colibri | c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Size

4.9MB
MD5

7bcee51d69d6f7f7872dade20a2c5916
SHA1

4ad1278f8368527aa02d08c6ee86da5b22be2cab
SHA256

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2
SHA512

8da8506093074361776f8b1693a2058fc6775be636034237c8ef7f5a03d422b881a9c8ea047b8d89bc314c649ba0c3bd7a16ac8dcd4c41d788135845bd151e34
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8u:G

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1476	schtasks.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exec24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3200-2-0x000000001BE40000-0x000000001BF6E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4300	powershell.exe
4936	powershell.exe
3488	powershell.exe
4000	powershell.exe
4208	powershell.exe
3496	powershell.exe
1844	powershell.exe
1444	powershell.exe
1236	powershell.exe
1788	powershell.exe
1068	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exec24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 47 IoCs

Processes:

tmpC43B.tmp.exetmpC43B.tmp.exeupfc.exetmpEE96.tmp.exetmpEE96.tmp.exeupfc.exetmp1102.tmp.exetmp1102.tmp.exeupfc.exetmp4263.tmp.exetmp4263.tmp.exeupfc.exetmp778C.tmp.exetmp778C.tmp.exeupfc.exetmpAB2F.tmp.exetmpAB2F.tmp.exeupfc.exetmpC9D3.tmp.exetmpC9D3.tmp.exeupfc.exetmpFD95.tmp.exetmpFD95.tmp.exetmpFD95.tmp.exeupfc.exetmp1A35.tmp.exetmp1A35.tmp.exeupfc.exetmp4B86.tmp.exetmp4B86.tmp.exetmp4B86.tmp.exeupfc.exetmp7D44.tmp.exetmp7D44.tmp.exetmp7D44.tmp.exeupfc.exetmp9B4C.tmp.exetmp9B4C.tmp.exetmp9B4C.tmp.exetmp9B4C.tmp.exetmp9B4C.tmp.exeupfc.exetmpCB93.tmp.exetmpCB93.tmp.exeupfc.exetmpE97C.tmp.exetmpE97C.tmp.exe

pid	process
5044	tmpC43B.tmp.exe
4204	tmpC43B.tmp.exe
4028	upfc.exe
2988	tmpEE96.tmp.exe
1332	tmpEE96.tmp.exe
3416	upfc.exe
2696	tmp1102.tmp.exe
4544	tmp1102.tmp.exe
3700	upfc.exe
2876	tmp4263.tmp.exe
452	tmp4263.tmp.exe
4420	upfc.exe
4924	tmp778C.tmp.exe
1988	tmp778C.tmp.exe
5104	upfc.exe
3908	tmpAB2F.tmp.exe
2640	tmpAB2F.tmp.exe
1344	upfc.exe
3136	tmpC9D3.tmp.exe
752	tmpC9D3.tmp.exe
2416	upfc.exe
4876	tmpFD95.tmp.exe
4228	tmpFD95.tmp.exe
4920	tmpFD95.tmp.exe
4080	upfc.exe
1068	tmp1A35.tmp.exe
1964	tmp1A35.tmp.exe
1988	upfc.exe
3576	tmp4B86.tmp.exe
2148	tmp4B86.tmp.exe
2568	tmp4B86.tmp.exe
376	upfc.exe
912	tmp7D44.tmp.exe
4072	tmp7D44.tmp.exe
3628	tmp7D44.tmp.exe
1068	upfc.exe
4544	tmp9B4C.tmp.exe
2812	tmp9B4C.tmp.exe
4616	tmp9B4C.tmp.exe
3756	tmp9B4C.tmp.exe
3192	tmp9B4C.tmp.exe
3504	upfc.exe
1968	tmpCB93.tmp.exe
2368	tmpCB93.tmp.exe
740	upfc.exe
3612	tmpE97C.tmp.exe
2740	tmpE97C.tmp.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exec24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

tmpC43B.tmp.exetmpEE96.tmp.exetmp1102.tmp.exetmp4263.tmp.exetmp778C.tmp.exetmpAB2F.tmp.exetmpC9D3.tmp.exetmpFD95.tmp.exetmp1A35.tmp.exetmp4B86.tmp.exetmp7D44.tmp.exetmp9B4C.tmp.exetmpCB93.tmp.exetmpE97C.tmp.exe

description	pid	process	target process
PID 5044 set thread context of 4204	5044	tmpC43B.tmp.exe	tmpC43B.tmp.exe
PID 2988 set thread context of 1332	2988	tmpEE96.tmp.exe	tmpEE96.tmp.exe
PID 2696 set thread context of 4544	2696	tmp1102.tmp.exe	tmp1102.tmp.exe
PID 2876 set thread context of 452	2876	tmp4263.tmp.exe	tmp4263.tmp.exe
PID 4924 set thread context of 1988	4924	tmp778C.tmp.exe	tmp778C.tmp.exe
PID 3908 set thread context of 2640	3908	tmpAB2F.tmp.exe	tmpAB2F.tmp.exe
PID 3136 set thread context of 752	3136	tmpC9D3.tmp.exe	tmpC9D3.tmp.exe
PID 4228 set thread context of 4920	4228	tmpFD95.tmp.exe	tmpFD95.tmp.exe
PID 1068 set thread context of 1964	1068	tmp1A35.tmp.exe	tmp1A35.tmp.exe
PID 2148 set thread context of 2568	2148	tmp4B86.tmp.exe	tmp4B86.tmp.exe
PID 4072 set thread context of 3628	4072	tmp7D44.tmp.exe	tmp7D44.tmp.exe
PID 3756 set thread context of 3192	3756	tmp9B4C.tmp.exe	tmp9B4C.tmp.exe
PID 1968 set thread context of 2368	1968	tmpCB93.tmp.exe	tmpCB93.tmp.exe
PID 3612 set thread context of 2740	3612	tmpE97C.tmp.exe	tmpE97C.tmp.exe

Drops file in Program Files directory 16 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\27d1bcfc3c54e0	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\System.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXD009.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Common Files\System\System.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\System.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\121e5b5079f7c0	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\RCXC779.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\ea1d8f6d871115	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\Common Files\System\System.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\27d1bcfc3c54e0	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Common Files\System\RCXC546.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXCDE5.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

Drops file in Windows directory 8 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

description	ioc	process
File created	C:\Windows\Media\Sonata\ea1d8f6d871115	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Windows\Prefetch\ReadyBoot\upfc.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Windows\Prefetch\ReadyBoot\ea1d8f6d871115	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Windows\Media\Sonata\RCXCBC1.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Windows\Media\Sonata\upfc.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXD869.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\upfc.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Windows\Media\Sonata\upfc.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp9B4C.tmp.exetmpEE96.tmp.exetmp1102.tmp.exetmp778C.tmp.exetmp4B86.tmp.exetmp7D44.tmp.exetmp7D44.tmp.exetmp9B4C.tmp.exetmp9B4C.tmp.exetmpC9D3.tmp.exetmpCB93.tmp.exetmp4263.tmp.exetmpAB2F.tmp.exetmpFD95.tmp.exetmpFD95.tmp.exetmp9B4C.tmp.exetmpC43B.tmp.exetmp1A35.tmp.exetmp4B86.tmp.exetmpE97C.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9B4C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEE96.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1102.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp778C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4B86.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7D44.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7D44.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9B4C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9B4C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC9D3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCB93.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4263.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB2F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFD95.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFD95.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9B4C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC43B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1A35.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4B86.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE97C.tmp.exe

Modifies registry class 14 IoCs

Processes:

upfc.exeupfc.exeupfc.exec24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3968	schtasks.exe
112	schtasks.exe
1380	schtasks.exe
2316	schtasks.exe
2692	schtasks.exe
4796	schtasks.exe
1824	schtasks.exe
3352	schtasks.exe
1876	schtasks.exe
3740	schtasks.exe
264	schtasks.exe
4880	schtasks.exe
2804	schtasks.exe
4032	schtasks.exe
3540	schtasks.exe
4720	schtasks.exe
896	schtasks.exe
3652	schtasks.exe
3848	schtasks.exe
436	schtasks.exe
1780	schtasks.exe
2836	schtasks.exe
3844	schtasks.exe
4928	schtasks.exe
2352	schtasks.exe
2448	schtasks.exe
1808	schtasks.exe
1980	schtasks.exe
1480	schtasks.exe
1352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

pid	process
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
3488	powershell.exe
3488	powershell.exe
1236	powershell.exe
1236	powershell.exe
1068	powershell.exe
1068	powershell.exe
1444	powershell.exe
1444	powershell.exe
4936	powershell.exe
4936	powershell.exe
1844	powershell.exe
1844	powershell.exe
4300	powershell.exe
4300	powershell.exe
4000	powershell.exe
4000	powershell.exe
3496	powershell.exe
3496	powershell.exe
1788	powershell.exe
1788	powershell.exe
4208	powershell.exe
4208	powershell.exe
1236	powershell.exe
1444	powershell.exe
4000	powershell.exe
3488	powershell.exe
1068	powershell.exe
4936	powershell.exe
1788	powershell.exe
3496	powershell.exe
4300	powershell.exe
1844	powershell.exe
4208	powershell.exe
4028	upfc.exe
4028	upfc.exe
3416	upfc.exe
3700	upfc.exe
4420	upfc.exe
5104	upfc.exe
1344	upfc.exe
2416	upfc.exe
4080	upfc.exe
1988	upfc.exe
376	upfc.exe
1068	upfc.exe
3504	upfc.exe
740	upfc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4028	upfc.exe
Token: SeDebugPrivilege	3416	upfc.exe
Token: SeDebugPrivilege	3700	upfc.exe
Token: SeDebugPrivilege	4420	upfc.exe
Token: SeDebugPrivilege	5104	upfc.exe
Token: SeDebugPrivilege	1344	upfc.exe
Token: SeDebugPrivilege	2416	upfc.exe
Token: SeDebugPrivilege	4080	upfc.exe
Token: SeDebugPrivilege	1988	upfc.exe
Token: SeDebugPrivilege	376	upfc.exe
Token: SeDebugPrivilege	1068	upfc.exe
Token: SeDebugPrivilege	3504	upfc.exe
Token: SeDebugPrivilege	740	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exetmpC43B.tmp.exeupfc.exetmpEE96.tmp.exeWScript.exeupfc.exetmp1102.tmp.exe

description	pid	process	target process
PID 3200 wrote to memory of 5044	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	tmpC43B.tmp.exe
PID 3200 wrote to memory of 5044	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	tmpC43B.tmp.exe
PID 3200 wrote to memory of 5044	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	tmpC43B.tmp.exe
PID 5044 wrote to memory of 4204	5044	tmpC43B.tmp.exe	tmpC43B.tmp.exe
PID 5044 wrote to memory of 4204	5044	tmpC43B.tmp.exe	tmpC43B.tmp.exe
PID 5044 wrote to memory of 4204	5044	tmpC43B.tmp.exe	tmpC43B.tmp.exe
PID 5044 wrote to memory of 4204	5044	tmpC43B.tmp.exe	tmpC43B.tmp.exe
PID 5044 wrote to memory of 4204	5044	tmpC43B.tmp.exe	tmpC43B.tmp.exe
PID 5044 wrote to memory of 4204	5044	tmpC43B.tmp.exe	tmpC43B.tmp.exe
PID 5044 wrote to memory of 4204	5044	tmpC43B.tmp.exe	tmpC43B.tmp.exe
PID 3200 wrote to memory of 4208	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 4208	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 3496	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 3496	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1068	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1068	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 4000	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 4000	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1788	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1788	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1236	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1236	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 3488	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 3488	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 4300	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 4300	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1844	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1844	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 4936	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 4936	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1444	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 1444	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 3200 wrote to memory of 4028	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	upfc.exe
PID 3200 wrote to memory of 4028	3200	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	upfc.exe
PID 4028 wrote to memory of 2988	4028	upfc.exe	tmpEE96.tmp.exe
PID 4028 wrote to memory of 2988	4028	upfc.exe	tmpEE96.tmp.exe
PID 4028 wrote to memory of 2988	4028	upfc.exe	tmpEE96.tmp.exe
PID 4028 wrote to memory of 440	4028	upfc.exe	WScript.exe
PID 4028 wrote to memory of 440	4028	upfc.exe	WScript.exe
PID 4028 wrote to memory of 4452	4028	upfc.exe	WScript.exe
PID 4028 wrote to memory of 4452	4028	upfc.exe	WScript.exe
PID 2988 wrote to memory of 1332	2988	tmpEE96.tmp.exe	tmpEE96.tmp.exe
PID 2988 wrote to memory of 1332	2988	tmpEE96.tmp.exe	tmpEE96.tmp.exe
PID 2988 wrote to memory of 1332	2988	tmpEE96.tmp.exe	tmpEE96.tmp.exe
PID 2988 wrote to memory of 1332	2988	tmpEE96.tmp.exe	tmpEE96.tmp.exe
PID 2988 wrote to memory of 1332	2988	tmpEE96.tmp.exe	tmpEE96.tmp.exe
PID 2988 wrote to memory of 1332	2988	tmpEE96.tmp.exe	tmpEE96.tmp.exe
PID 2988 wrote to memory of 1332	2988	tmpEE96.tmp.exe	tmpEE96.tmp.exe
PID 440 wrote to memory of 3416	440	WScript.exe	upfc.exe
PID 440 wrote to memory of 3416	440	WScript.exe	upfc.exe
PID 3416 wrote to memory of 1536	3416	upfc.exe	WScript.exe
PID 3416 wrote to memory of 1536	3416	upfc.exe	WScript.exe
PID 3416 wrote to memory of 4908	3416	upfc.exe	WScript.exe
PID 3416 wrote to memory of 4908	3416	upfc.exe	WScript.exe
PID 3416 wrote to memory of 2696	3416	upfc.exe	tmp1102.tmp.exe
PID 3416 wrote to memory of 2696	3416	upfc.exe	tmp1102.tmp.exe
PID 3416 wrote to memory of 2696	3416	upfc.exe	tmp1102.tmp.exe
PID 2696 wrote to memory of 4544	2696	tmp1102.tmp.exe	tmp1102.tmp.exe
PID 2696 wrote to memory of 4544	2696	tmp1102.tmp.exe	tmp1102.tmp.exe
PID 2696 wrote to memory of 4544	2696	tmp1102.tmp.exe	tmp1102.tmp.exe
PID 2696 wrote to memory of 4544	2696	tmp1102.tmp.exe	tmp1102.tmp.exe
PID 2696 wrote to memory of 4544	2696	tmp1102.tmp.exe	tmp1102.tmp.exe
PID 2696 wrote to memory of 4544	2696	tmp1102.tmp.exe	tmp1102.tmp.exe
PID 2696 wrote to memory of 4544	2696	tmp1102.tmp.exe	tmp1102.tmp.exe

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

upfc.exeupfc.exeupfc.exec24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
"C:\Users\Admin\AppData\Local\Temp\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3200
- C:\Users\Admin\AppData\Local\Temp\tmpC43B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC43B.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\tmpC43B.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC43B.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
  "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed7010aa-abb3-4df2-bd7b-ab3773fca7c8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
      "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3416
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e59fac9-ffc4-42c4-a615-98c38a2ef24c.vbs"
        5⤵
        
        PID:1536
      - C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1a3d146-5d6d-4d01-9849-2e7532f44bd5.vbs"
        7⤵
        
        PID:4644
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04826599-0ec8-47af-9b2d-342b22dc74c6.vbs"
        9⤵
        
        PID:2408
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\813dc571-0411-4896-a85c-d1a691e61fdc.vbs"
        11⤵
        
        PID:3032
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc0fc10e-b346-46f1-9b66-d6ff386be244.vbs"
        13⤵
        
        PID:4980
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db1be781-f711-47d5-812d-f4abae4cbad0.vbs"
        15⤵
        
        PID:4936
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b8c5ad7-07b9-478d-b900-2c19f81e04b1.vbs"
        17⤵
        
        PID:2876
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6720a32-b4af-477d-b16c-e41d4194cd7e.vbs"
        19⤵
        
        PID:1536
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c4c2222-5585-4c5b-a9e6-23cf6af492e1.vbs"
        21⤵
        
        PID:3992
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\486ee761-1f70-4093-9727-7a32692bee0d.vbs"
        23⤵
        
        PID:808
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e31e9a17-1186-4b9b-b485-63bc3ce3f351.vbs"
        25⤵
        
        PID:4920
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50b1a4d8-e33d-42a2-b708-3a4ac38394b6.vbs"
        27⤵
        
        PID:320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\491a568d-9597-4a23-a806-00338fe1debf.vbs"
        27⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\tmpE97C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE97C.tmp.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmpE97C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE97C.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f84a0ca2-06fe-40f2-94fc-93c91eb00049.vbs"
        25⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmpCB93.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCB93.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmpCB93.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCB93.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f87494ac-f63c-4761-8f91-0931281a9210.vbs"
        23⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9B4C.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62d220ca-c916-410a-81c1-f03bb7a91775.vbs"
        21⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7D44.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7D44.tmp.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7D44.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7D44.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7D44.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7D44.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bee7fd67-bfe5-463b-8a89-6ee59451a703.vbs"
        19⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp4B86.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4B86.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp4B86.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4B86.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp4B86.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4B86.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c521201a-6785-4dbd-bf5d-ff95476d405a.vbs"
        17⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\063fa55f-4581-4b60-8423-6c506532aecb.vbs"
        15⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmpFD95.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFD95.tmp.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmpFD95.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFD95.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmpFD95.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFD95.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c593207-658d-4299-b61b-fb1cbd933427.vbs"
        13⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmpC9D3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC9D3.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmpC9D3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC9D3.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93d243f9-309f-4fcf-99d1-90e8fd0500aa.vbs"
        11⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmpAB2F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAB2F.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmpAB2F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAB2F.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\707cd320-34d8-4d04-a897-8cb7aabb5953.vbs"
        9⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp778C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp778C.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp778C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp778C.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6eee02a-3c5c-4adb-b5e9-0a6a38291816.vbs"
        7⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:452
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3a1b842-736b-4720-9652-2dd315dca6c5.vbs"
        5⤵
        
        PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:4544
- - C:\Users\Admin\AppData\Local\Temp\tmpEE96.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpEE96.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\tmpEE96.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEE96.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:1332
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0da950ca-594b-43d3-a5a9-5e9b7d62544e.vbs"
    3⤵
    PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Sonata\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Sonata\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2c" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2c" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe

Filesize
4.9MB

MD5
7bcee51d69d6f7f7872dade20a2c5916

SHA1
4ad1278f8368527aa02d08c6ee86da5b22be2cab

SHA256
c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2

SHA512
8da8506093074361776f8b1693a2058fc6775be636034237c8ef7f5a03d422b881a9c8ea047b8d89bc314c649ba0c3bd7a16ac8dcd4c41d788135845bd151e34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
136802803399fb4b565ebf9d8ce65a37

SHA1
3f8ccc84226df3ae772cea69b47c307b4bfdca48

SHA256
958468fd981d96f052f8658dac6edd7a343255a72955622d231be990cff35510

SHA512
19b5e24c08908cfcd9c9dd3c85e67e06afdf65dc3f6b45eb95cac5ad64d66390b09051844e48d10ce8b663fa9681fcd02e39509a8a5c118d922d2647945cf8b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\04826599-0ec8-47af-9b2d-342b22dc74c6.vbs

Filesize
731B

MD5
86a787630558e85d34ffab3cb7d76779

SHA1
82f5a1305f139504b8f60295c9c3967fbff1f5ed

SHA256
01e3afe091f8aec1cf30c5066474900dee28e461d0416bae308c0a52a62923eb

SHA512
983c171eb87e8090b719eaea1615e5a9d36ceb14f289138954e7351a67a6b9212da1d831eb6182e8100f5836975bd738a89ee53cc3255a4e40dc7fde9f44dfef

Download Submit
C:\Users\Admin\AppData\Local\Temp\0da950ca-594b-43d3-a5a9-5e9b7d62544e.vbs

Filesize
507B

MD5
9f717e0f5a607513c136eb02ccd6b89b

SHA1
05c1d73e5ff658894d87ce0fd21c5bd6095ffe8e

SHA256
4c594c08d918679f023353da296ec7602806c1099c8718f185a952d97c223d31

SHA512
0ee7a4db55d55bb1f45889b64995e1ad9c1a139fa3ebbd8f138696e37dbcc55371896547fa1f9c1c040ed5c2380f3d91bddc28379dfafe0dc3f97bc15644cdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\813dc571-0411-4896-a85c-d1a691e61fdc.vbs

Filesize
731B

MD5
48b4e8c599bd2c858338ffb0a93b87f7

SHA1
903f79dcec334c561dc155bbb696c1a7a7b43ee0

SHA256
53dc0d61be4668531624df720187abcf2faa3d4c7d6fbbf65fbaeb21ace1518c

SHA512
3b30ace6390a850bcf390b9088b9b8f84b08c3d0b0e431781ebe0f5fe20fc11d914068ea89c48e1bc875d44dd4e32237da26d697a165e6fab9680845af133202

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e59fac9-ffc4-42c4-a615-98c38a2ef24c.vbs

Filesize
731B

MD5
2ff6f41cc8a996095f45b380b977f086

SHA1
ed9462010c7f47b8d6d28391159c692cc6330942

SHA256
b7f63a4054a4b63ed6fa1af91f9b5d00887505f3718809646726260d05991668

SHA512
e403b31cb5b3d064622e79a995f70a9557f25bb1092c89fc1b69471f372b192017c0d54137dde16e919ba1f1891b71eccd099f003740b86ba99f976f52fa49a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ec2s1pu1.wcg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db1be781-f711-47d5-812d-f4abae4cbad0.vbs

Filesize
731B

MD5
dbbe39758e7f57ac84094b1bf2d4fbb6

SHA1
af3d4ccc3c8ad13ab30f9ae49ea7ed0121609e12

SHA256
4272d73b710ac9e395b4880cb777d490c59ff91e49bf579c7f2348c5d71c0506

SHA512
77816024de92e854df6360431045d0f994a0957c7347fce657215494d7eede023e3ca38d9ab357aabb9a497bdc45bf8607f9d98780f5bf5cd363f87a89cbe2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1a3d146-5d6d-4d01-9849-2e7532f44bd5.vbs

Filesize
731B

MD5
31b4c4a4ac13ca8bc1ff9c1b13a46c6b

SHA1
25cec1565d16e44e2ca903e393f1c0849c14500b

SHA256
79fe69e8fb67ac1c7e932f438a36ee64b09446e94bd4cf303652f22581b72632

SHA512
b1a4fd6e7f42879a8b34d41c5f3e87311bfc9e27c3dce10f8af66540df44f118753801924b976d88c9aa69e9f937a7d1cebd5424d6cce85a979a48dceb302b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed7010aa-abb3-4df2-bd7b-ab3773fca7c8.vbs

Filesize
731B

MD5
8e10a9d9511aaa211e75684047dcc087

SHA1
5672aecc36d4f27eb09e2ffc91983fdef4fb95fb

SHA256
a27bfe7b7502f3a1842b6531d45c73d9015807793b1899a628e98a31948c6134

SHA512
ca3fba952402203c5bb91382bea4a904a24141aa16bf82c1420cd710513db476ff846fce540fb18255cb8393312db7f00f9c10345ca076c85452b1b002095575

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc0fc10e-b346-46f1-9b66-d6ff386be244.vbs

Filesize
731B

MD5
281b7a14ed06121c9f7a2e3e14bb8c01

SHA1
de93e5f1fb2266bc658a9990100a10af692b8f62

SHA256
73b7a3f121171635a151c188532e8fd8a874fd977828b996a4034261dec357a4

SHA512
94775ebec475f47deb0036c550174ddb07f7182e6a15508e7e295578eb790a85628a335fd18af9aad082537f565f4cc68424d834760c1fbe016e954186b23a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC43B.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/740-562-0x0000000002E80000-0x0000000002E92000-memory.dmp

Filesize
72KB

Download
memory/2416-446-0x00000000035B0000-0x00000000035C2000-memory.dmp

Filesize
72KB

Download
memory/3200-11-0x000000001C4A0000-0x000000001C4B2000-memory.dmp

Filesize
72KB

Download
memory/3200-12-0x000000001CA40000-0x000000001CF68000-memory.dmp

Filesize
5.2MB

Download
memory/3200-1-0x0000000000AB0000-0x0000000000FA4000-memory.dmp

Filesize
5.0MB

Download
memory/3200-171-0x00007FFCC03A3000-0x00007FFCC03A5000-memory.dmp

Filesize
8KB

Download
memory/3200-2-0x000000001BE40000-0x000000001BF6E000-memory.dmp

Filesize
1.2MB

Download
memory/3200-16-0x000000001C530000-0x000000001C538000-memory.dmp

Filesize
32KB

Download
memory/3200-283-0x00007FFCC03A0000-0x00007FFCC0E61000-memory.dmp

Filesize
10.8MB

Download
memory/3200-284-0x00007FFCC03A0000-0x00007FFCC0E61000-memory.dmp

Filesize
10.8MB

Download
memory/3200-3-0x00007FFCC03A0000-0x00007FFCC0E61000-memory.dmp

Filesize
10.8MB

Download
memory/3200-17-0x000000001C540000-0x000000001C548000-memory.dmp

Filesize
32KB

Download
memory/3200-14-0x000000001C510000-0x000000001C51E000-memory.dmp

Filesize
56KB

Download
memory/3200-15-0x000000001C520000-0x000000001C52E000-memory.dmp

Filesize
56KB

Download
memory/3200-13-0x000000001C4B0000-0x000000001C4BA000-memory.dmp

Filesize
40KB

Download
memory/3200-18-0x000000001C550000-0x000000001C55C000-memory.dmp

Filesize
48KB

Download
memory/3200-0-0x00007FFCC03A3000-0x00007FFCC03A5000-memory.dmp

Filesize
8KB

Download
memory/3200-8-0x000000001C470000-0x000000001C486000-memory.dmp

Filesize
88KB

Download
memory/3200-10-0x000000001C490000-0x000000001C49A000-memory.dmp

Filesize
40KB

Download
memory/3200-9-0x000000001BE20000-0x000000001BE30000-memory.dmp

Filesize
64KB

Download
memory/3200-5-0x000000001C4C0000-0x000000001C510000-memory.dmp

Filesize
320KB

Download
memory/3200-6-0x000000001BCF0000-0x000000001BCF8000-memory.dmp

Filesize
32KB

Download
memory/3200-7-0x000000001BE10000-0x000000001BE20000-memory.dmp

Filesize
64KB

Download
memory/3200-4-0x00000000031B0000-0x00000000031CC000-memory.dmp

Filesize
112KB

Download
memory/4000-172-0x000001D8D05C0000-0x000001D8D05E2000-memory.dmp

Filesize
136KB

Download
memory/4028-285-0x000000001C680000-0x000000001C692000-memory.dmp

Filesize
72KB

Download
memory/4204-58-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download