colibri | 8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Size

4.9MB
MD5

c62cd7e55437ae4873f4cc2e98d87ccb
SHA1

99a5dc009e586ebb83f324c03f1729dad34ee031
SHA256

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77
SHA512

497d6ed88c05e7b689f2fd8a00c92a652fd1f31edacf0b69edef0adb2f250509a1aee00beb4d6496021dd4aeb1b015b63ad6c70a5bf76466fd4104d1ee17754c
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8B:J

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	428	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	428	schtasks.exe	83

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

upfc.exeupfc.exe8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/696-3-0x000000001B960000-0x000000001BA8E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4884	powershell.exe
4796	powershell.exe
1952	powershell.exe
2756	powershell.exe
2260	powershell.exe
1600	powershell.exe
4952	powershell.exe
3992	powershell.exe
4360	powershell.exe
2184	powershell.exe
2992	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

Executes dropped EXE 37 IoCs

Processes:

tmpAB94.tmp.exetmpAB94.tmp.exeupfc.exetmpE251.tmp.exetmpE251.tmp.exeupfc.exetmp347.tmp.exetmp347.tmp.exetmp347.tmp.exeupfc.exetmp1F0C.tmp.exetmp1F0C.tmp.exeupfc.exetmp506D.tmp.exetmp506D.tmp.exeupfc.exetmp6E45.tmp.exetmp6E45.tmp.exetmp6E45.tmp.exeupfc.exetmp9F19.tmp.exetmp9F19.tmp.exeupfc.exetmpD25E.tmp.exetmpD25E.tmp.exeupfc.exetmp238.tmp.exetmp238.tmp.exetmp238.tmp.exetmp238.tmp.exetmp238.tmp.exeupfc.exetmp32DE.tmp.exetmp32DE.tmp.exeupfc.exetmp4F20.tmp.exetmp4F20.tmp.exe

pid	Process
2480	tmpAB94.tmp.exe
3644	tmpAB94.tmp.exe
4612	upfc.exe
224	tmpE251.tmp.exe
232	tmpE251.tmp.exe
2856	upfc.exe
2640	tmp347.tmp.exe
4212	tmp347.tmp.exe
4924	tmp347.tmp.exe
220	upfc.exe
1420	tmp1F0C.tmp.exe
4476	tmp1F0C.tmp.exe
3368	upfc.exe
1040	tmp506D.tmp.exe
4796	tmp506D.tmp.exe
1836	upfc.exe
1148	tmp6E45.tmp.exe
4884	tmp6E45.tmp.exe
1644	tmp6E45.tmp.exe
232	upfc.exe
1512	tmp9F19.tmp.exe
1864	tmp9F19.tmp.exe
2564	upfc.exe
4468	tmpD25E.tmp.exe
3776	tmpD25E.tmp.exe
4772	upfc.exe
2124	tmp238.tmp.exe
2328	tmp238.tmp.exe
412	tmp238.tmp.exe
216	tmp238.tmp.exe
4812	tmp238.tmp.exe
3368	upfc.exe
2284	tmp32DE.tmp.exe
1616	tmp32DE.tmp.exe
3564	upfc.exe
4832	tmp4F20.tmp.exe
532	tmp4F20.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

upfc.exeupfc.exeupfc.exe8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

tmpAB94.tmp.exetmpE251.tmp.exetmp347.tmp.exetmp1F0C.tmp.exetmp506D.tmp.exetmp6E45.tmp.exetmp9F19.tmp.exetmpD25E.tmp.exetmp238.tmp.exetmp32DE.tmp.exetmp4F20.tmp.exe

description	pid	Process	procid_target
PID 2480 set thread context of 3644	2480	tmpAB94.tmp.exe	137
PID 224 set thread context of 232	224	tmpE251.tmp.exe	175
PID 4212 set thread context of 4924	4212	tmp347.tmp.exe	189
PID 1420 set thread context of 4476	1420	tmp1F0C.tmp.exe	200
PID 1040 set thread context of 4796	1040	tmp506D.tmp.exe	209
PID 4884 set thread context of 1644	4884	tmp6E45.tmp.exe	219
PID 1512 set thread context of 1864	1512	tmp9F19.tmp.exe	229
PID 4468 set thread context of 3776	4468	tmpD25E.tmp.exe	239
PID 216 set thread context of 4812	216	tmp238.tmp.exe	252
PID 2284 set thread context of 1616	2284	tmp32DE.tmp.exe	261
PID 4832 set thread context of 532	4832	tmp4F20.tmp.exe	270

Drops file in Program Files directory 28 IoCs

Processes:

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office16\smss.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files (x86)\Common Files\Adobe\5b884080fd4f94	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\upfc.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCXB368.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXC263.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files\VideoLAN\VLC\skins\ea1d8f6d871115	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\sysmon.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files (x86)\Windows NT\explorer.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\smss.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCXC8FD.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\7a0fd90576e088	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\RCXCB7F.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\dwm.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\6cb0b6c459d5d3	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\121e5b5079f7c0	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files\Microsoft Office\Office16\69ddcba757bf72	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCXACEC.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files (x86)\Windows NT\explorer.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCXBA12.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXC467.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files\VideoLAN\VLC\skins\upfc.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files (x86)\Windows NT\7a0fd90576e088	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\sysmon.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\dwm.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

Drops file in Windows directory 4 IoCs

Processes:

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

description	ioc	Process
File created	C:\Windows\DiagTrack\38384e6a620884	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Windows\DiagTrack\RCXBE4A.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Windows\DiagTrack\SearchApp.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Windows\DiagTrack\SearchApp.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpD25E.tmp.exetmp238.tmp.exetmp506D.tmp.exetmp9F19.tmp.exetmp238.tmp.exetmp238.tmp.exetmp238.tmp.exetmp4F20.tmp.exetmp6E45.tmp.exetmp32DE.tmp.exetmpAB94.tmp.exetmpE251.tmp.exetmp347.tmp.exetmp347.tmp.exetmp1F0C.tmp.exetmp6E45.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD25E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp238.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp506D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9F19.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp238.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp238.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp238.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4F20.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6E45.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp32DE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB94.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE251.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp347.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp347.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1F0C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6E45.tmp.exe

Modifies registry class 11 IoCs

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exeupfc.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
4596	schtasks.exe
2012	schtasks.exe
3596	schtasks.exe
1224	schtasks.exe
2536	schtasks.exe
3260	schtasks.exe
1148	schtasks.exe
1792	schtasks.exe
1600	schtasks.exe
3936	schtasks.exe
3040	schtasks.exe
1864	schtasks.exe
2864	schtasks.exe
4984	schtasks.exe
1248	schtasks.exe
1160	schtasks.exe
4796	schtasks.exe
1952	schtasks.exe
2260	schtasks.exe
632	schtasks.exe
3776	schtasks.exe
4448	schtasks.exe
4856	schtasks.exe
4788	schtasks.exe
2748	schtasks.exe
2312	schtasks.exe
5072	schtasks.exe
4352	schtasks.exe
4812	schtasks.exe
2284	schtasks.exe
1640	schtasks.exe
2908	schtasks.exe
2516	schtasks.exe
2200	schtasks.exe
64	schtasks.exe
1324	schtasks.exe
3988	schtasks.exe
1868	schtasks.exe
4600	schtasks.exe
3464	schtasks.exe
4892	schtasks.exe
2844	schtasks.exe
3992	schtasks.exe
5036	schtasks.exe
4492	schtasks.exe
1096	schtasks.exe
2416	schtasks.exe
1528	schtasks.exe
5000	schtasks.exe
1172	schtasks.exe
4388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

pid	Process
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
2184	powershell.exe
2184	powershell.exe
1600	powershell.exe
1600	powershell.exe
1952	powershell.exe
1952	powershell.exe
4952	powershell.exe
4952	powershell.exe
4796	powershell.exe
4796	powershell.exe
4360	powershell.exe
4360	powershell.exe
2992	powershell.exe
2992	powershell.exe
2756	powershell.exe
2756	powershell.exe
3992	powershell.exe
3992	powershell.exe
2260	powershell.exe
2260	powershell.exe
4884	powershell.exe
4884	powershell.exe
2992	powershell.exe
4884	powershell.exe
2184	powershell.exe
1600	powershell.exe
1952	powershell.exe
4952	powershell.exe
2756	powershell.exe
4360	powershell.exe
2260	powershell.exe
3992	powershell.exe
4796	powershell.exe
4612	upfc.exe
2856	upfc.exe
220	upfc.exe
3368	upfc.exe
1836	upfc.exe
232	upfc.exe
2564	upfc.exe
4772	upfc.exe
3368	upfc.exe
3564	upfc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4612	upfc.exe
Token: SeDebugPrivilege	2856	upfc.exe
Token: SeDebugPrivilege	220	upfc.exe
Token: SeDebugPrivilege	3368	upfc.exe
Token: SeDebugPrivilege	1836	upfc.exe
Token: SeDebugPrivilege	232	upfc.exe
Token: SeDebugPrivilege	2564	upfc.exe
Token: SeDebugPrivilege	4772	upfc.exe
Token: SeDebugPrivilege	3368	upfc.exe
Token: SeDebugPrivilege	3564	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exetmpAB94.tmp.exeupfc.exetmpE251.tmp.exeWScript.exeupfc.exetmp347.tmp.exetmp347.tmp.exe

description	pid	Process	procid_target
PID 696 wrote to memory of 2480	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	135
PID 696 wrote to memory of 2480	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	135
PID 696 wrote to memory of 2480	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	135
PID 2480 wrote to memory of 3644	2480	tmpAB94.tmp.exe	137
PID 2480 wrote to memory of 3644	2480	tmpAB94.tmp.exe	137
PID 2480 wrote to memory of 3644	2480	tmpAB94.tmp.exe	137
PID 2480 wrote to memory of 3644	2480	tmpAB94.tmp.exe	137
PID 2480 wrote to memory of 3644	2480	tmpAB94.tmp.exe	137
PID 2480 wrote to memory of 3644	2480	tmpAB94.tmp.exe	137
PID 2480 wrote to memory of 3644	2480	tmpAB94.tmp.exe	137
PID 696 wrote to memory of 4884	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	144
PID 696 wrote to memory of 4884	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	144
PID 696 wrote to memory of 1600	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	145
PID 696 wrote to memory of 1600	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	145
PID 696 wrote to memory of 4952	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	146
PID 696 wrote to memory of 4952	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	146
PID 696 wrote to memory of 3992	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	147
PID 696 wrote to memory of 3992	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	147
PID 696 wrote to memory of 4360	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	148
PID 696 wrote to memory of 4360	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	148
PID 696 wrote to memory of 4796	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	149
PID 696 wrote to memory of 4796	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	149
PID 696 wrote to memory of 2184	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	150
PID 696 wrote to memory of 2184	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	150
PID 696 wrote to memory of 1952	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	151
PID 696 wrote to memory of 1952	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	151
PID 696 wrote to memory of 2992	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	152
PID 696 wrote to memory of 2992	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	152
PID 696 wrote to memory of 2260	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	153
PID 696 wrote to memory of 2260	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	153
PID 696 wrote to memory of 2756	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	154
PID 696 wrote to memory of 2756	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	154
PID 696 wrote to memory of 4612	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	166
PID 696 wrote to memory of 4612	696	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	166
PID 4612 wrote to memory of 1484	4612	upfc.exe	170
PID 4612 wrote to memory of 1484	4612	upfc.exe	170
PID 4612 wrote to memory of 2632	4612	upfc.exe	171
PID 4612 wrote to memory of 2632	4612	upfc.exe	171
PID 4612 wrote to memory of 224	4612	upfc.exe	173
PID 4612 wrote to memory of 224	4612	upfc.exe	173
PID 4612 wrote to memory of 224	4612	upfc.exe	173
PID 224 wrote to memory of 232	224	tmpE251.tmp.exe	175
PID 224 wrote to memory of 232	224	tmpE251.tmp.exe	175
PID 224 wrote to memory of 232	224	tmpE251.tmp.exe	175
PID 224 wrote to memory of 232	224	tmpE251.tmp.exe	175
PID 224 wrote to memory of 232	224	tmpE251.tmp.exe	175
PID 224 wrote to memory of 232	224	tmpE251.tmp.exe	175
PID 224 wrote to memory of 232	224	tmpE251.tmp.exe	175
PID 1484 wrote to memory of 2856	1484	WScript.exe	182
PID 1484 wrote to memory of 2856	1484	WScript.exe	182
PID 2856 wrote to memory of 1520	2856	upfc.exe	184
PID 2856 wrote to memory of 1520	2856	upfc.exe	184
PID 2856 wrote to memory of 4608	2856	upfc.exe	185
PID 2856 wrote to memory of 4608	2856	upfc.exe	185
PID 2856 wrote to memory of 2640	2856	upfc.exe	186
PID 2856 wrote to memory of 2640	2856	upfc.exe	186
PID 2856 wrote to memory of 2640	2856	upfc.exe	186
PID 2640 wrote to memory of 4212	2640	tmp347.tmp.exe	188
PID 2640 wrote to memory of 4212	2640	tmp347.tmp.exe	188
PID 2640 wrote to memory of 4212	2640	tmp347.tmp.exe	188
PID 4212 wrote to memory of 4924	4212	tmp347.tmp.exe	189
PID 4212 wrote to memory of 4924	4212	tmp347.tmp.exe	189
PID 4212 wrote to memory of 4924	4212	tmp347.tmp.exe	189
PID 4212 wrote to memory of 4924	4212	tmp347.tmp.exe	189

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exeupfc.exeupfc.exeupfc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
"C:\Users\Admin\AppData\Local\Temp\8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:696
- C:\Users\Admin\AppData\Local\Temp\tmpAB94.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAB94.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\tmpAB94.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpAB94.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Program Files\VideoLAN\VLC\skins\upfc.exe
  "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4612
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4c9626c-220b-4802-9d87-ab871201dc20.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Program Files\VideoLAN\VLC\skins\upfc.exe
      "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2856
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\418378ad-caa9-49e0-bf2a-bc7da95c7e1a.vbs"
        5⤵
        
        PID:1520
      - C:\Program Files\VideoLAN\VLC\skins\upfc.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9d75929-c36a-4c5d-941a-ccbe728eae1a.vbs"
        7⤵
        
        PID:2864
        
        C:\Program Files\VideoLAN\VLC\skins\upfc.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90c62974-69e0-478b-a4d6-c6d9d0bb7016.vbs"
        9⤵
        
        PID:4772
        
        C:\Program Files\VideoLAN\VLC\skins\upfc.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa5ea5ec-bb1b-4a95-a1ab-5b51b59aa7b1.vbs"
        11⤵
        
        PID:3096
        
        C:\Program Files\VideoLAN\VLC\skins\upfc.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f330194-a5b4-41a6-969f-7e371c216f0d.vbs"
        13⤵
        
        PID:856
        
        C:\Program Files\VideoLAN\VLC\skins\upfc.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13d4bc50-06fd-4a20-a35e-517f56444b6c.vbs"
        15⤵
        
        PID:5052
        
        C:\Program Files\VideoLAN\VLC\skins\upfc.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\003925b0-3856-4fb0-8ee3-67bf985120d9.vbs"
        17⤵
        
        PID:4520
        
        C:\Program Files\VideoLAN\VLC\skins\upfc.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdc54ee8-6171-429f-99c4-5c13d37d3ce2.vbs"
        19⤵
        
        PID:2260
        
        C:\Program Files\VideoLAN\VLC\skins\upfc.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ccf7ff7-6d96-412b-99a7-ca56b1603d82.vbs"
        21⤵
        
        PID:1216
        
        C:\Program Files\VideoLAN\VLC\skins\upfc.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\upfc.exe"
        22⤵
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0237e35-f089-4fa0-87c3-2f002623a14a.vbs"
        21⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp4F20.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4F20.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp4F20.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4F20.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caf54168-f2f1-4725-b3b4-bcc541abac80.vbs"
        19⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp32DE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp32DE.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmp32DE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp32DE.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a053e4a-fbb2-42eb-955e-e62643ec8356.vbs"
        17⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp238.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8adc7dbe-7e5a-4910-9b40-ca6eab14e8e5.vbs"
        15⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmpD25E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD25E.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmpD25E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD25E.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b79b2eaa-6af4-4b51-90c2-005783c18dc9.vbs"
        13⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp9F19.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9F19.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9F19.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9F19.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\683b0ed6-0f23-4835-8e65-979d57b1a230.vbs"
        11⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp6E45.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6E45.tmp.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp6E45.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6E45.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp6E45.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6E45.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\020462d6-5bc7-4473-9052-5bc12be526d1.vbs"
        9⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp506D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp506D.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp506D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp506D.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcaf47ba-3e5a-440b-9e4a-005fc7d4a14d.vbs"
        7⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp1F0C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1F0C.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp1F0C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1F0C.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:4476
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db6db943-8dd2-4fa7-939a-362ea1b856f3.vbs"
        5⤵
        
        PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4924
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a9129b0-24b7-4e56-9bdc-7ab7b803e3b4.vbs"
    3⤵
    PID:2632
- - C:\Users\Admin\AppData\Local\Temp\tmpE251.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpE251.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\tmpE251.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE251.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\skins\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\skins\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\MsEdgeCrashpad\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\DiagTrack\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\DiagTrack\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Pictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\sysmon.exe

Filesize
4.9MB

MD5
c62cd7e55437ae4873f4cc2e98d87ccb

SHA1
99a5dc009e586ebb83f324c03f1729dad34ee031

SHA256
8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77

SHA512
497d6ed88c05e7b689f2fd8a00c92a652fd1f31edacf0b69edef0adb2f250509a1aee00beb4d6496021dd4aeb1b015b63ad6c70a5bf76466fd4104d1ee17754c

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\dwm.exe

Filesize
4.9MB

MD5
8090589d1f208d079882953c0ce2f31d

SHA1
d3060c15300e4cb37baa08154284ee6bf3450017

SHA256
e1adb32bfa0b1969cbb10fff5b276cae7d36b4f67137583be95e1e7c22ede460

SHA512
0db96dd02a3761edff21bb72d66d6a30e682b9303135094245c5fb13a20324dfb50c3e75b3d14fa42c18733da2742b16849041d1a7c103d5bb5ddc8d80733fc2

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
4.9MB

MD5
61c176f9614fbbf986b4551087d8d0fd

SHA1
6a6d374ad8a74904d2dde55e4bb1e4705f42809e

SHA256
73d3dfa014da637eccdc2e055f16db98a691523e7cfb2ef5c93f9fb58de02747

SHA512
9e3c3b4d7c56e9dd0b82da5cf209ef3edbddc0c259f914b555249a3f569585c4bc2c1eb2a177471d6bbb12e02cebb791ff18bffbbf3d60a844e6e32aec686727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\13d4bc50-06fd-4a20-a35e-517f56444b6c.vbs

Filesize
720B

MD5
d60ec65a7a65e21a7778f755c15f446d

SHA1
0955a71e5ea07c51bd6515ec8fb2dc230fbe6688

SHA256
f2ae1272534a08fbb8bcef373b27c51a7a7889caad8098ec8051a3a357679f81

SHA512
5a17a907e8972b7b006db48d542822221259ee862e3073b45bb66817cc44c9a824bc69d671c37340d80e4b53b915044b7dbb5aa89e1b23d48748971cb454377c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a9129b0-24b7-4e56-9bdc-7ab7b803e3b4.vbs

Filesize
496B

MD5
673b7842fe8902508deaeb5720d0b23f

SHA1
373e23c69023c854c985d4b4c2a574d6e200fdd8

SHA256
4e18da4b1961788980530c046ece47921b0ed18c2ff9e768ae48c299633f84ae

SHA512
941da949a72f77bc018ab2d229cb8cdef86e43382b33ac603bcea5a6364724d4d56763ddb23e00906fe89d798f14cd53605214829b044e5461f144962e8149d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\418378ad-caa9-49e0-bf2a-bc7da95c7e1a.vbs

Filesize
720B

MD5
9eec72e37e5fe39e722d1ff117e2f18b

SHA1
11a0cdd0b20f73deae7ef8d2e30527b38a7ce185

SHA256
b55d032556cf03a7aa6ec0315e70b285079df1a666913f9ac9d2b97a314a51ed

SHA512
4fbe1585e4865abebb18fae0bdc21502fe057585a60d5a3375a495520b5ff60b9070bbb6e0206d92008bef70d0a6addb8c41101894fc037ea929e55af429f337

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f330194-a5b4-41a6-969f-7e371c216f0d.vbs

Filesize
719B

MD5
61d63dcc50f9ba3d8ef3087a7bf0b490

SHA1
0ddc8b45cd9631be694d8863e0dbe820e7385395

SHA256
6160cf332ff70d1c3c1b4f31880979da0ec178eaf21ef36b21ebbeddba2e5133

SHA512
d2ebc4e4f4fe6407d82b123580ca79d6d5aac6aacad0f9ae3e781a3916ad563e7e23328dfed4615598a14dc7fc09ae7b94477e6c435927aeb97456b31b6c000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\90c62974-69e0-478b-a4d6-c6d9d0bb7016.vbs

Filesize
720B

MD5
ba57cb8e84908aac50dadf5682971f45

SHA1
a7dfcece3967d75b88b4556b744e0e4962944857

SHA256
cd8fbabe897f5ef9b6a8a6e2e519f5f0cf67e66c84641f9459fdda1aef473637

SHA512
a68398e5bae5fb0f0762a57938bb8002424ce13031777b5b0b7e169a707548debeb9b7841bc2d83205d96586b4ebe22fbc3adb90654d475ab5b50211ba2231d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xex4fmr0.g0g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9d75929-c36a-4c5d-941a-ccbe728eae1a.vbs

Filesize
719B

MD5
42bbee0555def14a9bbee75bc00cbe69

SHA1
2ece625959cc96b0c297b7ed254d1e087e7f4f1c

SHA256
6c101f5f97a89ddfa6524957c58120d54081713fe910db93b6d14c91f3d329ec

SHA512
b2dc427d299a4c61759b842ea49a401195acfa7fd9395adf8ad406c379a3a57c954a85c98d432157f0a7b97121b078c08d11a340d4e8bc4708f8b6f168c1ab9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4c9626c-220b-4802-9d87-ab871201dc20.vbs

Filesize
720B

MD5
a772b07e2da4562b797b4bea77bfbece

SHA1
60058f101d481f3afbfbcba5bc370a2b5b77f309

SHA256
fb3a5409d1d13a5e6b30a1c0d1c73b3788e6e61a78479c14792cbe36f79fd2d9

SHA512
f62e0b5c059d63994392d2324657246e78a216384b4aab3b9cf45146d036c770aaf342dbd5aef93d6a270687cd8a9189d1996cbfc167bde20cf1b988fa673999

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa5ea5ec-bb1b-4a95-a1ab-5b51b59aa7b1.vbs

Filesize
720B

MD5
0a05430bcdc92c2fc1ea73140bcdc372

SHA1
afbc8a7283050f5399b1c8ba4980a715366c53e0

SHA256
4e0e00dd46d41a39e74c526539d24c52fe67fa8fbd72a4942639a16bf7423299

SHA512
ccbec852bb3cb316616ccae4a848ad3224e0907d53be502c859eddf62348fcc6c7823036b9c6dd29762da0376ef780831b816913d3c8c7ee737d1defba79555c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB94.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/696-2-0x00007FFCC7F00000-0x00007FFCC89C1000-memory.dmp

Filesize
10.8MB

Download
memory/696-0-0x00007FFCC7F03000-0x00007FFCC7F05000-memory.dmp

Filesize
8KB

Download
memory/696-8-0x000000001B8D0000-0x000000001B8E6000-memory.dmp

Filesize
88KB

Download
memory/696-150-0x00007FFCC7F03000-0x00007FFCC7F05000-memory.dmp

Filesize
8KB

Download
memory/696-164-0x00007FFCC7F00000-0x00007FFCC89C1000-memory.dmp

Filesize
10.8MB

Download
memory/696-6-0x0000000002D40000-0x0000000002D48000-memory.dmp

Filesize
32KB

Download
memory/696-11-0x000000001B900000-0x000000001B912000-memory.dmp

Filesize
72KB

Download
memory/696-9-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/696-344-0x00007FFCC7F00000-0x00007FFCC89C1000-memory.dmp

Filesize
10.8MB

Download
memory/696-7-0x0000000002D60000-0x0000000002D70000-memory.dmp

Filesize
64KB

Download
memory/696-5-0x000000001C090000-0x000000001C0E0000-memory.dmp

Filesize
320KB

Download
memory/696-4-0x000000001B8B0000-0x000000001B8CC000-memory.dmp

Filesize
112KB

Download
memory/696-3-0x000000001B960000-0x000000001BA8E000-memory.dmp

Filesize
1.2MB

Download
memory/696-12-0x000000001C610000-0x000000001CB38000-memory.dmp

Filesize
5.2MB

Download
memory/696-10-0x000000001B8F0000-0x000000001B8FA000-memory.dmp

Filesize
40KB

Download
memory/696-17-0x000000001C0E0000-0x000000001C0E8000-memory.dmp

Filesize
32KB

Download
memory/696-18-0x000000001C0F0000-0x000000001C0FC000-memory.dmp

Filesize
48KB

Download
memory/696-1-0x0000000000650000-0x0000000000B44000-memory.dmp

Filesize
5.0MB

Download
memory/696-16-0x000000001B940000-0x000000001B948000-memory.dmp

Filesize
32KB

Download
memory/696-15-0x000000001B930000-0x000000001B93E000-memory.dmp

Filesize
56KB

Download
memory/696-14-0x000000001B920000-0x000000001B92E000-memory.dmp

Filesize
56KB

Download
memory/696-13-0x000000001B910000-0x000000001B91A000-memory.dmp

Filesize
40KB

Download
memory/2184-238-0x00000238EB6A0000-0x00000238EB6C2000-memory.dmp

Filesize
136KB

Download
memory/3564-571-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/3644-79-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download