dcrat | 501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad

Analysis

max time kernel
115s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Size

1.4MB
MD5

181d043c0617914801548f09d5b776d4
SHA1

757f042065a3dc2c9f73e635b41f83591c8ad647
SHA256

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad
SHA512

c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574
SSDEEP

24576:6oIREGQw97lGTIYskQyxNtGSKERqWzAcqGv+3spCElJz009I+LU:gRdGcHkBxNYARdzAcqGv+cphlJzxV

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\", \"C:\\Users\\Admin\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\lsass.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\", \"C:\\Users\\Admin\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\", \"C:\\Users\\Admin\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\", \"C:\\Users\\Admin\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\lsass.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\wininit.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\", \"C:\\Users\\Admin\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\lsass.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\wininit.exe\", \"C:\\Windows\\Cursors\\sysmon.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\", \"C:\\Users\\Admin\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\lsass.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\wininit.exe\", \"C:\\Windows\\Cursors\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\", \"C:\\Users\\Admin\\OfficeClickToRun.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\", \"C:\\Users\\Admin\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\", \"C:\\Users\\Admin\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\winlogon.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	3972	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	3972	schtasks.exe	83

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4816-1-0x00000000003D0000-0x0000000000538000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cac-19.dat	dcrat
behavioral2/files/0x0007000000023cb9-238.dat	dcrat
behavioral2/files/0x0007000000023cdc-242.dat	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 12 IoCs

Processes:

OfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe

pid	Process
768	OfficeClickToRun.exe
3872	OfficeClickToRun.exe
1964	OfficeClickToRun.exe
2724	OfficeClickToRun.exe
800	OfficeClickToRun.exe
4220	OfficeClickToRun.exe
4088	OfficeClickToRun.exe
1976	OfficeClickToRun.exe
4124	OfficeClickToRun.exe
1800	OfficeClickToRun.exe
4664	OfficeClickToRun.exe
5112	OfficeClickToRun.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\winlogon.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Defender\\it-IT\\lsass.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Admin\\OfficeClickToRun.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Default User\\SppExtComObj.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\dotnet\\host\\fxr\\TextInputHost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\WindowsPowerShell\\lsass.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Speech_OneCore\\Engines\\wininit.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Speech_OneCore\\Engines\\wininit.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Default User\\SppExtComObj.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\SearchApp.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\winlogon.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\WindowsPowerShell\\lsass.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Cursors\\sysmon.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\fr-FR\\StartMenuExperienceHost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Admin\\OfficeClickToRun.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Cursors\\sysmon.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Drops file in Program Files directory 15 IoCs

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

description	ioc	Process
File created	C:\Program Files\Windows Defender\it-IT\6203df4a6bafc7	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files\dotnet\host\fxr\22eafd247d37c3	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files\ModifiableWindowsApps\spoolsv.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files\dotnet\host\fxr\TextInputHost.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\cc11b995f2a76d	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\WindowsPowerShell\6203df4a6bafc7	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files\Windows Defender\it-IT\lsass.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\SearchApp.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Windows Mail\explorer.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Windows Mail\7a0fd90576e088	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\38384e6a620884	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\WindowsPowerShell\lsass.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

Drops file in Windows directory 7 IoCs

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

description	ioc	Process
File created	C:\Windows\fr-FR\StartMenuExperienceHost.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Windows\fr-FR\55b276f4edf653	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Windows\servicing\RuntimeBroker.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Windows\Speech_OneCore\Engines\wininit.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Windows\Speech_OneCore\Engines\56085415360792	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Windows\Cursors\sysmon.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Windows\Cursors\121e5b5079f7c0	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3748	schtasks.exe
5076	schtasks.exe
1164	schtasks.exe
2260	schtasks.exe
3016	schtasks.exe
452	schtasks.exe
1296	schtasks.exe
2080	schtasks.exe
3684	schtasks.exe
1668	schtasks.exe
3952	schtasks.exe
4284	schtasks.exe
4880	schtasks.exe
4888	schtasks.exe
4992	schtasks.exe
3516	schtasks.exe
3128	schtasks.exe
3184	schtasks.exe
2200	schtasks.exe
3956	schtasks.exe
4400	schtasks.exe
1828	schtasks.exe
4924	schtasks.exe
1960	schtasks.exe
2056	schtasks.exe
4680	schtasks.exe
4952	schtasks.exe
2416	schtasks.exe
2772	schtasks.exe
3724	schtasks.exe
4628	schtasks.exe
2596	schtasks.exe
2984	schtasks.exe
1908	schtasks.exe
972	schtasks.exe
1252	schtasks.exe
1544	schtasks.exe
1652	schtasks.exe
804	schtasks.exe
3668	schtasks.exe
3884	schtasks.exe
4256	schtasks.exe
1488	schtasks.exe
1060	schtasks.exe
4708	schtasks.exe
2036	schtasks.exe
844	schtasks.exe
4160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

pid	Process
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
768	OfficeClickToRun.exe
3872	OfficeClickToRun.exe
1964	OfficeClickToRun.exe
2724	OfficeClickToRun.exe
800	OfficeClickToRun.exe
4220	OfficeClickToRun.exe
4088	OfficeClickToRun.exe
1976	OfficeClickToRun.exe
4124	OfficeClickToRun.exe
1800	OfficeClickToRun.exe
4664	OfficeClickToRun.exe
5112	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Token: SeDebugPrivilege	768	OfficeClickToRun.exe
Token: SeDebugPrivilege	3872	OfficeClickToRun.exe
Token: SeDebugPrivilege	1964	OfficeClickToRun.exe
Token: SeDebugPrivilege	2724	OfficeClickToRun.exe
Token: SeDebugPrivilege	800	OfficeClickToRun.exe
Token: SeDebugPrivilege	4220	OfficeClickToRun.exe
Token: SeDebugPrivilege	4088	OfficeClickToRun.exe
Token: SeDebugPrivilege	1976	OfficeClickToRun.exe
Token: SeDebugPrivilege	4124	OfficeClickToRun.exe
Token: SeDebugPrivilege	1800	OfficeClickToRun.exe
Token: SeDebugPrivilege	4664	OfficeClickToRun.exe
Token: SeDebugPrivilege	5112	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exe

description	pid	Process	procid_target
PID 4816 wrote to memory of 768	4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe	132
PID 4816 wrote to memory of 768	4816	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe	132
PID 768 wrote to memory of 1932	768	OfficeClickToRun.exe	133
PID 768 wrote to memory of 1932	768	OfficeClickToRun.exe	133
PID 768 wrote to memory of 4728	768	OfficeClickToRun.exe	134
PID 768 wrote to memory of 4728	768	OfficeClickToRun.exe	134
PID 1932 wrote to memory of 3872	1932	WScript.exe	143
PID 1932 wrote to memory of 3872	1932	WScript.exe	143
PID 3872 wrote to memory of 184	3872	OfficeClickToRun.exe	145
PID 3872 wrote to memory of 184	3872	OfficeClickToRun.exe	145
PID 3872 wrote to memory of 4148	3872	OfficeClickToRun.exe	146
PID 3872 wrote to memory of 4148	3872	OfficeClickToRun.exe	146
PID 184 wrote to memory of 1964	184	WScript.exe	152
PID 184 wrote to memory of 1964	184	WScript.exe	152
PID 1964 wrote to memory of 2300	1964	OfficeClickToRun.exe	154
PID 1964 wrote to memory of 2300	1964	OfficeClickToRun.exe	154
PID 1964 wrote to memory of 1288	1964	OfficeClickToRun.exe	155
PID 1964 wrote to memory of 1288	1964	OfficeClickToRun.exe	155
PID 2300 wrote to memory of 2724	2300	WScript.exe	157
PID 2300 wrote to memory of 2724	2300	WScript.exe	157
PID 2724 wrote to memory of 1008	2724	OfficeClickToRun.exe	161
PID 2724 wrote to memory of 1008	2724	OfficeClickToRun.exe	161
PID 2724 wrote to memory of 2848	2724	OfficeClickToRun.exe	162
PID 2724 wrote to memory of 2848	2724	OfficeClickToRun.exe	162
PID 1008 wrote to memory of 800	1008	WScript.exe	165
PID 1008 wrote to memory of 800	1008	WScript.exe	165
PID 800 wrote to memory of 2428	800	OfficeClickToRun.exe	167
PID 800 wrote to memory of 2428	800	OfficeClickToRun.exe	167
PID 800 wrote to memory of 1992	800	OfficeClickToRun.exe	168
PID 800 wrote to memory of 1992	800	OfficeClickToRun.exe	168
PID 2428 wrote to memory of 4220	2428	WScript.exe	170
PID 2428 wrote to memory of 4220	2428	WScript.exe	170
PID 4220 wrote to memory of 1652	4220	OfficeClickToRun.exe	172
PID 4220 wrote to memory of 1652	4220	OfficeClickToRun.exe	172
PID 4220 wrote to memory of 3428	4220	OfficeClickToRun.exe	173
PID 4220 wrote to memory of 3428	4220	OfficeClickToRun.exe	173
PID 1652 wrote to memory of 4088	1652	WScript.exe	175
PID 1652 wrote to memory of 4088	1652	WScript.exe	175
PID 4088 wrote to memory of 1512	4088	OfficeClickToRun.exe	178
PID 4088 wrote to memory of 1512	4088	OfficeClickToRun.exe	178
PID 4088 wrote to memory of 3644	4088	OfficeClickToRun.exe	179
PID 4088 wrote to memory of 3644	4088	OfficeClickToRun.exe	179
PID 1512 wrote to memory of 1976	1512	WScript.exe	182
PID 1512 wrote to memory of 1976	1512	WScript.exe	182
PID 1976 wrote to memory of 1284	1976	OfficeClickToRun.exe	184
PID 1976 wrote to memory of 1284	1976	OfficeClickToRun.exe	184
PID 1976 wrote to memory of 116	1976	OfficeClickToRun.exe	185
PID 1976 wrote to memory of 116	1976	OfficeClickToRun.exe	185
PID 1284 wrote to memory of 4124	1284	WScript.exe	188
PID 1284 wrote to memory of 4124	1284	WScript.exe	188
PID 4124 wrote to memory of 216	4124	OfficeClickToRun.exe	190
PID 4124 wrote to memory of 216	4124	OfficeClickToRun.exe	190
PID 4124 wrote to memory of 1620	4124	OfficeClickToRun.exe	191
PID 4124 wrote to memory of 1620	4124	OfficeClickToRun.exe	191
PID 216 wrote to memory of 1800	216	WScript.exe	193
PID 216 wrote to memory of 1800	216	WScript.exe	193
PID 1800 wrote to memory of 3500	1800	OfficeClickToRun.exe	195
PID 1800 wrote to memory of 3500	1800	OfficeClickToRun.exe	195
PID 1800 wrote to memory of 464	1800	OfficeClickToRun.exe	196
PID 1800 wrote to memory of 464	1800	OfficeClickToRun.exe	196
PID 3500 wrote to memory of 4664	3500	WScript.exe	198
PID 3500 wrote to memory of 4664	3500	WScript.exe	198
PID 4664 wrote to memory of 4896	4664	OfficeClickToRun.exe	200
PID 4664 wrote to memory of 4896	4664	OfficeClickToRun.exe	200

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

OfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
"C:\Users\Admin\AppData\Local\Temp\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4816
- C:\Users\Admin\OfficeClickToRun.exe
  "C:\Users\Admin\OfficeClickToRun.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:768
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78b6b133-57a4-4663-8345-bef69bfd941c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Users\Admin\OfficeClickToRun.exe
      C:\Users\Admin\OfficeClickToRun.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3872
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e23de11-a0c2-4ed5-bb1c-9a0a07a86eea.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:184
      - C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a22ff81-916a-4f37-b57e-e47bd461e2bc.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9b47dbd-0995-49e4-8fe1-0e6f6eb2f2f9.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b88d6918-e6c2-495d-bba4-4d08a3e8b97e.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fdc24a1-a207-4ebf-939a-169151d20bd7.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\160166ab-46a0-4bbf-8731-80c742598fb2.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce90394a-aa92-4e1a-ab4e-d27ebeaceaa2.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\901dfc1a-1d2e-46ee-918e-b52cf964e5b2.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57d3d9a1-d8d1-4ecc-a6ee-38d7995187ac.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\400ba427-99c4-4292-88dd-71a401ecd031.vbs"
        23⤵
        
        PID:4896
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f95cd8f-41bd-4a29-baa8-dcf863575fec.vbs"
        25⤵
        
        PID:3452
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        26⤵
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c88ddc2-1da0-4061-b626-c46e93fe0dbb.vbs"
        27⤵
        
        PID:1616
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        28⤵
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f24334ca-1e5c-40ed-838c-565e9c10e497.vbs"
        29⤵
        
        PID:2092
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        30⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb8ce9fb-e572-4010-8057-8a4a043225cc.vbs"
        31⤵
        
        PID:3912
        
        C:\Users\Admin\OfficeClickToRun.exe
        
        C:\Users\Admin\OfficeClickToRun.exe
        32⤵
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e0b0a25-8522-445c-851c-079fe4ad85a2.vbs"
        33⤵
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\906cd1c5-ba06-4ee9-b53b-440e89e4ab87.vbs"
        33⤵
        
        PID:4948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9253b3b3-6ad8-4efe-a75f-c208fad4fae7.vbs"
        31⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b5a5c2c-bf70-41b8-8c28-ff8cfaf97b6b.vbs"
        29⤵
        
        PID:4220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c371c9ba-94a2-4648-927c-a655160706bd.vbs"
        27⤵
        
        PID:3684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cefffb0-6c41-41d6-8c35-0674d8f746d3.vbs"
        25⤵
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10e0c32a-e495-461f-8d43-03fde9bd0498.vbs"
        23⤵
        
        PID:4984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db144a67-3329-4058-9f74-281d28b23a81.vbs"
        21⤵
        
        PID:464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a27ae2ca-4e93-43ff-be9b-5ad0b2eaef72.vbs"
        19⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da1e8d9b-5653-44e5-98af-e44ca5c9dbf2.vbs"
        17⤵
        
        PID:116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b67a694c-0ba5-4dd4-8fe8-f935cadeacd6.vbs"
        15⤵
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55bcd58f-be6a-451b-a279-161ed2be05f7.vbs"
        13⤵
        
        PID:3428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f948e1cb-b606-4254-9e50-412a832ed05b.vbs"
        11⤵
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\868b1460-5ebc-491b-bab8-9a0233d64472.vbs"
        9⤵
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3c3744d-c8c5-40bd-b872-1524ee187a10.vbs"
        7⤵
        
        PID:1288
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df7f2f31-5f25-460d-a04b-3af603e16973.vbs"
        5⤵
        
        PID:4148
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a124c03b-46af-4d54-8789-c60edc6fcde4.vbs"
    3⤵
    PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\host\fxr\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\Engines\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Cursors\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\it-IT\lsass.exe

Filesize
1.4MB

MD5
181d043c0617914801548f09d5b776d4

SHA1
757f042065a3dc2c9f73e635b41f83591c8ad647

SHA256
501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad

SHA512
c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\160166ab-46a0-4bbf-8731-80c742598fb2.vbs

Filesize
711B

MD5
13528640a59e811f8228ea8b1f70ade8

SHA1
9f5891d630fd38cfa5695a1beffd6e82acd1007d

SHA256
2703b5c4c2dd9a8e23fb407db72eb7a8f7c93d35d3b130bd82e6b2d98e602948

SHA512
cd5f04e47f49f2e7970a055f7a4a1b2f23330adcae19d3dc80283c60510c27be499d9c3a3f5308e7cfe71d6fd12bee58188a0f63c51e0eba812f4b921b4f7cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a22ff81-916a-4f37-b57e-e47bd461e2bc.vbs

Filesize
711B

MD5
c417cde828916445d292f29cdb16a213

SHA1
68173b52284f4e93d8bef59e768d26abb9c4d217

SHA256
eea88aa11db54d1dea28b76706cad5d1b313633db5e038dd65d0efa5a5ce7b2c

SHA512
8bb10641a7c693f5b678604435463c85df04c345311256dd8e3746785581e022f7db77ae17fe51be844c5cd6888f1bd396baa0cad3c90e705ecdc3d0fa6ddb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e0b0a25-8522-445c-851c-079fe4ad85a2.vbs

Filesize
710B

MD5
4626b4e1f2a114e5ac1ebd8c7c095794

SHA1
88ac63d13c408d247056901e8fe78a6006d87fec

SHA256
58c43a03d8b097642cb66f12002fc8309be4a6a9bc54dbaa185132d2ae784f8b

SHA512
267eec8d70b3f4b51ccf754ca96a0923354f5ab859cd1f6dcda92737c2cd9c32cf2cf1da9a2f4f762d78983c5c2211343b5c25c0a80375d9f1230e163f5ca6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e23de11-a0c2-4ed5-bb1c-9a0a07a86eea.vbs

Filesize
711B

MD5
d81cb93b07d0625c599f7a5e0116ab89

SHA1
f79714eae2deee8580d658c4a8fbe1d971ac16ea

SHA256
ead3cf2b6b49f075f5b5ddf1b198d46abfe4bd026f61d5a4f0314f7e11277405

SHA512
3468ba9a9f594e745793561698aee69bd7e580a1e75fbe81b3b51f29dfb6f4f5bbe22212310858b3da3a41e91742635770fcdeeec5fc3b0f1f00c6cd41f1ae30

Download Submit
C:\Users\Admin\AppData\Local\Temp\400ba427-99c4-4292-88dd-71a401ecd031.vbs

Filesize
711B

MD5
f16748eda57455d59148d8e50efdb451

SHA1
426a68047c38fc4d58dab2e91498a59343849b2d

SHA256
55e555a9d97c0dff0e6d73b460bbacff396a2b2bd306ddcd405cb28f9ad363ea

SHA512
5321628336a2cfeab651a93168e91fb2baeb65c7062b9733bde2e88906566c5483c5c60fc0f7bca873809af56b477e95555858091a04530bc2ffa78461666deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f95cd8f-41bd-4a29-baa8-dcf863575fec.vbs

Filesize
711B

MD5
ecf9925497679fdeae8783fb559cc259

SHA1
d9da18f79059b0106e6fc392097735ad141f96ce

SHA256
aea2d5805b0a89a915daf13c6ce5a1a86cd52194516a24bfe2d2ea2ffcc54ad7

SHA512
b4bfcf0b0f09016f71a41456a62039fba7e98a6d5a58d9adf25f9196f154131681c082e2a7679c95b78c724df8e069507f459523ccede50b13f47af0beeb3125

Download Submit
C:\Users\Admin\AppData\Local\Temp\57d3d9a1-d8d1-4ecc-a6ee-38d7995187ac.vbs

Filesize
711B

MD5
cfe05604881adf6d878f9e6c82f6befc

SHA1
af8699eb709517693e9017d8844ced2b2bd8b3da

SHA256
70e47bd5390427205384e0b6ccf0b8dc3d1808ad470f6770ece8e9bb59cfbdf1

SHA512
ce7b44f618b5c51861790c7923038e99c69dc7e1815aa5fb1455f5fa7ae43b76b6a6037ead109cbb6514469aced4a3981ea615b020ee16dea205aa01cd2c8cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\78b6b133-57a4-4663-8345-bef69bfd941c.vbs

Filesize
710B

MD5
0208f4b0d8be301027b621adb60457f7

SHA1
88a25cfb9ec6b131688eec53be3ef185790a4d86

SHA256
e5913ea7dada8983b846b491b0c5b91b15991e4f698e7d8c97ef13e77cd5d33f

SHA512
b02f61cdb35fc22caa25028869761b1553a69426a0875cfe17680561f2551e2a0dacda96689186f663bc14f1f992092ab0b423cee477dff9a0c0523d5ef8e887

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c88ddc2-1da0-4061-b626-c46e93fe0dbb.vbs

Filesize
711B

MD5
54dfe8f6f421f3b4313f4d73255546d7

SHA1
a9a9945ce4ce5c0cc872ebfc578c57123788a373

SHA256
dcc26c1588fbafa6456a6a863bc9d6a0404258a577ad2313f9dd23ce0e833e21

SHA512
e5bee14e3b0fe22e277af23df2a46d0994ff30d8ce6dfee9113c94703b35b5f36c1c278da2452fd5e03c2314764baf3bfc8461a72e951c219d39e2396c65efe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fdc24a1-a207-4ebf-939a-169151d20bd7.vbs

Filesize
711B

MD5
6ab940fd9ca4b1bd61d33cde319160dd

SHA1
b77977b5d784544fa3dfcaa2052001e55e00c676

SHA256
7191fe3edc9bd6cec02680de6d5734ba296f6e1fda7218a7a0277a8db4c3bb3a

SHA512
38f56b1b2e30c680287c2e629059c83cfc61b1e49e7b067821bb9c0bec1c834c8fd9fb9f98eacfa7fe2b9df88b21b8cd858a42c80adf3b6cf2e25eab86da3e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\901dfc1a-1d2e-46ee-918e-b52cf964e5b2.vbs

Filesize
711B

MD5
a9012e976a4a29c5bc9ac2c2bc087d3a

SHA1
ef0f7f38980ecca1b7733b1a2467b541fb923cdd

SHA256
ca848785bd9d993aa8fa7cbd7c3f2d113fef5eedf7eb60229d72bd0af50fb906

SHA512
eb682d1c25f1dfe507790c56841c1dd520b4c77c9b642a018d8cb9cd1bea51e448feffea03ebc1e58085a007295170411a0c9adcc2326862b8052a61f19a09d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a124c03b-46af-4d54-8789-c60edc6fcde4.vbs

Filesize
487B

MD5
a60b2759e7681c1dd4a87f90fb58b489

SHA1
c73b52889797b395db04bf8e0d96dde097e13926

SHA256
ee4517636e8552e6011cc2ed9ca37e2ffe705b034d8ef79aba75db10db4c0348

SHA512
f7ffc0869387dc07d5d623479dff274f381f30f1c4da063adc05e074273ef1aa7185def3e5d037157fa89d5a7c6287aff70051dadd35310ea36bb1122317357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b88d6918-e6c2-495d-bba4-4d08a3e8b97e.vbs

Filesize
710B

MD5
0c02457d4660fb84d3b765f3fd7bc7fa

SHA1
a14b5518a83603d708a5c324fd56e5ab71235f3c

SHA256
1642431d9692a8f481cd718162fe9ffefa3656ca0465d935cd24b5f63c3d7a00

SHA512
0dc8db69c6def0c4c08d330c84e8160cf811350e872d31414703903d09befc3369bb3d711fee098e6d8fd6149814a535d5c9fab746b90b371c4704dce8041733

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8f9630d01ef8ce0c023a3d3eace96a0b7d520ef.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8f9630d01ef8ce0c023a3d3eace96a0b7d520ef.exe

Filesize
580KB

MD5
38a9f383f00eefe364c44d3155255b1e

SHA1
5de8f43ab61debe393c37b2a9ecbd51ad6555447

SHA256
1f6b6462fd1f81559c8b541686e2daaab46b51d4b2837fa2926f93e7a4d5178f

SHA512
7d9729b291b963309b6921d23bbcd8bf07d89af9600f42809375c178be6f10e6d313c1682d2199a2541d12b4a25698abd12fb28c9e098bb0015f03a9ed0df18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb8ce9fb-e572-4010-8057-8a4a043225cc.vbs

Filesize
711B

MD5
999156c3a1fd659314ccc57af8426b52

SHA1
eb1b107afbd9749c95c242b53a7a2fec6d375256

SHA256
3e6019408c747c6de4be83261c726c729e724de4aa3659d6d9662e7f89797af0

SHA512
da200d0b37620bdcd0ec20666f49a4b3f44a0e87dbbdb5c7067eb6ac1202597dc389487c7a09cb8e6757acbb424dd10c0d8d3ebe9443744b36630c776e73195b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce90394a-aa92-4e1a-ab4e-d27ebeaceaa2.vbs

Filesize
711B

MD5
15d7d91102d29212b22e2ab05595b56e

SHA1
faf6d6a014a0b566d82069ac37870fce8f2835cc

SHA256
339bc5ffc71689594866380e80a12ccf94dbf2b2a447e14fad3d671c5eef16b7

SHA512
a7cfce6d9db7e69abc9b96d25a062ba82049f0daa1297dfacffcb474bcc1eb9fdd06a246a48508655de7f81773fb94f39c13f8b90324a523bb66f5d53b49efe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f24334ca-1e5c-40ed-838c-565e9c10e497.vbs

Filesize
711B

MD5
f33188ca13f7606a471dbecd3fed8659

SHA1
0d174c883cc769d245128a0652728cfcb6eac08d

SHA256
dc4b3123e6a985a6addb7a7bb47cfdf999a908e28fc7d123e535db3117bbf704

SHA512
1cf67a95d819329bcc86120dda07336fa5da9cdfe78096e1788906909da0e92b36f5a81e4ea7a6b69953850dbd2a63e707ef6699f7903a88390aaf088c6b4a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9b47dbd-0995-49e4-8fe1-0e6f6eb2f2f9.vbs

Filesize
711B

MD5
28bafb9e197720c38ce3cbace2f9977c

SHA1
390cc5eee65abe5851d889a8910ffc0f11d15853

SHA256
b9a30a90e02c9c2688587fb5486b7dae75d208d8931e226dad0b95c87cb9f636

SHA512
644afe0ffa930eba9b003eeb82fde2129aa1b5652f3b097f78fcff3eb079f7ece3970eb84eaa944c237b575b236cb3a4863996b5802f3842360bd1eb5ca36b1d

Download Submit
C:\Users\Admin\OfficeClickToRun.exe

Filesize
923KB

MD5
1f800291ca6abc4377a30b83b519163f

SHA1
01254331a9f13f773193aa9d17c6a017c6170775

SHA256
9ed743873afcf4ebed67e63a6345c49d78cb828f338c4d39d47273ac6f199f1f

SHA512
62b1b6786d9587dd2a46b268681234db77a117f70794a18ce126220b69618a9079fd15d9b0aaf7045a632229f08b54a78f691ba1c7710834863a7f3cdb97db34

Download Submit
memory/4816-6-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/4816-10-0x00000000028F0000-0x00000000028FE000-memory.dmp

Filesize
56KB

Download
memory/4816-0-0x00007FFD9EE53000-0x00007FFD9EE55000-memory.dmp

Filesize
8KB

Download
memory/4816-5-0x0000000002780000-0x0000000002796000-memory.dmp

Filesize
88KB

Download
memory/4816-3-0x0000000000E60000-0x0000000000E7C000-memory.dmp

Filesize
112KB

Download
memory/4816-2-0x00007FFD9EE50000-0x00007FFD9F911000-memory.dmp

Filesize
10.8MB

Download
memory/4816-4-0x0000000002910000-0x0000000002960000-memory.dmp

Filesize
320KB

Download
memory/4816-7-0x00000000028C0000-0x00000000028CA000-memory.dmp

Filesize
40KB

Download
memory/4816-72-0x00007FFD9EE50000-0x00007FFD9F911000-memory.dmp

Filesize
10.8MB

Download
memory/4816-8-0x00000000028D0000-0x00000000028DC000-memory.dmp

Filesize
48KB

Download
memory/4816-1-0x00000000003D0000-0x0000000000538000-memory.dmp

Filesize
1.4MB

Download
memory/4816-9-0x00000000028E0000-0x00000000028EA000-memory.dmp

Filesize
40KB

Download