe	tmpEA7F.tmp.exe
PID 3748 wrote to memory of 2948	3748	upfc.exe	tmpEA7F.tmp.exe
PID 3748 wrote to memory of 2948	3748	upfc.exe	tmpEA7F.tmp.exe
PID 2948 wrote to memory of 3012	2948	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 2948 wrote to memory of 3012	2948	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 2948 wrote to memory of 3012	2948	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 3012 wrote to memory of 4876	3012	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 3012 wrote to memory of 4876	3012	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 3012 wrote to memory of 4876	3012	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 3012 wrote to memory of 4876	3012	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 3012 wrote to memory of 4876	3012	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 3012 wrote to memory of 4876	3012	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 3012 wrote to memory of 4876	3012	tmpEA7F.tmp.exe	tmpEA7F.tmp.exe
PID 4268 wrote to memory of 3640	4268	WScript.exe	upfc.exe
PID 4268 wrote to memory of 3640	4268	WScript.exe	upfc.exe
PID 3640 wrote to memory of 1664	3640	upfc.exe	WScript.exe
PID 3640 wrote to memory of 1664	3640	upfc.exe	WScript.exe
PID 3640 wrote to memory of 3276	3640	upfc.exe	WScript.exe
PID 3640 wrote to memory of 3276	3640	upfc.exe	WScript.exe
PID 3640 wrote to memory of 3756	3640	upfc.exe	tmp6F0.tmp.exe
PID 3640 wrote to memory of 3756	3640	upfc.exe	tmp6F0.tmp.exe
PID 3640 wrote to memory of 3756	3640	upfc.exe	tmp6F0.tmp.exe

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

Processes:

upfc.exeupfc.exe3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
"C:\Users\Admin\AppData\Local\Temp\3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:660
- C:\Users\Admin\AppData\Local\Temp\tmpAF8C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAF8C.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\tmpAF8C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpAF8C.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tMo44uzS7C.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3216
- - C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
    "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3748
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2a7536e-ddaa-49cf-8c86-a0a02fc392d4.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3640
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ac283b8-a61c-4dfb-8adb-f6039221f875.vbs"
        6⤵
        
        PID:1664
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39ff74b8-bb2f-4544-b055-df610b02f1a1.vbs"
        8⤵
        
        PID:4456
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db4071dd-bdc1-41f5-9d1e-c2e89b4ab477.vbs"
        10⤵
        
        PID:1572
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6100e2ca-eb03-4202-82fa-2e5d3c9d918a.vbs"
        12⤵
        
        PID:4544
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a8a3b2-69e2-43cd-aea8-7db478b2bcd0.vbs"
        14⤵
        
        PID:5072
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2fa6ced-b8a6-4154-87e5-007895e70059.vbs"
        16⤵
        
        PID:4904
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f701fbec-97eb-4117-8751-5ee34b1bb1b2.vbs"
        18⤵
        
        PID:3672
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2d897b4-75c4-4490-a4a7-9638e4e012ba.vbs"
        20⤵
        
        PID:4560
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63eae7fb-c63a-4221-89bc-bb09339fbd0c.vbs"
        22⤵
        
        PID:1664
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28a50a1c-a595-42b8-a123-742e8e0bb60c.vbs"
        24⤵
        
        PID:4508
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25d94ff8-374f-4779-9b07-683551695915.vbs"
        26⤵
        
        PID:3712
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\985fb10f-7df9-4143-8545-daadcd31d096.vbs"
        28⤵
        
        PID:2972
        
        C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bffce852-ecc4-4ce1-ab0f-6aa00fdbf933.vbs"
        30⤵
        
        PID:3800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc34f5fc-d5e4-4421-9e7c-2216653d8239.vbs"
        30⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmpE7B6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE7B6.tmp.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmpE7B6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE7B6.tmp.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmpE7B6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE7B6.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d9bb1c6-2180-40cc-b1a7-f18374a56509.vbs"
        28⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmpB7AE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB7AE.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmpB7AE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB7AE.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e696f92c-ed6a-421c-820f-56984ec8aa37.vbs"
        26⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp87B4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87B4.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp87B4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87B4.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e083a1f-690f-4354-aca7-4e74801c7a11.vbs"
        24⤵
        
        PID:3360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3909f22d-26d3-454f-8ac6-4c6b412c8079.vbs"
        22⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp3C82.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3C82.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\tmp3C82.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3C82.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a8bba29-c973-4585-8462-afb0cd74d931.vbs"
        20⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp213A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp213A.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp213A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp213A.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8daf1137-2a80-454c-ac18-cbd6fb5819e2.vbs"
        18⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp5F2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5F2.tmp.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp5F2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5F2.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmp5F2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5F2.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ba8cec1-7d6b-4076-aada-bc780670df44.vbs"
        16⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\tmpD1E1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD1E1.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmpD1E1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD1E1.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\553f5a6e-bd08-49b4-9108-028fc56e9922.vbs"
        14⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\616e1605-dc6d-40e1-b3c5-eeae8dcac9a6.vbs"
        12⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp84DB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp84DB.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\tmp84DB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp84DB.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp84DB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp84DB.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f0f77dc-740f-49b7-a275-b3b0613cbb6c.vbs"
        10⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp682B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp682B.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp682B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp682B.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp682B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp682B.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba2f307-4822-4e77-833d-aa33a16d5542.vbs"
        8⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp3786.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3786.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp3786.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3786.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:1404
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6f3a0a3-b551-4f31-a20e-eeaa1de001e5.vbs"
        6⤵
        
        PID:3276
      - C:\Users\Admin\AppData\Local\Temp\tmp6F0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6F0.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp6F0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6F0.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4752
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f37b18d7-cae5-44eb-b075-44e1f928c430.vbs"
      4⤵
      PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\39ff74b8-bb2f-4544-b055-df610b02f1a1.vbs

Filesize
731B

MD5
63015ec97fd608799b60117d667ede9f

SHA1
936fb66595007c4845e853cbf03a119ce325c8c7

SHA256
8610ec0007cc6c39f1cad94abe39f19edf55740f854ffbc2552e1be551f5afd6

SHA512
7280ad1108b15166faa321bfb237a6d079eb3de94d74e05469892d47c94684d8a7a3235e69416cf85f427ff2a862877561f9496c62840b2e9a0ffe5efc1b5dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac283b8-a61c-4dfb-8adb-f6039221f875.vbs

Filesize
731B

MD5
c83dca1c33085e687a2e8190088078d3

SHA1
f5a1bbbe55d1553c1cef0ea8a484ab6d3fd49e81

SHA256
30de72e986a8b46e0fb7ae60a825e2d39ab184a910fc57c3b932921b50e0ce60

SHA512
813a27167bfc79692119898ca49e0c70caed0e6d65653e6508c23850eb5c7369b26ee281905500499bbb160ddb3a62c821faece9d77d4e4aad4ed978e023f196

Download Submit
C:\Users\Admin\AppData\Local\Temp\6100e2ca-eb03-4202-82fa-2e5d3c9d918a.vbs

Filesize
730B

MD5
5529e19c2033f103fdce110acac7e768

SHA1
e9efbb21c41d0788b6134fca4d0cf69faf286e96

SHA256
9dbc8cfe3087091fa0aac2c70c511c65f0df322803c19772b75a7c2a694e56c5

SHA512
b03c7441b8d8d2fb04068bb3a98f96af243dd3ee014ae78f04025557350210ed460f4fb40b4abc6b5cabc23feeea8443009c589fd91c78bb6ea4b1d466ccd0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyqhx0kw.ag4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2a7536e-ddaa-49cf-8c86-a0a02fc392d4.vbs

Filesize
731B

MD5
602c5f61fc989abe1cbc72e7f59cde8a

SHA1
8385cfc84d43a4f82e4fd1042ef86a862f1bce77

SHA256
190d9a78601eed909eb849c3e46f972153a1fc4e204291a3b2c3f3255cb0ea95

SHA512
d024289537a5a2d78874c2fcfbb6bdad02b3dad4895b1fcd02dcd7876614f46cbbbc9971d8207d3feec27bd3d0724215a4034e3e1bb7481a4a977190c64dd988

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0a8a3b2-69e2-43cd-aea8-7db478b2bcd0.vbs

Filesize
731B

MD5
7e31448fd75ca22ad5fff9202be38df3

SHA1
74b443362bd586e472d69ef59473d05399f7c708

SHA256
cb9bfe97849789bc25778d65e5ab557a5f5d395ca9eba49ca45b442b9e4edc2d

SHA512
f9d9bfa24c199c2d2e7ee1fe6974a9285a3b80f0fe7a16c9701b7bf2f614c34c61acb3f5b7b7220fc4ec697acde4e20825ffe3e46cb1e824eb23153900d48248

Download Submit
C:\Users\Admin\AppData\Local\Temp\db4071dd-bdc1-41f5-9d1e-c2e89b4ab477.vbs

Filesize
731B

MD5
678dd0aa94a1a96894ffbc04a5d5941b

SHA1
72be8557067196196d9761e710b30aa389949463

SHA256
b8e1eff7684ac3636e4f95e66ca3c14de00b6b80a4adae7dfaca9e00feebd9b2

SHA512
fb7263521751023633d1a75148d6e8696f482cc3a61d6fc9c217fe2cf46fd07d49dfdab4e372d4bbe002af4caa0252be27351e1a0a01d6dbe53c8ceffe040194

Download Submit
C:\Users\Admin\AppData\Local\Temp\f37b18d7-cae5-44eb-b075-44e1f928c430.vbs

Filesize
507B

MD5
096e07a2525b529dc451d32be426e85d

SHA1
8c3a722c1b16825b6a98c07107c6d77bf6b6f098

SHA256
10489f48b6fada5e1aa277748a466464fca2ec7af13735f12a77564518b53297

SHA512
9eb03b82dfb4de349efdcc8ae8598be5989e84cbeb8c4211dc0f35675db7c825add569c30b58b0a9a72327ea8daf0c2aee6fe7324d775c48c6b7b72abbe93c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMo44uzS7C.bat

Filesize
220B

MD5
aa8a78942a997c802afe50ee99cb754d

SHA1
97cbed73ba50a369440a92b0ded2ff89bed13ef7

SHA256
26642a4687f364b6da08ef5b4bc4f7f6d2c72c9a39669b77668d5fdf871c53d6

SHA512
944cabbe367bbd5988b4d7ba893bc346c2141add842a6fc613b67c4613f9f4b775bbf450e70e3c58046571d42e4fd67b5241c732972317c2bc7b3cf66d7e22a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF8C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\Prefetch\ReadyBoot\SearchApp.exe

Filesize
4.9MB

MD5
3da200a28718a69db8ab79214990ad7c

SHA1
b6ed723d194b8ac4b038a79ee1250881695de651

SHA256
3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c

SHA512
536f668c2c1d006cc5053162d4d10ffd1d7af5728fc7c019c579ce002ebd5e10d3e7232cae85579bcb2078d30e2d0ae53ebf25115a69f42a718b011952c9d71e

Download Submit
memory/660-15-0x000000001C140000-0x000000001C14E000-memory.dmp

Filesize
56KB

Download
memory/660-2-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

Filesize
10.8MB

Download
memory/660-0-0x00007FFFA2C73000-0x00007FFFA2C75000-memory.dmp

Filesize
8KB

Download
memory/660-1-0x00000000006D0000-0x0000000000BC4000-memory.dmp

Filesize
5.0MB

Download
memory/660-145-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

Filesize
10.8MB

Download
memory/660-17-0x000000001C160000-0x000000001C168000-memory.dmp

Filesize
32KB

Download
memory/660-16-0x000000001C150000-0x000000001C158000-memory.dmp

Filesize
32KB

Download
memory/660-12-0x000000001C660000-0x000000001CB88000-memory.dmp

Filesize
5.2MB

Download
memory/660-5-0x000000001C0E0000-0x000000001C130000-memory.dmp

Filesize
320KB

Download
memory/660-18-0x000000001C170000-0x000000001C17C000-memory.dmp

Filesize
48KB

Download
memory/660-13-0x000000001C0D0000-0x000000001C0DA000-memory.dmp

Filesize
40KB

Download
memory/660-11-0x000000001C0C0000-0x000000001C0D2000-memory.dmp

Filesize
72KB

Download
memory/660-10-0x000000001C0B0000-0x000000001C0BA000-memory.dmp

Filesize
40KB

Download
memory/660-4-0x0000000002D90000-0x0000000002DAC000-memory.dmp

Filesize
112KB

Download
memory/660-9-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

Filesize
64KB

Download
memory/660-6-0x0000000002DB0000-0x0000000002DB8000-memory.dmp

Filesize
32KB

Download
memory/660-8-0x000000001C090000-0x000000001C0A6000-memory.dmp

Filesize
88KB

Download
memory/660-3-0x000000001B9D0000-0x000000001BAFE000-memory.dmp

Filesize
1.2MB

Download
memory/660-7-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/660-14-0x000000001C130000-0x000000001C13E000-memory.dmp

Filesize
56KB

Download
memory/2956-155-0x0000029C47BD0000-0x0000029C47BF2000-memory.dmp

Filesize
136KB

Download
memory/3640-300-0x000000001C910000-0x000000001C922000-memory.dmp

Filesize
72KB

Download
memory/3816-425-0x000000001B320000-0x000000001B332000-memory.dmp

Filesize
72KB

Download
memory/5088-69-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download