dcrat | 7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Size

2.2MB
MD5

3aa1bbd17d68b0b67b7423f1fe09b05b
SHA1

61c43b8f31a51d772fd39d5caa87699d74971a43
SHA256

7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
SHA512

7ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014
SSDEEP

49152:mx4QdTmxnMJUh+pDY92IXc3Mx+HqXQJc2cv1TDlH:QdPpDYbNiIP2cvxZH

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\CbsTemp\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files (x86)\\MSBuild\\System.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\CbsTemp\\OfficeClickToRun.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\CbsTemp\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\CbsTemp\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\CbsTemp\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files (x86)\\MSBuild\\System.exe\", \"C:\\Users\\Default\\Downloads\\lsass.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\CbsTemp\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files (x86)\\MSBuild\\System.exe\", \"C:\\Users\\Default\\Downloads\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\OfficeClickToRun.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\CbsTemp\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files (x86)\\MSBuild\\System.exe\", \"C:\\Users\\Default\\Downloads\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\OfficeClickToRun.exe\", \"C:\\Users\\All Users\\dllhost.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	248	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4828	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	4828	schtasks.exe	82

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4536-1-0x0000000000150000-0x000000000038E000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cd2-44.dat	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 15 IoCs

pid	Process
2376	OfficeClickToRun.exe
1680	OfficeClickToRun.exe
3320	OfficeClickToRun.exe
4784	OfficeClickToRun.exe
472	OfficeClickToRun.exe
1784	OfficeClickToRun.exe
1152	OfficeClickToRun.exe
4960	OfficeClickToRun.exe
2968	OfficeClickToRun.exe
2076	OfficeClickToRun.exe
4304	OfficeClickToRun.exe
4732	OfficeClickToRun.exe
3956	OfficeClickToRun.exe
4924	OfficeClickToRun.exe
3228	OfficeClickToRun.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\MSBuild\\System.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\CbsTemp\\OfficeClickToRun.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\System.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\CbsTemp\\OfficeClickToRun.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\MSBuild\\System.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Microsoft.NET\\OfficeClickToRun.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Microsoft.NET\\OfficeClickToRun.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\dllhost.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Downloads\\lsass.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Downloads\\lsass.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\dllhost.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\OfficeClickToRun.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files (x86)\Microsoft.NET\e6c9b481da804f	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files\WindowsPowerShell\Modules\System.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\System.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files\WindowsPowerShell\Modules\27d1bcfc3c54e0	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files (x86)\MSBuild\System.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files (x86)\MSBuild\27d1bcfc3c54e0	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CbsTemp\OfficeClickToRun.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Windows\CbsTemp\e6c9b481da804f	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4964	schtasks.exe
4772	schtasks.exe
1748	schtasks.exe
1616	schtasks.exe
4784	schtasks.exe
3104	schtasks.exe
2304	schtasks.exe
4708	schtasks.exe
4868	schtasks.exe
2964	schtasks.exe
4024	schtasks.exe
4356	schtasks.exe
1156	schtasks.exe
388	schtasks.exe
224	schtasks.exe
3700	schtasks.exe
3348	schtasks.exe
548	schtasks.exe
3360	schtasks.exe
4204	schtasks.exe
4952	schtasks.exe
5068	schtasks.exe
4912	schtasks.exe
1256	schtasks.exe
4960	schtasks.exe
244	schtasks.exe
2656	schtasks.exe
1752	schtasks.exe
4140	schtasks.exe
248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
2376	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Token: SeDebugPrivilege	2376	OfficeClickToRun.exe
Token: SeDebugPrivilege	1680	OfficeClickToRun.exe
Token: SeDebugPrivilege	3320	OfficeClickToRun.exe
Token: SeDebugPrivilege	4784	OfficeClickToRun.exe
Token: SeDebugPrivilege	472	OfficeClickToRun.exe
Token: SeDebugPrivilege	1784	OfficeClickToRun.exe
Token: SeDebugPrivilege	1152	OfficeClickToRun.exe
Token: SeDebugPrivilege	4960	OfficeClickToRun.exe
Token: SeDebugPrivilege	2968	OfficeClickToRun.exe
Token: SeDebugPrivilege	2076	OfficeClickToRun.exe
Token: SeDebugPrivilege	4304	OfficeClickToRun.exe
Token: SeDebugPrivilege	4732	OfficeClickToRun.exe
Token: SeDebugPrivilege	3956	OfficeClickToRun.exe
Token: SeDebugPrivilege	4924	OfficeClickToRun.exe
Token: SeDebugPrivilege	3228	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 2376	4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe	113
PID 4536 wrote to memory of 2376	4536	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe	113
PID 2376 wrote to memory of 1820	2376	OfficeClickToRun.exe	114
PID 2376 wrote to memory of 1820	2376	OfficeClickToRun.exe	114
PID 2376 wrote to memory of 3212	2376	OfficeClickToRun.exe	115
PID 2376 wrote to memory of 3212	2376	OfficeClickToRun.exe	115
PID 1820 wrote to memory of 1680	1820	WScript.exe	122
PID 1820 wrote to memory of 1680	1820	WScript.exe	122
PID 1680 wrote to memory of 3004	1680	OfficeClickToRun.exe	123
PID 1680 wrote to memory of 3004	1680	OfficeClickToRun.exe	123
PID 1680 wrote to memory of 3760	1680	OfficeClickToRun.exe	124
PID 1680 wrote to memory of 3760	1680	OfficeClickToRun.exe	124
PID 3004 wrote to memory of 3320	3004	WScript.exe	126
PID 3004 wrote to memory of 3320	3004	WScript.exe	126
PID 3320 wrote to memory of 240	3320	OfficeClickToRun.exe	127
PID 3320 wrote to memory of 240	3320	OfficeClickToRun.exe	127
PID 3320 wrote to memory of 412	3320	OfficeClickToRun.exe	128
PID 3320 wrote to memory of 412	3320	OfficeClickToRun.exe	128
PID 240 wrote to memory of 4784	240	WScript.exe	130
PID 240 wrote to memory of 4784	240	WScript.exe	130
PID 4784 wrote to memory of 2536	4784	OfficeClickToRun.exe	131
PID 4784 wrote to memory of 2536	4784	OfficeClickToRun.exe	131
PID 4784 wrote to memory of 2796	4784	OfficeClickToRun.exe	132
PID 4784 wrote to memory of 2796	4784	OfficeClickToRun.exe	132
PID 2536 wrote to memory of 472	2536	WScript.exe	133
PID 2536 wrote to memory of 472	2536	WScript.exe	133
PID 472 wrote to memory of 3568	472	OfficeClickToRun.exe	134
PID 472 wrote to memory of 3568	472	OfficeClickToRun.exe	134
PID 472 wrote to memory of 2376	472	OfficeClickToRun.exe	135
PID 472 wrote to memory of 2376	472	OfficeClickToRun.exe	135
PID 3568 wrote to memory of 1784	3568	WScript.exe	136
PID 3568 wrote to memory of 1784	3568	WScript.exe	136
PID 1784 wrote to memory of 432	1784	OfficeClickToRun.exe	137
PID 1784 wrote to memory of 432	1784	OfficeClickToRun.exe	137
PID 1784 wrote to memory of 1464	1784	OfficeClickToRun.exe	138
PID 1784 wrote to memory of 1464	1784	OfficeClickToRun.exe	138
PID 432 wrote to memory of 1152	432	WScript.exe	139
PID 432 wrote to memory of 1152	432	WScript.exe	139
PID 1152 wrote to memory of 5028	1152	OfficeClickToRun.exe	140
PID 1152 wrote to memory of 5028	1152	OfficeClickToRun.exe	140
PID 1152 wrote to memory of 2340	1152	OfficeClickToRun.exe	141
PID 1152 wrote to memory of 2340	1152	OfficeClickToRun.exe	141
PID 5028 wrote to memory of 4960	5028	WScript.exe	142
PID 5028 wrote to memory of 4960	5028	WScript.exe	142
PID 4960 wrote to memory of 816	4960	OfficeClickToRun.exe	143
PID 4960 wrote to memory of 816	4960	OfficeClickToRun.exe	143
PID 4960 wrote to memory of 4604	4960	OfficeClickToRun.exe	144
PID 4960 wrote to memory of 4604	4960	OfficeClickToRun.exe	144
PID 816 wrote to memory of 2968	816	WScript.exe	145
PID 816 wrote to memory of 2968	816	WScript.exe	145
PID 2968 wrote to memory of 3784	2968	OfficeClickToRun.exe	146
PID 2968 wrote to memory of 3784	2968	OfficeClickToRun.exe	146
PID 2968 wrote to memory of 2140	2968	OfficeClickToRun.exe	147
PID 2968 wrote to memory of 2140	2968	OfficeClickToRun.exe	147
PID 3784 wrote to memory of 2076	3784	WScript.exe	148
PID 3784 wrote to memory of 2076	3784	WScript.exe	148
PID 2076 wrote to memory of 1820	2076	OfficeClickToRun.exe	149
PID 2076 wrote to memory of 1820	2076	OfficeClickToRun.exe	149
PID 2076 wrote to memory of 1980	2076	OfficeClickToRun.exe	150
PID 2076 wrote to memory of 1980	2076	OfficeClickToRun.exe	150
PID 1820 wrote to memory of 4304	1820	WScript.exe	151
PID 1820 wrote to memory of 4304	1820	WScript.exe	151
PID 4304 wrote to memory of 4392	4304	OfficeClickToRun.exe	152
PID 4304 wrote to memory of 4392	4304	OfficeClickToRun.exe	152

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
"C:\Users\Admin\AppData\Local\Temp\7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4536
- C:\Windows\CbsTemp\OfficeClickToRun.exe
  "C:\Windows\CbsTemp\OfficeClickToRun.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2376
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e18c137c-d1e7-4e5a-9e6d-e424a48c564c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\CbsTemp\OfficeClickToRun.exe
      C:\Windows\CbsTemp\OfficeClickToRun.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1680
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b609269-fad3-491d-b177-4ee73488bcab.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d38cb18-6c4a-495c-86e8-7aa3a9b4a9f1.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\737dd586-b40e-4d08-9d3a-cfe293e79088.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5d89846-576f-4dcf-938f-803aecc99656.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8857ff5-9bd1-43ec-bdba-77ac519d51d3.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\837a4a49-cfca-4087-bd65-8b05eb9a8078.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1245619f-7266-453a-85ba-c99f4d5dd014.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0471046b-0d52-484b-a0ab-f496259583b6.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cca24f5-9d9f-4f15-b7db-c80b4870cb4d.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afb0b95b-ff89-47d9-9415-92ae6b4d8ff7.vbs"
        23⤵
        
        PID:4392
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7359b1b-0caf-43f3-a611-656168be5cdc.vbs"
        25⤵
        
        PID:2120
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e522bc2d-0ed6-4d9f-b98a-2c4e552d37a2.vbs"
        27⤵
        
        PID:4444
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df8e9c6a-5453-4288-bb57-267761bb59e6.vbs"
        29⤵
        
        PID:3604
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        
        C:\Windows\CbsTemp\OfficeClickToRun.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2da54f2f-d515-4b85-9999-ca9e38880e62.vbs"
        31⤵
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e339c7d4-1d14-42d1-9e6b-d384642810d8.vbs"
        31⤵
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca793ec4-5403-45be-acac-f9abba7e2473.vbs"
        29⤵
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1d6f964-3c63-4c5d-976e-93b97db99371.vbs"
        27⤵
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b30f214-2485-46aa-9a76-64e6e6f223a2.vbs"
        25⤵
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17fbcd1f-2fee-4554-99f7-be4dfb01ce31.vbs"
        23⤵
        
        PID:3332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26967f4d-a9bc-4e44-92ba-37731c5549fe.vbs"
        21⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54cded41-08ed-4e0f-a39e-17c1236ba984.vbs"
        19⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96a5a56d-2ffb-48d6-809f-066fa01714da.vbs"
        17⤵
        
        PID:4604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2014958b-02dd-4052-a46c-fdf243534d21.vbs"
        15⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f195518-f0fd-4f5b-83dd-747689b1e80c.vbs"
        13⤵
        
        PID:1464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24272418-a29a-4ad8-8283-66715d740a4c.vbs"
        11⤵
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6f8e3b4-874e-4f78-a5ec-203617aee6e1.vbs"
        9⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4793295b-4799-40ad-ac2e-6859a177dc22.vbs"
        7⤵
        
        PID:412
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\289120bb-e43a-4e89-97a6-aee4bdc83de7.vbs"
        5⤵
        
        PID:3760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3db88500-f71d-45e8-92a6-b3324cce6e42.vbs"
    3⤵
    PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\CbsTemp\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\CbsTemp\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sppsvc.exe

Filesize
2.2MB

MD5
3aa1bbd17d68b0b67b7423f1fe09b05b

SHA1
61c43b8f31a51d772fd39d5caa87699d74971a43

SHA256
7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474

SHA512
7ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0471046b-0d52-484b-a0ab-f496259583b6.vbs

Filesize
715B

MD5
f49aa6c3350fe7accc9fd5a13572ae4d

SHA1
b4a5eb3e65ce53ea89375fb795d2be24ff948628

SHA256
b8da665e66dc6ab98e3bc9d89a0ff0f88f658d5117b621c5506ef33bb1a06d53

SHA512
98116c38b0122624d0a1f447b5f6678f5416ae43a13fd1436b600eae513c2658ff69f9702f090255bdfbbbd622156105c2d1e02fde976951547c4ba079d5d8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1245619f-7266-453a-85ba-c99f4d5dd014.vbs

Filesize
715B

MD5
9b3ca16d6d9455eeb172e40f9e9eda35

SHA1
c45c6432c1b8f057adc0ec267fb5618b28876b6a

SHA256
e8ee14da6e55142466c79091903bf64f84ee1a4697e9f011183dfeb790114105

SHA512
abf7f796624869822a96745f5bfdb22778caa52904b81430004d9f4e325e36ed749536b72764a56157cdfcf66f0e804a0f222846cfe13b42e6a9bbe018949ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2da54f2f-d515-4b85-9999-ca9e38880e62.vbs

Filesize
715B

MD5
f720bac23c307eb1aa2403f3ac599e25

SHA1
d7c4fe8457b5334535a6f7c75d56844ff1195c95

SHA256
d75a5853f79b59c352466d4f7ae445c709b090744f9c674691fae67a644bfeb3

SHA512
80d09e823f3ad6f4c4169dc17ff321a549516e6be62a89c1ff0a3bc16d129010cac1dcaa109e72bff3cf593526eed0094970af5d6872bcaabc6ceb75fe38f412

Download Submit
C:\Users\Admin\AppData\Local\Temp\3db88500-f71d-45e8-92a6-b3324cce6e42.vbs

Filesize
491B

MD5
fe2c0690017b88d0d00a10b2e2ad6e5d

SHA1
1ba2793a727f246307ff1ae4861f24aa6923c49c

SHA256
180b5d4ac2ee893d532558bc529ce100706b88aa5496c3e554c4a33223a164ae

SHA512
e36b4599d895bcb78a413271f8ba1a7b22581f0a9d6b1ca6dd5072da17fcf8843bb00eff0884a0edf30e75d98c4f70bcac2d453699af62c6ffb5e88986856a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b609269-fad3-491d-b177-4ee73488bcab.vbs

Filesize
715B

MD5
04c1bec49a31c2af0188c248d3050900

SHA1
e98d6ccf6b8229de5bee1d1ffc30284e3b0b2694

SHA256
4bda19d915d4156510774d6bf98a82609a43d76b026a6b5e12348d8e532698f9

SHA512
e75981451955bfe030ac2d2891eb7fbc66838cfac93b1ce9f2cf131b75e77b2dc2f182d8781fb86631c0ecea5a738f7fd01ade2c5be449e0c46817b63bcee7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\737dd586-b40e-4d08-9d3a-cfe293e79088.vbs

Filesize
715B

MD5
6cefbe005d195717812b7c1bf6b42585

SHA1
a5f219b171f632afd069b79d6b0ec2ba7426113f

SHA256
2d36ec0dbe217e8c2bcd5f013653fa7298a0714cd54e5cf8ad62e9b48e8d4675

SHA512
6ea076f5bf1225a2e81008ff686390aa68cfb6d94a2a9881a594963d92f4de1b669ba6d755f6e3814d71fc47ba1e80a6d8c961bf70f277beef5d46c75714f107

Download Submit
C:\Users\Admin\AppData\Local\Temp\837a4a49-cfca-4087-bd65-8b05eb9a8078.vbs

Filesize
715B

MD5
ba361f2e3b96fde6e31c521276cdb065

SHA1
0dae2d52b7e86c7e1757abc23726020e1cef1564

SHA256
806689c220f8a5c15895838da17d12d4d97efafb7b02fb2101135e74b1e4820f

SHA512
48e5f8a1bb8feb1e788425a543caf6ac04e0b11849d4a1786066ff8632ce5ef7e6b9f2b729de73f28455f3a0a303a430fe8ef5800a2dd623ce26a176d5c94287

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d38cb18-6c4a-495c-86e8-7aa3a9b4a9f1.vbs

Filesize
715B

MD5
58c5221eea7bc1c7cfbb6bc4cf6b0166

SHA1
2edbd2f68e7d3ab74caf4e0d953eadc088614014

SHA256
124f7e3597d49a291e46cb6bab9a4bf0c03f9cc26403c14926dcc9256391ad89

SHA512
d8b671fe58ecce6806f0211a4795a595dc0096f52b15cb4bdbb6115adc92fa6294b1cb911ad2450908acf5ce93a759a4f6d783738b156e9e1bf3ab556141f921

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cca24f5-9d9f-4f15-b7db-c80b4870cb4d.vbs

Filesize
715B

MD5
a8cc3ba6713080318f2265d29ca8bf3a

SHA1
2d328496ade92bd6d0967e6f79fee466b40f72f1

SHA256
027aadf0981e66278f5c22b1b2c111971be8424935ed33faef42e00d2a68b2fa

SHA512
a4415c697252ffc73527aad3df9e5d29baa09d9194df72870a93a332186dba2c0c3487a2d92ebaa249546ff8f74b83d76040fd7b307112b41c89e8d3bcb7266b

Download Submit
C:\Users\Admin\AppData\Local\Temp\afb0b95b-ff89-47d9-9415-92ae6b4d8ff7.vbs

Filesize
715B

MD5
7b17c0b028ea68ed9ca827df71b6b016

SHA1
d5883bdd91339496a219a7936cd40cb965c11c3b

SHA256
306db214880bf32405eec5f5ebe7f0c4813379e0a0a79182473ba11d185b8ca5

SHA512
119f7a5fb1a54a0fa8899e5db38a3b23e32185df23ae9128f3d0d66e9b74d414907105ed9f322ea366727470be273b4ba26d7c15631d1449ead8b5e067962358

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7359b1b-0caf-43f3-a611-656168be5cdc.vbs

Filesize
715B

MD5
8a9e22468036d2a9372dba468e3b8744

SHA1
2dd9b87118395dd8c374b97fb7a3f546485c227c

SHA256
d65d70647ddb3af8b2a77583a5ccc818e27084926f5ac6c9b24ac18707a625df

SHA512
1b7ed4ff8dc4858ebba52918f5649b1dfcab25ded950210c9068ed35f636f2b936fdd413a1bf7486f57c30efe8ad1ffaade37b7cf2f512b938219d8af62a795d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8857ff5-9bd1-43ec-bdba-77ac519d51d3.vbs

Filesize
715B

MD5
1e83379f75ea3925cf68c7f07cd1e0ae

SHA1
ed56d6fc21ec71a1ae26a8157dc32035c9953704

SHA256
06fbe1bd53ca42bc9a6d97df119156ec9f11b3d983a2a3b4e35c20767c9438bc

SHA512
f9c1402b3fa1cafc740c1d52cfc115a921e21a64d2f0b148bd371ef5381f373cbbb5f2fb7de186c65874d8d8e7f5b4721a75c9a15cf2655c42334db87a6302d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\df8e9c6a-5453-4288-bb57-267761bb59e6.vbs

Filesize
715B

MD5
39a783eeaf37d762b556cbe46329b9ed

SHA1
63a03f1de8e33f3716f46da081ac4b8a11b768f1

SHA256
462c7131b3b5ae96c823f47a4765a45e9e278c9428baafa40a7ea7d722634a94

SHA512
49411a1d823916de173c87bf479a0b0a2d5be548352be77baeccf8717d77d5c3fbddab09086840d51c07669f0e5eaa403339be3687c9d9edaa21bd760875a3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e18c137c-d1e7-4e5a-9e6d-e424a48c564c.vbs

Filesize
715B

MD5
a36fc7acb97a921a82e841b526d45a84

SHA1
d585e7006ab03073c4e1f45b0835c704bf396be0

SHA256
7213ad5637732d8d8f5c8f51ef9a7ddb0a58c00df9c90335e30677fcae4f6156

SHA512
a7eb96e9bada6a94c7d9e98fcf78feddf5215ce2c3fe55c75b027995a482d871688de82c7fca306702b71975e43f40454ed32c110f698c9b6314dcf87c9362e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e522bc2d-0ed6-4d9f-b98a-2c4e552d37a2.vbs

Filesize
715B

MD5
b135d1fc6f5ceb98b483e8a1500d3e09

SHA1
e040348b8fd535435be45f85d1c46f4511cf654c

SHA256
6726402d558d0bf5baebe0509090aba7ddc80abb23da66fe6264b6fe3760d66c

SHA512
5da784e56179fd3385b00dd992ecaf7b29aea57efaaad2c28502ed5fb5509d22e08ccbd12e4d6053b9717f3e590fc279afbb4147707e7a7e732b4182720ff375

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5d89846-576f-4dcf-938f-803aecc99656.vbs

Filesize
714B

MD5
b867ed053677d4a4af232cd97c377962

SHA1
d5319f5a051853b1d54cc2d5eb2f75fd7a7d5b7d

SHA256
103b8acd1bfd1ddb332d9dea770e4f56cc2a37b10d9e9f5094ac914f371e4d54

SHA512
ead491d3b78b9c22ebc4f720c9c88b8f2a25c922e871b164492eda22dc8ea3b2b8b97f94a486b766dfc887ccf974ad95573598dd3cb77570d83ae9cba5e54a90

Download Submit
memory/1152-137-0x000000001B8D0000-0x000000001B8E2000-memory.dmp

Filesize
72KB

Download
memory/1784-125-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2076-171-0x0000000002890000-0x00000000028A2000-memory.dmp

Filesize
72KB

Download
memory/2376-68-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/3228-228-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/4304-183-0x000000001BBA0000-0x000000001BBB2000-memory.dmp

Filesize
72KB

Download
memory/4536-15-0x000000001B0B0000-0x000000001B0BA000-memory.dmp

Filesize
40KB

Download
memory/4536-18-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/4536-32-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/4536-31-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/4536-30-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/4536-34-0x000000001BB00000-0x000000001BB0A000-memory.dmp

Filesize
40KB

Download
memory/4536-35-0x000000001BB10000-0x000000001BB1C000-memory.dmp

Filesize
48KB

Download
memory/4536-33-0x000000001BAF0000-0x000000001BAF8000-memory.dmp

Filesize
32KB

Download
memory/4536-29-0x000000001BAB0000-0x000000001BABE000-memory.dmp

Filesize
56KB

Download
memory/4536-28-0x000000001B9A0000-0x000000001B9AA000-memory.dmp

Filesize
40KB

Download
memory/4536-26-0x000000001B980000-0x000000001B988000-memory.dmp

Filesize
32KB

Download
memory/4536-21-0x000000001BD80000-0x000000001C2A8000-memory.dmp

Filesize
5.2MB

Download
memory/4536-25-0x000000001B870000-0x000000001B87C000-memory.dmp

Filesize
48KB

Download
memory/4536-67-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download
memory/4536-24-0x000000001B860000-0x000000001B86C000-memory.dmp

Filesize
48KB

Download
memory/4536-23-0x000000001B850000-0x000000001B858000-memory.dmp

Filesize
32KB

Download
memory/4536-22-0x000000001B110000-0x000000001B11C000-memory.dmp

Filesize
48KB

Download
memory/4536-19-0x000000001B0F0000-0x000000001B0F8000-memory.dmp

Filesize
32KB

Download
memory/4536-20-0x000000001B100000-0x000000001B112000-memory.dmp

Filesize
72KB

Download
memory/4536-27-0x000000001B990000-0x000000001B99C000-memory.dmp

Filesize
48KB

Download
memory/4536-17-0x000000001B0D0000-0x000000001B0D8000-memory.dmp

Filesize
32KB

Download
memory/4536-16-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

Filesize
48KB

Download
memory/4536-0-0x00007FFFE13C3000-0x00007FFFE13C5000-memory.dmp

Filesize
8KB

Download
memory/4536-14-0x000000001B090000-0x000000001B0A0000-memory.dmp

Filesize
64KB

Download
memory/4536-13-0x000000001B080000-0x000000001B088000-memory.dmp

Filesize
32KB

Download
memory/4536-12-0x000000001B0A0000-0x000000001B0AC000-memory.dmp

Filesize
48KB

Download
memory/4536-11-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4536-10-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/4536-9-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4536-6-0x000000001B030000-0x000000001B080000-memory.dmp

Filesize
320KB

Download
memory/4536-7-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/4536-8-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/4536-4-0x00000000025C0000-0x00000000025C8000-memory.dmp

Filesize
32KB

Download
memory/4536-5-0x00000000025D0000-0x00000000025EC000-memory.dmp

Filesize
112KB

Download
memory/4536-3-0x00000000025B0000-0x00000000025BE000-memory.dmp

Filesize
56KB

Download
memory/4536-2-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download
memory/4536-1-0x0000000000150000-0x000000000038E000-memory.dmp

Filesize
2.2MB

Download