dcrat | af58caae16d4efcf211bdc1ab7830e6c27d5bce03e6fd2fd7c59901f40c75ce2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

2.6MB
MD5

d33fd82b32895cb0552b9c6dad9b3435
SHA1

a3117af86755a70fbaebdb2c8d27ac06e9dd777f
SHA256

af58caae16d4efcf211bdc1ab7830e6c27d5bce03e6fd2fd7c59901f40c75ce2
SHA512

fa72d7aebdf5e6b5e5d855a1f169854f82227490b18b573934f17a40ff5592a6a5d9364f2d9dc0da0200fdc1433fc104ada83bf75233860d51fc30af76ef248f
SSDEEP

49152:UbA30NVKXoZA5f48GoTA2fIirWmSIECusCjsAOoP2BTl4yJEmt:UbRVigA5w8Gx26XwCcztJEmt

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	1280	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\surrogateBrowser\componentperf.exe	dcrat
behavioral2/memory/4968-13-0x0000000000340000-0x000000000059E000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe1.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.execomponentperf.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	componentperf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 25 IoCs

Processes:

componentperf.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe

pid	process
4968	componentperf.exe
1556	OfficeClickToRun.exe
4288	OfficeClickToRun.exe
3956	OfficeClickToRun.exe
2856	OfficeClickToRun.exe
3784	OfficeClickToRun.exe
596	OfficeClickToRun.exe
3224	OfficeClickToRun.exe
4588	OfficeClickToRun.exe
4524	OfficeClickToRun.exe
3528	OfficeClickToRun.exe
2016	OfficeClickToRun.exe
1304	OfficeClickToRun.exe
2024	OfficeClickToRun.exe
5104	OfficeClickToRun.exe
3388	OfficeClickToRun.exe
5060	OfficeClickToRun.exe
388	OfficeClickToRun.exe
312	OfficeClickToRun.exe
1432	OfficeClickToRun.exe
5100	OfficeClickToRun.exe
960	OfficeClickToRun.exe
1852	OfficeClickToRun.exe
2804	OfficeClickToRun.exe
312	OfficeClickToRun.exe

Drops file in Program Files directory 8 IoCs

Processes:

componentperf.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\it-IT\System.exe	componentperf.exe
File created	C:\Program Files\Windows Media Player\it-IT\27d1bcfc3c54e0	componentperf.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe	componentperf.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\22eafd247d37c3	componentperf.exe
File created	C:\Program Files\Windows Mail\dwm.exe	componentperf.exe
File created	C:\Program Files\Windows Mail\6cb0b6c459d5d3	componentperf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	componentperf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	componentperf.exe

Drops file in Windows directory 4 IoCs

Processes:

componentperf.exe

description	ioc	process
File created	C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe	componentperf.exe
File created	C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\e6c9b481da804f	componentperf.exe
File created	C:\Windows\apppatch\Registry.exe	componentperf.exe
File created	C:\Windows\apppatch\ee2ad38f3d4382	componentperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 26 IoCs

Processes:

OfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe1.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.execomponentperf.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	1.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	componentperf.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
820	schtasks.exe
1020	schtasks.exe
1640	schtasks.exe
404	schtasks.exe
2676	schtasks.exe
2216	schtasks.exe
368	schtasks.exe
1876	schtasks.exe
3396	schtasks.exe
2360	schtasks.exe
1288	schtasks.exe
220	schtasks.exe
4512	schtasks.exe
3656	schtasks.exe
4424	schtasks.exe
1228	schtasks.exe
1456	schtasks.exe
4664	schtasks.exe
644	schtasks.exe
1772	schtasks.exe
1068	schtasks.exe
4584	schtasks.exe
4036	schtasks.exe
2940	schtasks.exe
3136	schtasks.exe
4536	schtasks.exe
1692	schtasks.exe
924	schtasks.exe
388	schtasks.exe
3544	schtasks.exe
4392	schtasks.exe
2840	schtasks.exe
4520	schtasks.exe
1696	schtasks.exe
1056	schtasks.exe
4580	schtasks.exe
1036	schtasks.exe
4012	schtasks.exe
2136	schtasks.exe
2320	schtasks.exe
4888	schtasks.exe
3204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
4968	componentperf.exe
1556	OfficeClickToRun.exe
1556	OfficeClickToRun.exe
1556	OfficeClickToRun.exe
4288	OfficeClickToRun.exe
4288	OfficeClickToRun.exe
4288	OfficeClickToRun.exe
3956	OfficeClickToRun.exe
3956	OfficeClickToRun.exe
3956	OfficeClickToRun.exe
2856	OfficeClickToRun.exe
2856	OfficeClickToRun.exe
2856	OfficeClickToRun.exe
3784	OfficeClickToRun.exe
3784	OfficeClickToRun.exe
3784	OfficeClickToRun.exe
596	OfficeClickToRun.exe
596	OfficeClickToRun.exe
596	OfficeClickToRun.exe
3224	OfficeClickToRun.exe
3224	OfficeClickToRun.exe
3224	OfficeClickToRun.exe
4588	OfficeClickToRun.exe
4588	OfficeClickToRun.exe
4588	OfficeClickToRun.exe
4524	OfficeClickToRun.exe
4524	OfficeClickToRun.exe
4524	OfficeClickToRun.exe
3528	OfficeClickToRun.exe
3528	OfficeClickToRun.exe
3528	OfficeClickToRun.exe
2016	OfficeClickToRun.exe
2016	OfficeClickToRun.exe
2016	OfficeClickToRun.exe
1304	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4968	componentperf.exe
Token: SeDebugPrivilege	1556	OfficeClickToRun.exe
Token: SeDebugPrivilege	4288	OfficeClickToRun.exe
Token: SeDebugPrivilege	3956	OfficeClickToRun.exe
Token: SeDebugPrivilege	2856	OfficeClickToRun.exe
Token: SeDebugPrivilege	3784	OfficeClickToRun.exe
Token: SeDebugPrivilege	596	OfficeClickToRun.exe
Token: SeDebugPrivilege	3224	OfficeClickToRun.exe
Token: SeDebugPrivilege	4588	OfficeClickToRun.exe
Token: SeDebugPrivilege	4524	OfficeClickToRun.exe
Token: SeDebugPrivilege	3528	OfficeClickToRun.exe
Token: SeDebugPrivilege	2016	OfficeClickToRun.exe
Token: SeDebugPrivilege	1304	OfficeClickToRun.exe
Token: SeDebugPrivilege	2024	OfficeClickToRun.exe
Token: SeDebugPrivilege	5104	OfficeClickToRun.exe
Token: SeDebugPrivilege	3388	OfficeClickToRun.exe
Token: SeDebugPrivilege	5060	OfficeClickToRun.exe
Token: SeDebugPrivilege	388	OfficeClickToRun.exe
Token: SeDebugPrivilege	312	OfficeClickToRun.exe
Token: SeDebugPrivilege	1432	OfficeClickToRun.exe
Token: SeDebugPrivilege	5100	OfficeClickToRun.exe
Token: SeDebugPrivilege	960	OfficeClickToRun.exe
Token: SeDebugPrivilege	1852	OfficeClickToRun.exe
Token: SeDebugPrivilege	2804	OfficeClickToRun.exe
Token: SeDebugPrivilege	312	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1.exeWScript.execmd.execomponentperf.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.exe

description	pid	process	target process
PID 544 wrote to memory of 3416	544	1.exe	WScript.exe
PID 544 wrote to memory of 3416	544	1.exe	WScript.exe
PID 544 wrote to memory of 3416	544	1.exe	WScript.exe
PID 3416 wrote to memory of 1320	3416	WScript.exe	cmd.exe
PID 3416 wrote to memory of 1320	3416	WScript.exe	cmd.exe
PID 3416 wrote to memory of 1320	3416	WScript.exe	cmd.exe
PID 1320 wrote to memory of 4968	1320	cmd.exe	componentperf.exe
PID 1320 wrote to memory of 4968	1320	cmd.exe	componentperf.exe
PID 4968 wrote to memory of 3140	4968	componentperf.exe	cmd.exe
PID 4968 wrote to memory of 3140	4968	componentperf.exe	cmd.exe
PID 3140 wrote to memory of 2868	3140	cmd.exe	w32tm.exe
PID 3140 wrote to memory of 2868	3140	cmd.exe	w32tm.exe
PID 3140 wrote to memory of 1556	3140	cmd.exe	OfficeClickToRun.exe
PID 3140 wrote to memory of 1556	3140	cmd.exe	OfficeClickToRun.exe
PID 1556 wrote to memory of 1180	1556	OfficeClickToRun.exe	cmd.exe
PID 1556 wrote to memory of 1180	1556	OfficeClickToRun.exe	cmd.exe
PID 1180 wrote to memory of 2492	1180	cmd.exe	w32tm.exe
PID 1180 wrote to memory of 2492	1180	cmd.exe	w32tm.exe
PID 1180 wrote to memory of 4288	1180	cmd.exe	OfficeClickToRun.exe
PID 1180 wrote to memory of 4288	1180	cmd.exe	OfficeClickToRun.exe
PID 4288 wrote to memory of 2980	4288	OfficeClickToRun.exe	cmd.exe
PID 4288 wrote to memory of 2980	4288	OfficeClickToRun.exe	cmd.exe
PID 2980 wrote to memory of 1632	2980	cmd.exe	w32tm.exe
PID 2980 wrote to memory of 1632	2980	cmd.exe	w32tm.exe
PID 2980 wrote to memory of 3956	2980	cmd.exe	OfficeClickToRun.exe
PID 2980 wrote to memory of 3956	2980	cmd.exe	OfficeClickToRun.exe
PID 3956 wrote to memory of 1036	3956	OfficeClickToRun.exe	cmd.exe
PID 3956 wrote to memory of 1036	3956	OfficeClickToRun.exe	cmd.exe
PID 1036 wrote to memory of 872	1036	cmd.exe	w32tm.exe
PID 1036 wrote to memory of 872	1036	cmd.exe	w32tm.exe
PID 1036 wrote to memory of 2856	1036	cmd.exe	OfficeClickToRun.exe
PID 1036 wrote to memory of 2856	1036	cmd.exe	OfficeClickToRun.exe
PID 2856 wrote to memory of 2500	2856	OfficeClickToRun.exe	cmd.exe
PID 2856 wrote to memory of 2500	2856	OfficeClickToRun.exe	cmd.exe
PID 2500 wrote to memory of 4264	2500	cmd.exe	w32tm.exe
PID 2500 wrote to memory of 4264	2500	cmd.exe	w32tm.exe
PID 2500 wrote to memory of 3784	2500	cmd.exe	OfficeClickToRun.exe
PID 2500 wrote to memory of 3784	2500	cmd.exe	OfficeClickToRun.exe
PID 3784 wrote to memory of 3272	3784	OfficeClickToRun.exe	cmd.exe
PID 3784 wrote to memory of 3272	3784	OfficeClickToRun.exe	cmd.exe
PID 3272 wrote to memory of 4048	3272	cmd.exe	w32tm.exe
PID 3272 wrote to memory of 4048	3272	cmd.exe	w32tm.exe
PID 3272 wrote to memory of 596	3272	cmd.exe	OfficeClickToRun.exe
PID 3272 wrote to memory of 596	3272	cmd.exe	OfficeClickToRun.exe
PID 596 wrote to memory of 4988	596	OfficeClickToRun.exe	cmd.exe
PID 596 wrote to memory of 4988	596	OfficeClickToRun.exe	cmd.exe
PID 4988 wrote to memory of 2736	4988	cmd.exe	w32tm.exe
PID 4988 wrote to memory of 2736	4988	cmd.exe	w32tm.exe
PID 4988 wrote to memory of 3224	4988	cmd.exe	OfficeClickToRun.exe
PID 4988 wrote to memory of 3224	4988	cmd.exe	OfficeClickToRun.exe
PID 3224 wrote to memory of 3800	3224	OfficeClickToRun.exe	cmd.exe
PID 3224 wrote to memory of 3800	3224	OfficeClickToRun.exe	cmd.exe
PID 3800 wrote to memory of 4580	3800	cmd.exe	w32tm.exe
PID 3800 wrote to memory of 4580	3800	cmd.exe	w32tm.exe
PID 3800 wrote to memory of 4588	3800	cmd.exe	OfficeClickToRun.exe
PID 3800 wrote to memory of 4588	3800	cmd.exe	OfficeClickToRun.exe
PID 4588 wrote to memory of 4448	4588	OfficeClickToRun.exe	cmd.exe
PID 4588 wrote to memory of 4448	4588	OfficeClickToRun.exe	cmd.exe
PID 4448 wrote to memory of 1036	4448	cmd.exe	w32tm.exe
PID 4448 wrote to memory of 1036	4448	cmd.exe	w32tm.exe
PID 4448 wrote to memory of 4524	4448	cmd.exe	OfficeClickToRun.exe
PID 4448 wrote to memory of 4524	4448	cmd.exe	OfficeClickToRun.exe
PID 4524 wrote to memory of 4692	4524	OfficeClickToRun.exe	cmd.exe
PID 4524 wrote to memory of 4692	4524	OfficeClickToRun.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogateBrowser\jugsRTlixTNpJQR.vbe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\surrogateBrowser\6sJKwNteCedZSQrFBGYlXz0mxM.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320

C:\surrogateBrowser\componentperf.exe
"C:\surrogateBrowser\componentperf.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CkUsogfXnl.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2868

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:2492

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:1632

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:872

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:4264

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:4048

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"
17⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:2736

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
19⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:4580

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat"
21⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:1036

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"
23⤵
PID:4692

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:5100

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
25⤵
PID:4652

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:812

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat"
27⤵
PID:2348

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
28⤵
PID:548

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
29⤵
PID:3744

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
30⤵
PID:4064

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
31⤵
PID:3800

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
32⤵
PID:1728

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
33⤵
PID:3748

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
34⤵
PID:4392

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
35⤵
PID:2368

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
36⤵
PID:4968

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
37⤵
PID:3620

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
38⤵
PID:2948

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
39⤵
PID:4424

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
40⤵
PID:1728

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"
41⤵
PID:4348

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
42⤵
PID:3080

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"
43⤵
PID:4296

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
44⤵
PID:1220

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
45⤵
PID:1016

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
46⤵
PID:348

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat"
47⤵
PID:4468

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
48⤵
PID:3580

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
49⤵
PID:3588

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
50⤵
PID:2292

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
51⤵
PID:3324

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
52⤵
PID:2756

C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe
"C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
53⤵
PID:4124

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
54⤵
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\surrogateBrowser\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\surrogateBrowser\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\surrogateBrowser\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\surrogateBrowser\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\surrogateBrowser\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\surrogateBrowser\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\apppatch\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\apppatch\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

Filesize
255B

MD5
8cbae0501c207685295f218627b397e3

SHA1
ad064b935b40e8b333bb439590ca5f2dd9eeed42

SHA256
e1fabe52e5b85edc8b0f0ef3611d65f309c1aa25ee0f444344617f2bcb5b9bd7

SHA512
2e7b75a07cd5e080b4ff6430e91f9df6ac8440a96077950c15eac64c1c72860b3723484c2628d11a86a4ae1f42301f9a43493663f3850b7eb3c9adf267925abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat

Filesize
255B

MD5
0067bf54f6e883a25b2a6dcc21cddda2

SHA1
7224252acf29d720ac5384e95a84f9b03d3f969a

SHA256
198ef7cdf3654277bed91edcea8245e6908afdfaf4f96e9a63ae50dd4ded930c

SHA512
02f55d3b7d02448ec632d29340653dc816272add5467d485dd2054c53f4118d660be3f6252a179734a0ab66aab464e5aba1e6e8e391816aa385ab6126fe444a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat

Filesize
255B

MD5
b86b52ff8cbc9e93817fa47e1416e997

SHA1
9316823431b2fdc91a84931d293f5cfa35c25769

SHA256
2a98825bbc00048ad99cad19dccb9920d0e8857e929287396b261b0e92852835

SHA512
9bd86c3242697465f82419e0f104918770b9b7abb62e9c584a67fc5d3d30b88e53dbda3452df22c9db7c4828ebde30fba1db0e5ac22699bbb5c5e19878d6ec07

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkUsogfXnl.bat

Filesize
255B

MD5
2c2250ccf5721a0114cddf4c56dcadc6

SHA1
4710cc18da57f7ea4bbd21ce1dd1a74bff968cde

SHA256
adcfda44493cb78124f149198209871dc284c9d7ea5222e8405040fa285aabe4

SHA512
276e50199d4ccf2b588fc23bbec37ce35715ca4b865167a4e4d68368b10efd9e20ea504863f2edaae01124ad040d13b1fe6cbe054acf1ab7225ffaaf8a9948ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat

Filesize
255B

MD5
6d03d5170716ac1ede3fa7c2450d5e6e

SHA1
f6a96b88877cdad94c6018ce7a3f61184b826839

SHA256
dee66014722d6015e5a114a4aa7887d121d9c950a0e8abbad5d4431ab0841ac5

SHA512
8f7ced9fc1935385844e616bf740dad2ecbab1b509bc47caf92116016ec5016cf172ce7ea8d74face4ee1a7bee6d3bee1f06a6056fe204e504d572bab698f560

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat

Filesize
255B

MD5
8374488de87fd91c344ad8154c99718c

SHA1
67c57dd36d887bd40f00cf173fc244ce2a81de8b

SHA256
ad9025da52b9ccaeef266371adb78b40e5440f403b64ecdc11f838d5b91f1dd0

SHA512
cf2771553115888cc5f1e0028a74b67b45f33797db7a1f3ff617843626014b781b2462b99db3ed4a28184863a79b2765657d01f0dbe338ccc9a023605e8f987b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat

Filesize
255B

MD5
b80cd9a30b680e746be08b85031c1199

SHA1
47f578759c684e7c83fbd1e586326debe6715783

SHA256
ac2e148801129fc7a632147772126fbae9666a15d5b8041e0923ffaa1254f595

SHA512
3a63f5f2c9874934cd0c1893099fc7af8a0154bac75464fc3873c0f0a0ce5dda07e4b6019f03cc524d9571629998f6e99744e55fad286cfaa1571583b83dc64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

Filesize
255B

MD5
734b72cea87c34f22c195bff79317496

SHA1
9e96072186fd3ad1b2db47e50353dbf8b3830dfe

SHA256
58066917da3e0f8366ff468f00290c961261e3b2dd1279ff036324947e05edce

SHA512
4ee2a017d4967f8cf7aae174f97556de888f66c27353c1a37af6a08d58898aa85e481155b411cc421ea7905b4985fa1ba6b5288cd83404a3941ee755dfa5e16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat

Filesize
255B

MD5
db69f0e0f6a5b40d3a81535dc74b86e4

SHA1
2baa25f45441cfe9e35c75d6ddea55143bcb66c4

SHA256
abd87216d9a1db41a91c005a9b9148bd5ed649f7b70d17c7d066dec121d7f3f2

SHA512
ea0bd467c4480bbde8e562c19a9c2af03a70f6ca17555543616a522bfb6313c49f4d090d6b7af18a885e1978554dd1da3d61bf980db17f67001ebd4028c637f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

Filesize
255B

MD5
40011acdede67333b4f0016ea78554e5

SHA1
f70d7a05131b0a4c4b8ee262ec127c3b6658ef47

SHA256
012cf9cdac3fa54ea0ae574747cc76bdaf3f369226e0609120f3d75427b8962f

SHA512
0ef03c1e864d8e064299cfcfb51d63955237b992233ac205d1211e1bcf3907988f0b5a7920dea1688326450521eeea0f73574c122dfeb5773e31f2c0057248f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
255B

MD5
9006d27bf944eaea0889c6a161ba141c

SHA1
ba1b0c6864e116c96d4a0721a74f73c41c55765e

SHA256
e222cb162d1fe000c9c8b7f108eb96c5fb3216ac404c4fdc4fb7dbdbddb62a35

SHA512
b8ba5750c55f38dfa411a89f19f1cb1b476dda65904e47dcb26a640a43c9d85528f4e5a726b1700d3d28b2724c40bfb8910560b66f16d5544ce6c368270d0e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

Filesize
255B

MD5
eab04aa76ee42c7e9a22d79557ee2558

SHA1
917af0ab0d1eff01a4f465eb0f97973b08db6429

SHA256
80118b637f3fdcca98a6548e91423cd86f4da799658301cbd989ba31d5a4a674

SHA512
dc89c9816c3f18b3aecc0dec2dc48523c4eec0d14534b139a0f58447ebf2272966187170a625ed6f6a5dab8646ccf16706ef9daa5f448409f2132a60ca948290

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat

Filesize
255B

MD5
0a9f616c01248a0ee045f38f2b506cfa

SHA1
4b75f4e3b3ad8a50068689b59d0326d8aefbac74

SHA256
38d96359d46a6e41e3af8005c514caa034f41f48bce406bab21e2ac0cdaca81b

SHA512
38d74562a8111e0c0616441e6be9b7e6cf122322fb9ce5fb979c88aea7cf8be3b9b68e0cd7f50a0656cec696e806975d2d3da23b025dca578a1665ca4be2cd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

Filesize
255B

MD5
482dbc8f57518d7920c8bea22ed5d390

SHA1
0ff59bbe66d056bb203e7a8241d0185598f5368e

SHA256
f403e25bca47d5d24ce03e61e5ae18cb9128d12c0ea3bf8b10933bf197a8e17b

SHA512
076de1dbc28605efd08e3fda37aa3129f63abff7ad4e67072389f42fc75fc39534a91e4a67c726f7d7fc856db63616e4fa411f75b4aae0ff0b462aa5a2d7d9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat

Filesize
255B

MD5
0fc01abb95236f85748efb0f3130e92f

SHA1
d502762fa7c6b0638c3febfbc6b470daf05be524

SHA256
d5bf1827159a0d8f2de35e443726414b2393690cacca296d8c7b38416e4ae144

SHA512
db34888620adc307a0b1207ad37976e4a82ef73d05ff34c7c5c25fa3f626d142607246d2e4c4a059cc136b2d255825cc218584c1e5ac056c445d0a80c85e7649

Download Submit
C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat

Filesize
255B

MD5
45392fd5ea83877f6a2bb0b6893ae2fa

SHA1
4bf5f5772ba82f01900347172c510f1fb9ec42b5

SHA256
f819c03d541b5ee7a219e6dc217043d3a4dc54d77740776999fc3df20c5efe39

SHA512
c878aa6bd3c60719c369866197a1315fcde4684d12ac54bd26a897c039e0d50003e370f15cf69ec05c9eed7de142a6a598ed231f3edb5baea04b3b94d9b2402e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat

Filesize
255B

MD5
943f0166910e04504fd5f1fc86db5d24

SHA1
1fe2bbced33340df144a14e114e01ed507a0c32a

SHA256
3cd06e30239cff19ad0e285d6f5afea8fed242f8236fecd59cdb637fecc31ebc

SHA512
262efb6800f1175477c3acd50fdd4361bd8bffdb1f447e6a8e52c47c89d81d79f1b4265fb32bd393e619f2fd3efdb272fc0d742302f91b9d6b62c8e06a5fca33

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat

Filesize
255B

MD5
74f3a2f02557b104d96c97625f143100

SHA1
d6f4de67e209c73ec375cecd71fa6a6990266f32

SHA256
e5d64a73e887479f8ecffb0bb98dfeb6c98a93aa75ccce8f738e6fbda0f8d6f9

SHA512
b479f91a0c4e875ccd676a8bd9856f66c11bb647c54605a1cb55bee7b7e842bcb2167bc8fb8095c6a6667be5537154401b6f8d821cdc0d9a8d4c8ae463cce30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat

Filesize
255B

MD5
fc6682763513abb4b2f0b9c5f921dc3b

SHA1
3a717a49eedbdd337f4d7f2288b0f940e0dcec82

SHA256
39eeb36eb69918ee8e5f596bd70883b7a58ff41ec6655c9bcdcc770f4106b055

SHA512
3938387b2b4335d67d9afd7aa93ec83fee9da690fd5e3bb6d6a6398b7148038ba71e8bd69177c362fefbd8b6ade90a08484e501080f5fee7432d787c4b49da86

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat

Filesize
255B

MD5
6b7be6f3c392e4fa6ea7e2e43cb6e710

SHA1
790c36c5e4a1bc409ef3f511709d84b2749712c0

SHA256
d89315c36622cbe33e9e7b11761d24be0e0bc8f8b68aca632c9003a3af6faea7

SHA512
f9c0ddbfd6f45b8feb71b5424e54c86bff2b95cff2889ad9d35694d946034812e632ecb0a0f34256ff09365e983af22755bbf78279e74fa556f20c5fb530656a

Download Submit
C:\surrogateBrowser\6sJKwNteCedZSQrFBGYlXz0mxM.bat

Filesize
39B

MD5
cc69ff276bc01cf713869de612989b6e

SHA1
68bf9bcbd1b73b192291e35cb5fc1398362c97b1

SHA256
bc399373baab928a60d2b9e99ef09c1bf87d6978ed27b80aedb83d355d38aa67

SHA512
f6e304dbec4185ff84309d2138f8823c02e8690074fdbfd560d7559b05916d6ab5c820344a5a5006d55236fa19d3338b2ee6d01cbe831ed170fd4bed22772a1c

Download Submit
C:\surrogateBrowser\componentperf.exe

Filesize
2.3MB

MD5
a7ed45551bd75d6efe5cb73025e5bf21

SHA1
009127e9825d0be8ac1566015f27d34cd9b52cd2

SHA256
815d0a143ee08216f0fcefa36c494f4bf3ba35c518f94046e649dc2fe55c8b84

SHA512
7853470fb2752d0a6795723d979aa39ac2438a01eb32543fe8cc976658480e5441cd6e64b7f2b97b3f483311e6db206a88c8c2c0a5c944d536d4e938e6f0d3c8

Download Submit
C:\surrogateBrowser\jugsRTlixTNpJQR.vbe

Filesize
219B

MD5
4ebf70867f59482e34dd049a8603e143

SHA1
7d4b332dfabe271c829705fcf7fa57c77a183796

SHA256
651bcddc048bd1d961d2ff6b546865aa3a8d803cca93952d88aae2888f3f2a68

SHA512
b14cd8f60b3be1b9617b7392f060a361fe7aa62d1a986f91251412a426f3cbe2cab79ac37aa3e8570b5ba64204c8b6ef61f2b60091eb6dcc6a1491025e5d1712

Download Submit
memory/1556-61-0x000000001C000000-0x000000001C056000-memory.dmp

Filesize
344KB

Download
memory/2024-137-0x000000001B080000-0x000000001B0D6000-memory.dmp

Filesize
344KB

Download
memory/3784-88-0x000000001B250000-0x000000001B2A6000-memory.dmp

Filesize
344KB

Download
memory/4968-17-0x000000001B0C0000-0x000000001B0D6000-memory.dmp

Filesize
88KB

Download
memory/4968-12-0x00007FFDDC893000-0x00007FFDDC895000-memory.dmp

Filesize
8KB

Download
memory/4968-13-0x0000000000340000-0x000000000059E000-memory.dmp

Filesize
2.4MB

Download
memory/4968-14-0x000000001B090000-0x000000001B0AC000-memory.dmp

Filesize
112KB

Download
memory/4968-16-0x000000001B0B0000-0x000000001B0B8000-memory.dmp

Filesize
32KB

Download
memory/4968-18-0x000000001B1F0000-0x000000001B200000-memory.dmp

Filesize
64KB

Download
memory/4968-20-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/4968-15-0x000000001B760000-0x000000001B7B0000-memory.dmp

Filesize
320KB

Download
memory/4968-19-0x000000001B710000-0x000000001B766000-memory.dmp

Filesize
344KB

Download
memory/4968-23-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

Filesize
48KB

Download
memory/4968-21-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/4968-22-0x000000001B8D0000-0x000000001B8DA000-memory.dmp

Filesize
40KB

Download
memory/5104-144-0x0000000002CA0000-0x0000000002CF6000-memory.dmp

Filesize
344KB

Download