5e807de88a43edb7b341ed17b4e218f35c3204bf5dc969c131792b0a23e9ddc1

Analysis

max time kernel
147s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Size

1.9MB
MD5

88c85713b28206515423821dce1f0a0b
SHA1

3b8372f2cdf9875b21e189634f50661cf4d40a2c
SHA256

e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d
SHA512

26e7cf21280bf49336462cfcf229ea6a8c72c3241c0398e85e9fb3f2fe50d174e3bb1f0215f784767034a4b1ecbe59d61e02bf4541014612bd0e30f67f5a6a07
SSDEEP

24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1716	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1716	schtasks.exe	87

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5084	powershell.exe
3076	powershell.exe
2928	powershell.exe
1160	powershell.exe
1536	powershell.exe
4132	powershell.exe
4420	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 9 IoCs

pid	Process
4840	OfficeClickToRun.exe
4832	OfficeClickToRun.exe
4032	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4516	OfficeClickToRun.exe
3308	OfficeClickToRun.exe
4276	OfficeClickToRun.exe
1804	OfficeClickToRun.exe
3828	OfficeClickToRun.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\ja-JP\upfc.exe	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\ea1d8f6d871115	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\RCXA04B.tmp	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\RCXA0C9.tmp	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\upfc.exe	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1836	schtasks.exe
2544	schtasks.exe
3732	schtasks.exe
2040	schtasks.exe
2508	schtasks.exe
1448	schtasks.exe
1228	schtasks.exe
3448	schtasks.exe
4392	schtasks.exe
4972	schtasks.exe
5004	schtasks.exe
704	schtasks.exe
1576	schtasks.exe
1504	schtasks.exe
4464	schtasks.exe
4056	schtasks.exe
4604	schtasks.exe
3272	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
1160	powershell.exe
1160	powershell.exe
5084	powershell.exe
5084	powershell.exe
4132	powershell.exe
4132	powershell.exe
3076	powershell.exe
3076	powershell.exe
4420	powershell.exe
4420	powershell.exe
1536	powershell.exe
1536	powershell.exe
2928	powershell.exe
2928	powershell.exe
1160	powershell.exe
4420	powershell.exe
1536	powershell.exe
5084	powershell.exe
3076	powershell.exe
4132	powershell.exe
2928	powershell.exe
4840	OfficeClickToRun.exe
4832	OfficeClickToRun.exe
4032	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4516	OfficeClickToRun.exe
3308	OfficeClickToRun.exe
4276	OfficeClickToRun.exe
1804	OfficeClickToRun.exe
3828	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	4840	OfficeClickToRun.exe
Token: SeDebugPrivilege	4832	OfficeClickToRun.exe
Token: SeDebugPrivilege	4032	OfficeClickToRun.exe
Token: SeDebugPrivilege	4864	OfficeClickToRun.exe
Token: SeDebugPrivilege	4516	OfficeClickToRun.exe
Token: SeDebugPrivilege	3308	OfficeClickToRun.exe
Token: SeDebugPrivilege	4276	OfficeClickToRun.exe
Token: SeDebugPrivilege	1804	OfficeClickToRun.exe
Token: SeDebugPrivilege	3828	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 2928	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	109
PID 3456 wrote to memory of 2928	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	109
PID 3456 wrote to memory of 3076	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	110
PID 3456 wrote to memory of 3076	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	110
PID 3456 wrote to memory of 5084	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	111
PID 3456 wrote to memory of 5084	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	111
PID 3456 wrote to memory of 1160	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	113
PID 3456 wrote to memory of 1160	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	113
PID 3456 wrote to memory of 1536	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	114
PID 3456 wrote to memory of 1536	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	114
PID 3456 wrote to memory of 4420	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	116
PID 3456 wrote to memory of 4420	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	116
PID 3456 wrote to memory of 4132	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	118
PID 3456 wrote to memory of 4132	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	118
PID 3456 wrote to memory of 3488	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	123
PID 3456 wrote to memory of 3488	3456	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe	123
PID 3488 wrote to memory of 1460	3488	cmd.exe	125
PID 3488 wrote to memory of 1460	3488	cmd.exe	125
PID 3488 wrote to memory of 4840	3488	cmd.exe	128
PID 3488 wrote to memory of 4840	3488	cmd.exe	128
PID 4840 wrote to memory of 3580	4840	OfficeClickToRun.exe	129
PID 4840 wrote to memory of 3580	4840	OfficeClickToRun.exe	129
PID 4840 wrote to memory of 4348	4840	OfficeClickToRun.exe	130
PID 4840 wrote to memory of 4348	4840	OfficeClickToRun.exe	130
PID 3580 wrote to memory of 4832	3580	WScript.exe	133
PID 3580 wrote to memory of 4832	3580	WScript.exe	133
PID 4832 wrote to memory of 1176	4832	OfficeClickToRun.exe	134
PID 4832 wrote to memory of 1176	4832	OfficeClickToRun.exe	134
PID 4832 wrote to memory of 692	4832	OfficeClickToRun.exe	135
PID 4832 wrote to memory of 692	4832	OfficeClickToRun.exe	135
PID 1176 wrote to memory of 4032	1176	WScript.exe	142
PID 1176 wrote to memory of 4032	1176	WScript.exe	142
PID 4032 wrote to memory of 228	4032	OfficeClickToRun.exe	143
PID 4032 wrote to memory of 228	4032	OfficeClickToRun.exe	143
PID 4032 wrote to memory of 4840	4032	OfficeClickToRun.exe	144
PID 4032 wrote to memory of 4840	4032	OfficeClickToRun.exe	144
PID 228 wrote to memory of 4864	228	WScript.exe	145
PID 228 wrote to memory of 4864	228	WScript.exe	145
PID 4864 wrote to memory of 2704	4864	OfficeClickToRun.exe	146
PID 4864 wrote to memory of 2704	4864	OfficeClickToRun.exe	146
PID 4864 wrote to memory of 4000	4864	OfficeClickToRun.exe	147
PID 4864 wrote to memory of 4000	4864	OfficeClickToRun.exe	147
PID 2704 wrote to memory of 4516	2704	WScript.exe	149
PID 2704 wrote to memory of 4516	2704	WScript.exe	149
PID 4516 wrote to memory of 812	4516	OfficeClickToRun.exe	150
PID 4516 wrote to memory of 812	4516	OfficeClickToRun.exe	150
PID 4516 wrote to memory of 2460	4516	OfficeClickToRun.exe	151
PID 4516 wrote to memory of 2460	4516	OfficeClickToRun.exe	151
PID 812 wrote to memory of 3308	812	WScript.exe	152
PID 812 wrote to memory of 3308	812	WScript.exe	152
PID 3308 wrote to memory of 3468	3308	OfficeClickToRun.exe	153
PID 3308 wrote to memory of 3468	3308	OfficeClickToRun.exe	153
PID 3308 wrote to memory of 3456	3308	OfficeClickToRun.exe	154
PID 3308 wrote to memory of 3456	3308	OfficeClickToRun.exe	154
PID 3468 wrote to memory of 4276	3468	WScript.exe	155
PID 3468 wrote to memory of 4276	3468	WScript.exe	155
PID 4276 wrote to memory of 1180	4276	OfficeClickToRun.exe	156
PID 4276 wrote to memory of 1180	4276	OfficeClickToRun.exe	156
PID 4276 wrote to memory of 3352	4276	OfficeClickToRun.exe	157
PID 4276 wrote to memory of 3352	4276	OfficeClickToRun.exe	157
PID 1180 wrote to memory of 1804	1180	WScript.exe	158
PID 1180 wrote to memory of 1804	1180	WScript.exe	158
PID 1804 wrote to memory of 2204	1804	OfficeClickToRun.exe	159
PID 1804 wrote to memory of 2204	1804	OfficeClickToRun.exe	159

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
"C:\Users\Admin\AppData\Local\Temp\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\ja-JP\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HXYUNDfkzI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1460
- - C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
    "C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4840
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f4143be-aa86-44be-8845-daea1a49c876.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4832
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c5dd1d5-a5ad-4206-9c14-1945b5e4ba46.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a43cce0b-0bfb-4df1-a531-ec1d9d262a7d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dece766e-4918-4e53-a6ef-b1ffb2a98c21.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d142691d-50bc-4878-bd8b-f0d5f8f134ce.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6307a4b-c4e4-4b4e-aa47-1d8d8fdab6ae.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77fbc26a-a298-4bc2-b0aa-07ce44cda62f.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a708acca-bf2e-4e1a-9d98-beeafd67e0fb.vbs"
        18⤵
        
        PID:2204
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        
        C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a52eb8e-2508-4770-bc85-04e2805cef74.vbs"
        20⤵
        
        PID:4736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66032aa2-8bc8-48b9-ace4-ba0a57941472.vbs"
        20⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74d5fe7b-7dd6-4616-8071-e5da7470841e.vbs"
        18⤵
        
        PID:464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31326418-4fee-44e5-895f-1d9f85d590bb.vbs"
        16⤵
        
        PID:3352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d4d6b7-5d70-4a6c-b6d5-5656ad986ae6.vbs"
        14⤵
        
        PID:3456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1345c587-210b-4306-a22a-b89151775be0.vbs"
        12⤵
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c41060c6-5372-4cea-af5f-2e90530ddc98.vbs"
        10⤵
        
        PID:4000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e71625e6-e74c-43a5-a69a-762c9b5627c2.vbs"
        8⤵
        
        PID:4840
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\448baac2-fb62-472b-8194-af6e4f1e7c8c.vbs"
        6⤵
        
        PID:692
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eec4c828-de4d-4a15-b78a-51ee85bb33f3.vbs"
      4⤵
      PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\0154351536fc379faee1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\0154351536fc379faee1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\0154351536fc379faee1\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\0154351536fc379faee1\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe

Filesize
1.9MB

MD5
88c85713b28206515423821dce1f0a0b

SHA1
3b8372f2cdf9875b21e189634f50661cf4d40a2c

SHA256
e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d

SHA512
26e7cf21280bf49336462cfcf229ea6a8c72c3241c0398e85e9fb3f2fe50d174e3bb1f0215f784767034a4b1ecbe59d61e02bf4541014612bd0e30f67f5a6a07

Download Submit
C:\Program Files\Windows NT\Accessories\ja-JP\upfc.exe

Filesize
1.9MB

MD5
2664f04f097a2c24fe357b33213f3121

SHA1
0eb6ce6e7eba8019090ecf94793de3cb72b98f1a

SHA256
3c47c0548fecd66fb41b06e0868bc23ba62acb72301a435758d95a87a51752c7

SHA512
34fa7474ac28b094756817b0d407e4276312cf4526b0e07a060eca4b79b413b77a219a521af04108f31db934741810a50934e269c7e532edd593a62f926c06bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c56ba5098c530bbd1cdb28d50090d39

SHA1
ff63178ea722ec2db118c81051bf85544fb6b316

SHA256
0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

SHA512
cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
19c1c95807d53fcb88e1e2289e645f0b

SHA1
832c029a7433b229e66296b6f8a4ba56b0246298

SHA256
73f393ffbdb24758131fa51669790c37ed233802f1ed85f7bdfd058e0b5fb83f

SHA512
f528e937baf51c0b85aa25277bd8d12a10e5f8a78187b32eaaacd0dfceba6f3bf90cf21945e299f52fe1110e48ebabe1a8df868e94a72d8899e7f4f49848aa71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e10ceaefa38a8a0c7cf27b2938747eae

SHA1
18dd07de4b7d6f6d0fb7e1feebd78f0a93f6c89e

SHA256
d2f2ece67e3314a38df3789214221bbdd06f9f577470b543f6d094b621fba43b

SHA512
84c811e7d313674fff4c24945d275f2aa88380955679bd3a60c7dbde83a370143f3b1b8a677a8b543a571c9069a9262a3f414ff5aff74a283adb81e6321138ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
990f2ad22e4ee8bb16d0e84568ff1c04

SHA1
8ee103c2c4969dd252d3f136479e718361e2ace2

SHA256
9e058905555242348650ecae8008fd39cf63bac0f3160637aab912fd54fd2578

SHA512
ab70a31915f4241c23a020a0e1c8ad5b2468c06911ceb4418b5377619953780f14070a2674858b1a7d999b356448ffdb51db6393e56f20defb291866383f5802

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c5dd1d5-a5ad-4206-9c14-1945b5e4ba46.vbs

Filesize
722B

MD5
35cdc34fb1f724734fe03060b0b29936

SHA1
3d62c52daf3f9c885df328b458bbce26ae337317

SHA256
601887a572ef5d893d9505bd2dea9800dfb5b358d27f8cd53f44e8fb3ca20b3c

SHA512
a0f35a1dc1e8a5fbca5b41ad9048614fbb65b0a1a9d72a199361a152794a7da93761cbbed91daec83760941f910c074d5c83dcd4f616a7a250020b20236fa60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f4143be-aa86-44be-8845-daea1a49c876.vbs

Filesize
722B

MD5
c0c6cdf2b8cbca5488eb18800cbbf158

SHA1
3d4eec67572540d7517df3bbfc8f9e9e828ce8f9

SHA256
b176a50a0bc8d8528aa331d79011eb52931139a801f3dea401739d91cb977220

SHA512
2c4f3c583a8741aacf2aca95eec3e75a5c0e10f756b2ba703e34402153f2fdd0114a8e8093831ded6d506ff89c20e30690f1a9cbe29cf00307462c43137cf5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\77fbc26a-a298-4bc2-b0aa-07ce44cda62f.vbs

Filesize
722B

MD5
c5e3479b5b02ce01a3f1e1ab0206ef72

SHA1
7e65d0d31aa425f825b9e297cf9afc4b31ac282b

SHA256
0e18efae4030c3842dce49ba00759ede23b87735329ed7f1331d8ed4ce4f6e77

SHA512
e5283c35e9ff9c3616f92e414eb92af17f539162d9a911ae15c3ff4187c0374d158ff28acc8e8bc62de6a510ed763775ef4650f615392e3409f7baa07e8c9ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a52eb8e-2508-4770-bc85-04e2805cef74.vbs

Filesize
722B

MD5
60036cb97e87445da391f9aada57601e

SHA1
b86799520b982bc67cf402b6acf1fb81aa32496f

SHA256
7aee14f8e414877eecf81b713af8b548b16af8a730e675a477fd6c9e06af18ee

SHA512
5183e9409dee2f4b302061721f45e0a0fe628f3b45a52d7c51bbae7d3208022b40c0ff37f95e044374b07e056385f206b6541f5c7eb1eb71e9517c331d9ef5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HXYUNDfkzI.bat

Filesize
211B

MD5
66d8f88a8c0ee26e1ba74cadbc921a4e

SHA1
eef451dcbe962900c8268234dddd01698fd5a41a

SHA256
42e95e58be11aa1dbde61ffc40e48e635b09e5c5dee1d7f419bd82bbfc432974

SHA512
6cfca13d19c4fa8a715e148378620b9d6a54ea55558f3cb462f1f33e6a4d5cbe24ddfa09519ce735d5293c598d3abd8292881508f35b4c89acec753222538ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0mpzvfrf.spg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a43cce0b-0bfb-4df1-a531-ec1d9d262a7d.vbs

Filesize
722B

MD5
7f64ed8ddc4e52c4f85a20997e766e64

SHA1
5c2e4836a4bb904ccfe7bfbcc546f6aada63c140

SHA256
9ec1dfa754a6c1256d936c220c1891185fc878285e1660295a11e50e986e090a

SHA512
5300e4ac544aae2a1baf1b9ffa2269f8d6ccd4a328125e8c12ec3ac928b71749f78d86608c510c0a797565f469ea4f7a63a0ff984430fa2f40bc13901dcc057b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a708acca-bf2e-4e1a-9d98-beeafd67e0fb.vbs

Filesize
722B

MD5
951510c3276328a895583db9f1eeb5d8

SHA1
3e215c385c2b4163d82273fb6af8c80785370a0d

SHA256
05326be04c350b704a160ee13dfb54a826afd40764b31f183b6189ae5003a625

SHA512
383b0ddb1141174b2cd5fab9aa5c400b8cc33f380a8c34463b1f1c266eac9a9b2871ff80d0383a6a8ed68a17e71893b556844b68de056743d6c92570b2f082c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d142691d-50bc-4878-bd8b-f0d5f8f134ce.vbs

Filesize
722B

MD5
955820d4bf5a0f7fb74814b3b80a92cf

SHA1
ed5abc59cd1f7a875ca7dc9475ccea81ae38fddf

SHA256
64cf05955a8b32b2cf0bcfd6059fa1a8a4b04f13b6563af46671ae6c53e3dd08

SHA512
c1a85aa478a28fc3d68aa250310bbfd5f8b011fefdabc45e65b5349db83bc5f6eff9c67f79ba0853001f9d26aab13f9e1384da9d91393e6f2f7f81cc767c7473

Download Submit
C:\Users\Admin\AppData\Local\Temp\dece766e-4918-4e53-a6ef-b1ffb2a98c21.vbs

Filesize
722B

MD5
fdd1080f2832a18071e731f79136b885

SHA1
c435365507bdf28a337a313ca885e84c27e0890b

SHA256
58b09a892a808eabe0a480d0c65b2cfd12bcd4c8c1a20f83ac5aacb47e8903a4

SHA512
78ce2e94051b9aefa36064fbcb94c534fbdceb433412b657e21ed444a6fdae3f1041cb1c231a4d47a27d80d4a4c1d3473fae36f6eb9dd4878220eb3775b68e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6307a4b-c4e4-4b4e-aa47-1d8d8fdab6ae.vbs

Filesize
722B

MD5
28fe5c93d365ad39d6a8c7d203d4f4f6

SHA1
73fe48f9775005feafb60d52f0696aeed4f872d5

SHA256
1f76f46d82f7cb79a2cd99a4a2b659a17644ff0b48e455d057a78a4ac334ebe5

SHA512
6e0f70b1d781917aaaf81c767cfc5c58cd53aa5c8ed5b0d82b92f2af46c6145cc8de7f21efb647ac5e3c28eebfb92fd7dfa66fd93a06b7c89325bbf057babfe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eec4c828-de4d-4a15-b78a-51ee85bb33f3.vbs

Filesize
498B

MD5
5e3c8be64ed49712252705541f99f75c

SHA1
bb36e239f28c1a92e69b0d8129607ca498be966d

SHA256
5f114e08ecc6e29caeef10f81ba53f455d1785a166937f5eef60e326843ef64d

SHA512
d8800ade46e8a0fc22e46ce58c01f213b697ecc78aaa1644ca2a97e6ba1cb949c3fe0a2339733d1bc5b49465c36755d58053fbb54f5f4e413ff165dd1e9394aa

Download Submit
memory/1160-119-0x000001BDEC970000-0x000001BDEC992000-memory.dmp

Filesize
136KB

Download
memory/3456-10-0x0000000002DD0000-0x0000000002DDC000-memory.dmp

Filesize
48KB

Download
memory/3456-4-0x0000000002E00000-0x0000000002E50000-memory.dmp

Filesize
320KB

Download
memory/3456-18-0x000000001B7C0000-0x000000001B7C8000-memory.dmp

Filesize
32KB

Download
memory/3456-143-0x00007FFC80300000-0x00007FFC80DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3456-19-0x000000001B7D0000-0x000000001B7DC000-memory.dmp

Filesize
48KB

Download
memory/3456-20-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/3456-17-0x000000001B7B0000-0x000000001B7BE000-memory.dmp

Filesize
56KB

Download
memory/3456-15-0x0000000002E70000-0x0000000002E7C000-memory.dmp

Filesize
48KB

Download
memory/3456-14-0x000000001C900000-0x000000001CE28000-memory.dmp

Filesize
5.2MB

Download
memory/3456-13-0x0000000002DF0000-0x0000000002E02000-memory.dmp

Filesize
72KB

Download
memory/3456-1-0x0000000000860000-0x0000000000A4A000-memory.dmp

Filesize
1.9MB

Download
memory/3456-11-0x0000000002DE0000-0x0000000002DE8000-memory.dmp

Filesize
32KB

Download
memory/3456-0-0x00007FFC80303000-0x00007FFC80305000-memory.dmp

Filesize
8KB

Download
memory/3456-2-0x00007FFC80300000-0x00007FFC80DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3456-16-0x0000000002E80000-0x0000000002E8A000-memory.dmp

Filesize
40KB

Download
memory/3456-7-0x0000000002DB0000-0x0000000002DC6000-memory.dmp

Filesize
88KB

Download
memory/3456-8-0x0000000002C80000-0x0000000002C8A000-memory.dmp

Filesize
40KB

Download
memory/3456-6-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/3456-3-0x0000000002C40000-0x0000000002C5C000-memory.dmp

Filesize
112KB

Download
memory/3456-9-0x000000001B760000-0x000000001B7B6000-memory.dmp

Filesize
344KB

Download
memory/3456-5-0x0000000002C60000-0x0000000002C68000-memory.dmp

Filesize
32KB

Download
memory/4516-247-0x000000001BF20000-0x000000001BF32000-memory.dmp

Filesize
72KB

Download
memory/4516-246-0x000000001C340000-0x000000001C396000-memory.dmp

Filesize
344KB

Download
memory/4832-212-0x000000001BD60000-0x000000001BD72000-memory.dmp

Filesize
72KB

Download
memory/4840-199-0x000000001B0F0000-0x000000001B102000-memory.dmp

Filesize
72KB

Download