dcrat | c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2024, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Size

2.8MB
MD5

2021a9779c45f35a46b1b28f2e9136fa
SHA1

76e03dfcc8732388fad4fd83b72b34cad50786ca
SHA256

c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a
SHA512

5fc1617b672c308df2116cbfcd08e6d6b1c4969c3399dd9eb4c6d12a08bac23ac897c76de20cb1730fe44b50cf2bb840b11332f01f016ca1d4d6ab1bbdd19116
SSDEEP

49152:7CFujkASUPVAIsINt8BCt3GSHBZTz0uBHTNS/lhv+8PUkYH4j:GFixPV9s4CqWQbzB+dc8BJj

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	3768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3768	schtasks.exe	83

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4296-1-0x0000000000630000-0x00000000008FC000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b89-37.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2512	powershell.exe
1908	powershell.exe
4864	powershell.exe
1804	powershell.exe
2340	powershell.exe
1704	powershell.exe
2072	powershell.exe
116	powershell.exe
3984	powershell.exe
1056	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 13 IoCs

pid	Process
1808	upfc.exe
5024	upfc.exe
1352	upfc.exe
2280	upfc.exe
3696	upfc.exe
2032	upfc.exe
4236	upfc.exe
1604	upfc.exe
3168	upfc.exe
4316	upfc.exe
2444	upfc.exe
4120	upfc.exe
2240	upfc.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\886983d96e3d3e	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e1ef82546f0b02	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\sysmon.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\121e5b5079f7c0	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Windows Media Player\csrss.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\RuntimeBroker.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4920	schtasks.exe
2220	schtasks.exe
3784	schtasks.exe
5040	schtasks.exe
2280	schtasks.exe
1488	schtasks.exe
2768	schtasks.exe
3916	schtasks.exe
4248	schtasks.exe
3788	schtasks.exe
1780	schtasks.exe
2820	schtasks.exe
4416	schtasks.exe
2972	schtasks.exe
2568	schtasks.exe
3896	schtasks.exe
4172	schtasks.exe
2184	schtasks.exe
760	schtasks.exe
1216	schtasks.exe
4780	schtasks.exe
3192	schtasks.exe
3060	schtasks.exe
4424	schtasks.exe
4636	schtasks.exe
3232	schtasks.exe
1436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
3984	powershell.exe
3984	powershell.exe
116	powershell.exe
116	powershell.exe
2340	powershell.exe
2340	powershell.exe
1704	powershell.exe
1704	powershell.exe
4864	powershell.exe
1804	powershell.exe
4864	powershell.exe
1804	powershell.exe
1908	powershell.exe
1908	powershell.exe
2072	powershell.exe
2072	powershell.exe
2512	powershell.exe
2512	powershell.exe
1056	powershell.exe
1056	powershell.exe
1704	powershell.exe
2340	powershell.exe
116	powershell.exe
3984	powershell.exe
2512	powershell.exe
1804	powershell.exe
4864	powershell.exe
1908	powershell.exe
2072	powershell.exe
1056	powershell.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe
1808	upfc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1808	upfc.exe
Token: SeDebugPrivilege	5024	upfc.exe
Token: SeDebugPrivilege	1352	upfc.exe
Token: SeDebugPrivilege	2280	upfc.exe
Token: SeDebugPrivilege	3696	upfc.exe
Token: SeDebugPrivilege	2032	upfc.exe
Token: SeDebugPrivilege	4236	upfc.exe
Token: SeDebugPrivilege	1604	upfc.exe
Token: SeDebugPrivilege	3168	upfc.exe
Token: SeDebugPrivilege	4316	upfc.exe
Token: SeDebugPrivilege	2444	upfc.exe
Token: SeDebugPrivilege	4120	upfc.exe
Token: SeDebugPrivilege	2240	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 1056	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	111
PID 4296 wrote to memory of 1056	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	111
PID 4296 wrote to memory of 3984	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	112
PID 4296 wrote to memory of 3984	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	112
PID 4296 wrote to memory of 116	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	113
PID 4296 wrote to memory of 116	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	113
PID 4296 wrote to memory of 2072	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	114
PID 4296 wrote to memory of 2072	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	114
PID 4296 wrote to memory of 4864	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	115
PID 4296 wrote to memory of 4864	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	115
PID 4296 wrote to memory of 1704	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	116
PID 4296 wrote to memory of 1704	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	116
PID 4296 wrote to memory of 1908	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	117
PID 4296 wrote to memory of 1908	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	117
PID 4296 wrote to memory of 2512	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	118
PID 4296 wrote to memory of 2512	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	118
PID 4296 wrote to memory of 2340	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	119
PID 4296 wrote to memory of 2340	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	119
PID 4296 wrote to memory of 1804	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	120
PID 4296 wrote to memory of 1804	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	120
PID 4296 wrote to memory of 772	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	131
PID 4296 wrote to memory of 772	4296	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	131
PID 772 wrote to memory of 5048	772	cmd.exe	133
PID 772 wrote to memory of 5048	772	cmd.exe	133
PID 772 wrote to memory of 1808	772	cmd.exe	134
PID 772 wrote to memory of 1808	772	cmd.exe	134
PID 1808 wrote to memory of 3168	1808	upfc.exe	139
PID 1808 wrote to memory of 3168	1808	upfc.exe	139
PID 1808 wrote to memory of 4984	1808	upfc.exe	140
PID 1808 wrote to memory of 4984	1808	upfc.exe	140
PID 3168 wrote to memory of 5024	3168	WScript.exe	147
PID 3168 wrote to memory of 5024	3168	WScript.exe	147
PID 5024 wrote to memory of 1500	5024	upfc.exe	149
PID 5024 wrote to memory of 1500	5024	upfc.exe	149
PID 5024 wrote to memory of 4452	5024	upfc.exe	150
PID 5024 wrote to memory of 4452	5024	upfc.exe	150
PID 1500 wrote to memory of 1352	1500	WScript.exe	155
PID 1500 wrote to memory of 1352	1500	WScript.exe	155
PID 1352 wrote to memory of 2156	1352	upfc.exe	157
PID 1352 wrote to memory of 2156	1352	upfc.exe	157
PID 1352 wrote to memory of 4368	1352	upfc.exe	158
PID 1352 wrote to memory of 4368	1352	upfc.exe	158
PID 2156 wrote to memory of 2280	2156	WScript.exe	160
PID 2156 wrote to memory of 2280	2156	WScript.exe	160
PID 2280 wrote to memory of 1524	2280	upfc.exe	162
PID 2280 wrote to memory of 1524	2280	upfc.exe	162
PID 2280 wrote to memory of 3060	2280	upfc.exe	163
PID 2280 wrote to memory of 3060	2280	upfc.exe	163
PID 1524 wrote to memory of 3696	1524	WScript.exe	165
PID 1524 wrote to memory of 3696	1524	WScript.exe	165
PID 3696 wrote to memory of 1344	3696	upfc.exe	167
PID 3696 wrote to memory of 1344	3696	upfc.exe	167
PID 3696 wrote to memory of 3544	3696	upfc.exe	168
PID 3696 wrote to memory of 3544	3696	upfc.exe	168
PID 1344 wrote to memory of 2032	1344	WScript.exe	170
PID 1344 wrote to memory of 2032	1344	WScript.exe	170
PID 2032 wrote to memory of 228	2032	upfc.exe	172
PID 2032 wrote to memory of 228	2032	upfc.exe	172
PID 2032 wrote to memory of 1116	2032	upfc.exe	173
PID 2032 wrote to memory of 1116	2032	upfc.exe	173
PID 228 wrote to memory of 4236	228	WScript.exe	176
PID 228 wrote to memory of 4236	228	WScript.exe	176
PID 4236 wrote to memory of 4496	4236	upfc.exe	178
PID 4236 wrote to memory of 4496	4236	upfc.exe	178

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
"C:\Users\Admin\AppData\Local\Temp\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qEIjCxjMJP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5048
- - C:\Recovery\WindowsRE\upfc.exe
    "C:\Recovery\WindowsRE\upfc.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1808
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c956408-9a59-4fd0-9f28-73944fea8d05.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5024
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59e7886c-7459-4215-8467-2b19e443aa14.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3f55498-35a6-4783-a370-8072aeea2793.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c48a095-26e0-4cd4-a3d6-5cd5bfd1f724.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44dbd6d6-798d-4916-a5e7-f2d2842ed3f2.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c76ed3c8-f614-4c87-8a2c-4b6ad6221bbf.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff8aa040-b511-46d1-afc4-a2aa5adfb403.vbs"
        16⤵
        
        PID:4496
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67ee21ff-cdfc-4d16-aef0-35b5dcc1706b.vbs"
        18⤵
        
        PID:1768
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f2193b4-7a1b-4826-9db0-80ef23b21215.vbs"
        20⤵
        
        PID:4824
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e938430-58d7-482f-ac1f-7e86ed588f1c.vbs"
        22⤵
        
        PID:436
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f3accac-6f7f-4ccb-8ab9-f8e3992a21ce.vbs"
        24⤵
        
        PID:2488
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\869e27dc-eae0-429e-bb15-b1f24254690e.vbs"
        26⤵
        
        PID:3220
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d38d924-dbb6-4c08-a14e-72d5dcc2d060.vbs"
        28⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\720387ff-ab46-411d-89d1-5d2645bc74f5.vbs"
        28⤵
        
        PID:5052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46376961-01b8-4671-97ba-e2c6fe2f4439.vbs"
        26⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\151a1640-7f7a-44df-ac0d-554a10e4370f.vbs"
        24⤵
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82b5992f-92b7-47bf-a619-1b64bca40bac.vbs"
        22⤵
        
        PID:4600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72abf1d4-5a1d-4666-ad64-415c0629a082.vbs"
        20⤵
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bae683f8-1467-4b77-bb34-eff35f0174e9.vbs"
        18⤵
        
        PID:5104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\338e7b9a-f71c-42c2-88f2-b6cf486dc288.vbs"
        16⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3f057c1-3668-47e6-879c-6b030f3c34a6.vbs"
        14⤵
        
        PID:1116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16efd208-2c67-419c-b860-7aad637c0fc4.vbs"
        12⤵
        
        PID:3544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79596a49-a06d-4714-8aee-cd14ac28c92c.vbs"
        10⤵
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf79d93-6b4d-4c1a-8599-9afab8565b7d.vbs"
        8⤵
        
        PID:4368
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\040f808a-b06b-48df-8b45-6b4cc1e06d70.vbs"
        6⤵
        
        PID:4452
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe6d415c-b338-4f66-b734-a5b2b20041f5.vbs"
      4⤵
      PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\USOShared\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\USOShared\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\csrss.exe

Filesize
2.8MB

MD5
2021a9779c45f35a46b1b28f2e9136fa

SHA1
76e03dfcc8732388fad4fd83b72b34cad50786ca

SHA256
c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a

SHA512
5fc1617b672c308df2116cbfcd08e6d6b1c4969c3399dd9eb4c6d12a08bac23ac897c76de20cb1730fe44b50cf2bb840b11332f01f016ca1d4d6ab1bbdd19116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c48a095-26e0-4cd4-a3d6-5cd5bfd1f724.vbs

Filesize
706B

MD5
827cc0bdfc7f2d8cc59bc338d4722c1f

SHA1
a582c399592bda6869d328d0721fb2b44f536153

SHA256
499de40025f1af9e25825891b5a5afe570a9046701993e90bfe311d27d2fa668

SHA512
21306348a76c5351a67fbdb47ace9288704da3db5163e886ce68429b3f6be7c1ec6a81e8665fdd9d5beeb3a0f93051b2e800c437e81ef3d82ab1c925136a8296

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c956408-9a59-4fd0-9f28-73944fea8d05.vbs

Filesize
706B

MD5
28cc12be7c1262d41d91bb7ccc2b6547

SHA1
7f5187094856dd55c3333f017299e470c5bdc2ca

SHA256
a622b2608c0df45d6241309739088c89f752dd7184551aa70eb2ee9509e79ea1

SHA512
68427256b43b4a5672c6580628bf4b2836ca99e4975a657ad0cc603f609ce0bbc78b9267a3dd5cd626fa63abc213afe4aa8d35f077e320528b4f1db841fb9f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\44dbd6d6-798d-4916-a5e7-f2d2842ed3f2.vbs

Filesize
706B

MD5
3d069f6eede9cdca0cc7c9c39c9900e1

SHA1
6c8ac4c54a17b70edae8bfce66d1c94720f2f01c

SHA256
2198114a0db2f36f3f388abd10844e8bd2ae26c73cf6c45b137dc91bdb4de05f

SHA512
715c66e83dd3aa7c537a1f36f2916082614b0c002f9aa95fb302da0c31049a08403e00943b94bbf07948a8c6ca3a7978121a0a950680e7210a1720a67a9ae583

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e938430-58d7-482f-ac1f-7e86ed588f1c.vbs

Filesize
706B

MD5
dd4370959a49010e2abb2ace75c448a6

SHA1
a1513f564604f1c9253547aef480ec7ecdb92d05

SHA256
fa9bfd9f73bde8f3e4be73649d521287a85307bc363a95933e4527ac99fa653e

SHA512
8eb87b861e903fd86cd94e3db921d85e83823a8d8e6c699b703fd33026da6ca389c7b9e3de7a07d2dd3bf084ecd7afeb837835d8095a086e6e643f5470f61041

Download Submit
C:\Users\Admin\AppData\Local\Temp\59e7886c-7459-4215-8467-2b19e443aa14.vbs

Filesize
706B

MD5
3d8c7143f6811246a5a7daa8740f424c

SHA1
8ade429308099f7eb22a8b0ed86b4714c066801a

SHA256
bab84f8de47118355da9fba5a35bc0fe542feba02b413df9a8ba77137ed48e4c

SHA512
ec9dd16658b6aedada6c6a3014daad1e8b19bbbe35b78687907c9748383643e483a8a103d72215e51880ae0092def0dca5e8d24e92db537dcf39458e82aa69dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f3accac-6f7f-4ccb-8ab9-f8e3992a21ce.vbs

Filesize
706B

MD5
2d63afb799591f38b1c3ad248dfa0556

SHA1
d8ee504baeab3665a679f8c02edee5961e0811b7

SHA256
e1a8aeb09bcb376dc8a60356f028a22625e58b896ecb913249081ab584a9d8b5

SHA512
163ccca967fcfb78b00eb50483ffb4c35e430d3635e2d538c1280847d460201b60569460ef37118a4173f1a627cf8387b5f56524374b20bde892c5b69a95fb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\67ee21ff-cdfc-4d16-aef0-35b5dcc1706b.vbs

Filesize
706B

MD5
93eefddfea352ddf9d83edb5f67f53dc

SHA1
4f7e19a395c6011e5ede0819c886dbc7ae0c2222

SHA256
5cc98cad80891b23afd123eaeba5fb9510998e4f14597b523fe9773e4642726e

SHA512
22c3e669c6b3f600b4c43d770a2c8e2e319394f4b6c7c2c5e4025cb41729c472a3fc38e147f5151aaa263c1da9ed8861dfdca8b45118312ea0e90d033e2385c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\869e27dc-eae0-429e-bb15-b1f24254690e.vbs

Filesize
706B

MD5
5c283ed81454de7941bd17a4700d608a

SHA1
c71dcb88666f175374728c7f3fc457af87f9253f

SHA256
4a2fa9352e708655abea9d523103b822650af32b50a69d198a3f4a1f9fdafd69

SHA512
98918a9a4e7429167baf00d3d022e0904a6933a0f2cd768fd13b74605c303013e3843e38de308ca75a797e51e5a9d13b3b1b897060d74b41072ae288d55816c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d38d924-dbb6-4c08-a14e-72d5dcc2d060.vbs

Filesize
706B

MD5
b8720b32993021113e7ad752ddcc85e6

SHA1
2835c743a5725282baf17bcea3530b9c2f906924

SHA256
6062919b1f97a0e880dc963804616a627931de298e3ced5646fb0ea64b31ef47

SHA512
3e14bfe412c9f303c5876032474df6835eedf36e07f805e07fd3442b7c266747a4fe8ffc5f629e18bf39c595f25ec5ff3ad7ba63f99e50695255ead8c854031b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f2193b4-7a1b-4826-9db0-80ef23b21215.vbs

Filesize
706B

MD5
22cb6ee667f514a0bec176baa9d976f4

SHA1
20b36be5bfd583bc093104302129212c92fcdc32

SHA256
98e8612378bc13c0b97708d798e27c5732234ad5e14b8926f10d09a03b70b2a4

SHA512
27d14b5a2e67a657f271aea8d0ee57cc1fde85906f1a193faa09696179b43581a6e06ac9ebd4c597b236428c6fec1cbecaa8afd020b2e06eaa0507acfdbc75fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qw3ddm3c.145.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3f55498-35a6-4783-a370-8072aeea2793.vbs

Filesize
706B

MD5
0ee655c677c5c7be7e8500fd37971bb3

SHA1
4d59aadf94f9db0fcf4d9e98f7976ac7f3fc85d1

SHA256
18fb48b290728f5b6709079ed97d8b935d49f5fb07e583c30a39cfbd95ec6c4c

SHA512
0d646a2ef5fcc22eea0dd922e3422b050e84a95583ae9e360c0c9d112e456d9f926cb8bc2507919f0f79d3e1a49fb8d1378b58d4c15521cdc4a544c26ee67e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\c76ed3c8-f614-4c87-8a2c-4b6ad6221bbf.vbs

Filesize
706B

MD5
8e2f15ee6cdf787bc0c835e1bfd90ff1

SHA1
b528f13410d087188a6a2f67fcb6f8a2a2b36b2d

SHA256
8b044d5647667b57fe8a078352a92d680abc408c07e4d812217f737f7c2595e5

SHA512
5c2c7d10d4403c04e926095ec412843104e538d40b20f9d209d51047bad51759026d60dd850920675d7dff274c6ddb19ebacfb1d3e6077a8f358079cc8afc7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe6d415c-b338-4f66-b734-a5b2b20041f5.vbs

Filesize
482B

MD5
24ada8f22fb273ddd442600d3decc7c1

SHA1
68a931dff2c8582cd1449357184a11fdbe16fac2

SHA256
f3f0f3075c935abc979383420139275396526b52f39af378837ef67a4cc8cbe9

SHA512
ddb7d86aeba8b5a1752b534c55865ab7844b57099c3c82f577744ebe4c2d2d8b38273977ba133ce7f2fa2d404353c8a59d4b94f87ef550dfbc4326792ea763e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff8aa040-b511-46d1-afc4-a2aa5adfb403.vbs

Filesize
706B

MD5
078a8881996be03658f2f6bb899cd828

SHA1
c4235d0cc6b45eafc0bd4839ba300b5829225280

SHA256
3638d42d45c3d70e81523de473f5d8687bb0d04e47886ccf5ee458caf8b67242

SHA512
586b034d48e26e61a443ef35130d082e43de39f4c8416f6188736a356314b727588c410c9af86d387cd1f7a0ecb44c48339e3d4a15b1930fd0578bc0646f91d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEIjCxjMJP.bat

Filesize
195B

MD5
3b7ac67bc490e00c96a23643582052b5

SHA1
bd23d6493a190f921abc6701848c3f1a8839983d

SHA256
3684587ce65058bd836a6a5f9690f87ff7573675766b140815fb349c31a6417d

SHA512
9da38c2a252e9bae775dccb6b8900038e94e99b1e45272e597156eb023ac62ca651328f2a9154e1db5e33ded486a8212e3b8a84591464bfdfe4a8855a3cf466a

Download Submit
memory/1352-192-0x000000001BA50000-0x000000001BA62000-memory.dmp

Filesize
72KB

Download
memory/1704-57-0x00000195EBA20000-0x00000195EBA42000-memory.dmp

Filesize
136KB

Download
memory/4296-14-0x0000000002BD0000-0x0000000002BD8000-memory.dmp

Filesize
32KB

Download
memory/4296-15-0x0000000002C30000-0x0000000002C42000-memory.dmp

Filesize
72KB

Download
memory/4296-27-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

Filesize
10.8MB

Download
memory/4296-23-0x000000001BFA0000-0x000000001BFAE000-memory.dmp

Filesize
56KB

Download
memory/4296-24-0x000000001BFB0000-0x000000001BFB8000-memory.dmp

Filesize
32KB

Download
memory/4296-63-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

Filesize
10.8MB

Download
memory/4296-25-0x000000001C210000-0x000000001C21A000-memory.dmp

Filesize
40KB

Download
memory/4296-26-0x000000001C0D0000-0x000000001C0DC000-memory.dmp

Filesize
48KB

Download
memory/4296-22-0x000000001BF90000-0x000000001BF9A000-memory.dmp

Filesize
40KB

Download
memory/4296-21-0x000000001C0C0000-0x000000001C0C8000-memory.dmp

Filesize
32KB

Download
memory/4296-20-0x000000001BE80000-0x000000001BE8C000-memory.dmp

Filesize
48KB

Download
memory/4296-18-0x000000001B610000-0x000000001B618000-memory.dmp

Filesize
32KB

Download
memory/4296-19-0x000000001BE70000-0x000000001BE7C000-memory.dmp

Filesize
48KB

Download
memory/4296-17-0x0000000002C40000-0x0000000002C4C000-memory.dmp

Filesize
48KB

Download
memory/4296-16-0x000000001C3A0000-0x000000001C8C8000-memory.dmp

Filesize
5.2MB

Download
memory/4296-30-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

Filesize
10.8MB

Download
memory/4296-0-0x00007FFB42953000-0x00007FFB42955000-memory.dmp

Filesize
8KB

Download
memory/4296-13-0x0000000002BC0000-0x0000000002BCC000-memory.dmp

Filesize
48KB

Download
memory/4296-12-0x0000000002BB0000-0x0000000002BB8000-memory.dmp

Filesize
32KB

Download
memory/4296-11-0x000000001B5A0000-0x000000001B5F6000-memory.dmp

Filesize
344KB

Download
memory/4296-10-0x0000000002BA0000-0x0000000002BAA000-memory.dmp

Filesize
40KB

Download
memory/4296-6-0x0000000002A30000-0x0000000002A46000-memory.dmp

Filesize
88KB

Download
memory/4296-7-0x0000000002A50000-0x0000000002A58000-memory.dmp

Filesize
32KB

Download
memory/4296-9-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/4296-8-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/4296-1-0x0000000000630000-0x00000000008FC000-memory.dmp

Filesize
2.8MB

Download
memory/4296-5-0x0000000002A20000-0x0000000002A28000-memory.dmp

Filesize
32KB

Download
memory/4296-3-0x0000000001210000-0x000000000122C000-memory.dmp

Filesize
112KB

Download
memory/4296-4-0x0000000002BE0000-0x0000000002C30000-memory.dmp

Filesize
320KB

Download
memory/4296-2-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

Filesize
10.8MB

Download
memory/4316-270-0x000000001BF40000-0x000000001BF96000-memory.dmp

Filesize
344KB

Download