dcrat | bd97113232c06c13e8659adacaec61f3b66414d8be912d888aa1b1fce3ab3684

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Size

1.8MB
MD5

32db4bf35b9c2efc730718e2f8cd4fbc
SHA1

616a5c549f6c1c191f82d8cea82c65e25869241e
SHA256

2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497
SHA512

577146b764a00bcd3ff34a4ec278c49db91e7a5eb3647f561455499a7c01c52c513a5283041a378ffb57747e0ad0c93795d7287b5814a01f94612ac81f1828c2
SSDEEP

24576:PYWx+zBv7JhqvqIsCHeX2RYk1ORuQfAb3ev4XwpgcYZSqu/lYXeHB80K:PAz2H5RYj4QyQZviTu/Ouh

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\fontdrvhost.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\fontdrvhost.exe\", \"C:\\Windows\\bcastdvr\\wininit.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\fontdrvhost.exe\", \"C:\\Windows\\bcastdvr\\wininit.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\csrss.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\fontdrvhost.exe\", \"C:\\Windows\\bcastdvr\\wininit.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	3440	schtasks.exe	82

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1236	powershell.exe
1388	powershell.exe
5044	powershell.exe
1264	powershell.exe
1584	powershell.exe
4924	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 17 IoCs

pid	Process
1880	OfficeClickToRun.exe
1536	OfficeClickToRun.exe
4916	OfficeClickToRun.exe
1640	OfficeClickToRun.exe
5036	OfficeClickToRun.exe
4560	OfficeClickToRun.exe
3220	OfficeClickToRun.exe
3944	OfficeClickToRun.exe
2228	OfficeClickToRun.exe
3484	OfficeClickToRun.exe
4784	OfficeClickToRun.exe
4536	OfficeClickToRun.exe
4344	OfficeClickToRun.exe
1004	OfficeClickToRun.exe
4268	OfficeClickToRun.exe
5084	OfficeClickToRun.exe
1352	OfficeClickToRun.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\bcastdvr\\wininit.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\csrss.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\csrss.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\fontdrvhost.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\fontdrvhost.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\bcastdvr\\wininit.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC2553FB0FF0C447308D2424526AA97CD.TMP	csc.exe
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\5b884080fd4f94	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\886983d96e3d3e	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
File created	C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Boot\winlogon.exe	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
File created	C:\Windows\bcastdvr\wininit.exe	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
File created	C:\Windows\bcastdvr\56085415360792	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4508	PING.EXE
3228	PING.EXE
3156	PING.EXE
2180	PING.EXE
2724	PING.EXE
800	PING.EXE
2640	PING.EXE
116	PING.EXE
1820	PING.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1820	PING.EXE
4508	PING.EXE
116	PING.EXE
2180	PING.EXE
2724	PING.EXE
2640	PING.EXE
3228	PING.EXE
3156	PING.EXE
800	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1720	schtasks.exe
1128	schtasks.exe
1840	schtasks.exe
4736	schtasks.exe
3496	schtasks.exe
3676	schtasks.exe
2956	schtasks.exe
3428	schtasks.exe
1220	schtasks.exe
464	schtasks.exe
4548	schtasks.exe
3212	schtasks.exe
796	schtasks.exe
4668	schtasks.exe
808	schtasks.exe
3268	schtasks.exe
1928	schtasks.exe
3372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1880	OfficeClickToRun.exe
Token: SeDebugPrivilege	1536	OfficeClickToRun.exe
Token: SeDebugPrivilege	4916	OfficeClickToRun.exe
Token: SeDebugPrivilege	1640	OfficeClickToRun.exe
Token: SeDebugPrivilege	5036	OfficeClickToRun.exe
Token: SeDebugPrivilege	4560	OfficeClickToRun.exe
Token: SeDebugPrivilege	3220	OfficeClickToRun.exe
Token: SeDebugPrivilege	3944	OfficeClickToRun.exe
Token: SeDebugPrivilege	2228	OfficeClickToRun.exe
Token: SeDebugPrivilege	3484	OfficeClickToRun.exe
Token: SeDebugPrivilege	4784	OfficeClickToRun.exe
Token: SeDebugPrivilege	4536	OfficeClickToRun.exe
Token: SeDebugPrivilege	4344	OfficeClickToRun.exe
Token: SeDebugPrivilege	1004	OfficeClickToRun.exe
Token: SeDebugPrivilege	4268	OfficeClickToRun.exe
Token: SeDebugPrivilege	5084	OfficeClickToRun.exe
Token: SeDebugPrivilege	1352	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 1120	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	86
PID 3172 wrote to memory of 1120	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	86
PID 1120 wrote to memory of 3444	1120	csc.exe	88
PID 1120 wrote to memory of 3444	1120	csc.exe	88
PID 3172 wrote to memory of 1264	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	104
PID 3172 wrote to memory of 1264	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	104
PID 3172 wrote to memory of 5044	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	105
PID 3172 wrote to memory of 5044	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	105
PID 3172 wrote to memory of 1388	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	106
PID 3172 wrote to memory of 1388	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	106
PID 3172 wrote to memory of 1236	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	107
PID 3172 wrote to memory of 1236	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	107
PID 3172 wrote to memory of 1584	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	108
PID 3172 wrote to memory of 1584	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	108
PID 3172 wrote to memory of 4924	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	109
PID 3172 wrote to memory of 4924	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	109
PID 3172 wrote to memory of 2724	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	115
PID 3172 wrote to memory of 2724	3172	2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe	115
PID 2724 wrote to memory of 1440	2724	cmd.exe	118
PID 2724 wrote to memory of 1440	2724	cmd.exe	118
PID 2724 wrote to memory of 2640	2724	cmd.exe	119
PID 2724 wrote to memory of 2640	2724	cmd.exe	119
PID 2724 wrote to memory of 1880	2724	cmd.exe	120
PID 2724 wrote to memory of 1880	2724	cmd.exe	120
PID 1880 wrote to memory of 1344	1880	OfficeClickToRun.exe	121
PID 1880 wrote to memory of 1344	1880	OfficeClickToRun.exe	121
PID 1344 wrote to memory of 3220	1344	cmd.exe	123
PID 1344 wrote to memory of 3220	1344	cmd.exe	123
PID 1344 wrote to memory of 1452	1344	cmd.exe	124
PID 1344 wrote to memory of 1452	1344	cmd.exe	124
PID 1344 wrote to memory of 1536	1344	cmd.exe	129
PID 1344 wrote to memory of 1536	1344	cmd.exe	129
PID 1536 wrote to memory of 936	1536	OfficeClickToRun.exe	130
PID 1536 wrote to memory of 936	1536	OfficeClickToRun.exe	130
PID 936 wrote to memory of 1376	936	cmd.exe	132
PID 936 wrote to memory of 1376	936	cmd.exe	132
PID 936 wrote to memory of 1700	936	cmd.exe	133
PID 936 wrote to memory of 1700	936	cmd.exe	133
PID 936 wrote to memory of 4916	936	cmd.exe	136
PID 936 wrote to memory of 4916	936	cmd.exe	136
PID 4916 wrote to memory of 3008	4916	OfficeClickToRun.exe	137
PID 4916 wrote to memory of 3008	4916	OfficeClickToRun.exe	137
PID 3008 wrote to memory of 4200	3008	cmd.exe	139
PID 3008 wrote to memory of 4200	3008	cmd.exe	139
PID 3008 wrote to memory of 5056	3008	cmd.exe	140
PID 3008 wrote to memory of 5056	3008	cmd.exe	140
PID 3008 wrote to memory of 1640	3008	cmd.exe	143
PID 3008 wrote to memory of 1640	3008	cmd.exe	143
PID 1640 wrote to memory of 1460	1640	OfficeClickToRun.exe	144
PID 1640 wrote to memory of 1460	1640	OfficeClickToRun.exe	144
PID 1460 wrote to memory of 764	1460	cmd.exe	146
PID 1460 wrote to memory of 764	1460	cmd.exe	146
PID 1460 wrote to memory of 1820	1460	cmd.exe	147
PID 1460 wrote to memory of 1820	1460	cmd.exe	147
PID 1460 wrote to memory of 5036	1460	cmd.exe	148
PID 1460 wrote to memory of 5036	1460	cmd.exe	148
PID 5036 wrote to memory of 3720	5036	OfficeClickToRun.exe	149
PID 5036 wrote to memory of 3720	5036	OfficeClickToRun.exe	149
PID 3720 wrote to memory of 4060	3720	cmd.exe	151
PID 3720 wrote to memory of 4060	3720	cmd.exe	151
PID 3720 wrote to memory of 4508	3720	cmd.exe	152
PID 3720 wrote to memory of 4508	3720	cmd.exe	152
PID 3720 wrote to memory of 4560	3720	cmd.exe	153
PID 3720 wrote to memory of 4560	3720	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe
"C:\Users\Admin\AppData\Local\Temp\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjll1bt5\wjll1bt5.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDC2.tmp" "c:\Windows\System32\CSC2553FB0FF0C447308D2424526AA97CD.TMP"
    3⤵
    PID:3444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bXTKNuQ4NL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1440
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2640
- - C:\Recovery\WindowsRE\OfficeClickToRun.exe
    "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZxWzsCgC4b.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3220
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1452
    - - C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g9fdK0eS1C.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1700
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4OUXFRIcf.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5056
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1820
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4508
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat"
        14⤵
        
        PID:3912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3228
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kWWWq8Mjwm.bat"
        16⤵
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3156
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qTmai1Dpby.bat"
        18⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2600
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wevF9pB6YZ.bat"
        20⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2560
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sxRqhXCXyo.bat"
        22⤵
        
        PID:3616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:116
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QrE9yw7ggl.bat"
        24⤵
        
        PID:4260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2180
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\02n8fxtMT9.bat"
        26⤵
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2724
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qTmai1Dpby.bat"
        28⤵
        
        PID:4660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2956
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZI9TpMxUin.bat"
        30⤵
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:800
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h2sGrcN1Zw.bat"
        32⤵
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:1548
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat"
        34⤵
        
        PID:3224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:4892
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\bcastdvr\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef384972" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef384972" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\explorer.exe

Filesize
1.8MB

MD5
32db4bf35b9c2efc730718e2f8cd4fbc

SHA1
616a5c549f6c1c191f82d8cea82c65e25869241e

SHA256
2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497

SHA512
577146b764a00bcd3ff34a4ec278c49db91e7a5eb3647f561455499a7c01c52c513a5283041a378ffb57747e0ad0c93795d7287b5814a01f94612ac81f1828c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\02n8fxtMT9.bat

Filesize
170B

MD5
769d01b1cff086a160303090bc5f9d1e

SHA1
8d60f2ff95f1796a578f3f11e32c024064635501

SHA256
5274335d49b169619734da98559969e5297e16dd97a6c21098cbdfa512c8766d

SHA512
482e23b47d1d1e878514905fef756bec136e27051f531516c52b95f6daf64ada890955f8bc0353f1d785298cdff249142ca851b71f12d6ec90e95f084770d913

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4OUXFRIcf.bat

Filesize
218B

MD5
522dff449d4636610dc010dda4bbcf31

SHA1
70d598128c0d13c7d1e4c6bebf3f53fb89d5cd53

SHA256
db6eec20382e45ae3433ecca1fe3b5c6caa9cef93b9c9ccb35165c8a11962a93

SHA512
265285b1b5a5255cdf7a73d81d855ebd53f7316a5900c06e3ef0ba651b633c2eb7aee0de40cbd067ff1ab69133b56d37800c684d38fc4b027bb90bc965d999cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat

Filesize
170B

MD5
336a0f243963dfb44325ad12e012d20c

SHA1
624a961248df223ccf0bf5666972325ffcacf356

SHA256
6e7994534c2eab64e8735d1ef82eda64fbbd0876c3b2e7cb88e44c591306fa5d

SHA512
403aa9f4163b0abd7027c9182a2056c0e3331642cbf6c2c49f9b9c45a649d534848c3ecdcd1f31eb2e1e723effa465b6febecac77a2c0f79dab54ad6c28f798d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QrE9yw7ggl.bat

Filesize
170B

MD5
b03b244770b54d8ae5ad30e19c5c7273

SHA1
ef09880fb7e0bc3c593d0db9fb7099172540f306

SHA256
1b502b80460ef0a8f0b2a6669ef480ed3f63adf9ef19c86a4f54a9f00afd62a4

SHA512
0ae1c10a74e2b119898656cf32fbcc458aa85c4e325e9f1bd8e8a9db536952301f33b42d977f1cb04e0302b40b08eedb46115cb1cde685d2783bc9c21d40810d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBDC2.tmp

Filesize
1KB

MD5
7e3b8b963faca0ed23d18c26aad3f7ef

SHA1
61f98de7a37d1ae649dd6666d4e6aabc1491d36e

SHA256
cd000aaf46b2d6a9ab3ee0a59fc5111cc7c3b4fd2c724a5da78eeec4787ef358

SHA512
201f3c820c417f21a8a24cd79b1ae5fd6fbed853608b070408e60ad2438699375a35484c9db1f2b36c88896046899dd8883d016671b901c580db88007de95f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZI9TpMxUin.bat

Filesize
170B

MD5
18553c149aed3d83a59ffdf1a74b1e45

SHA1
425e1107b6782f3251ca106a6d5ebfb62ca20334

SHA256
620c41264059b8d5a40c79ae848676561c22c7cfafe4bf618ece419532853e94

SHA512
b1bee42a4adb8582541cdbecac4d7df608ce99592eab6ecdbfc7e54d34cbd10167c05d055149dd8508355921d8cd1bb2ccf8f21b41a2140f31eb610b78b16917

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZxWzsCgC4b.bat

Filesize
218B

MD5
94cc9de10715db77da9e7bf2b9dbad24

SHA1
30c0f8e3d44849cff9fa49cb71099aa4b151d470

SHA256
02a9cccd15e6ffa42d41bd50cc96ef25ffc7b21f2c97095c552cf77394bf2737

SHA512
3255b0ae620bc49767f5306894c23024e8bedb043c4e012e8cbdf3975d876768f244e33d2ec94f288f20dd576a037c1f2d2a3fd62c44073ade4b8bf9ad861306

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1hadjn2.0g4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bXTKNuQ4NL.bat

Filesize
170B

MD5
f2f962552f19d7857c1e9415c285b863

SHA1
c5525b0a738cce81bc9dac7d0ed661090a7055eb

SHA256
b3f8337c44134db3826c3ded01d5f6ebc05aebe6b41a5f3a3a721e188c2911ba

SHA512
ae34f98dbe333becbe6890ceb0a2152a12ef4f5b4eeb06533ba3e8a4e320ace4a6d7e80e3cc4026926cf36d72e777a8d43ac4bf0130dbb40a8cab4172be7e978

Download Submit
C:\Users\Admin\AppData\Local\Temp\g9fdK0eS1C.bat

Filesize
218B

MD5
1a98f58616231b045450a79e07321827

SHA1
4a9fe872915dfc8723acc4cb74e841dea1d5e96d

SHA256
77596a8283c031a9fede38765621f1d69931a745f71a80ca867940144d78c86e

SHA512
aa88f6a7a8e7fb038733bcc6802e8db65973abe55c6e24127ef73069afa837df516aa8024231e85b57d727262721de4d9483ecd488399325dac93d57a5accdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2sGrcN1Zw.bat

Filesize
218B

MD5
245435dd2f22e3fa80ca4f8bc59460c8

SHA1
d0798a2287b0ca2c7aa757eef9c372a0b732f99b

SHA256
0d7b3525690348f0be79ddac712b7ca05fc4b1f0bb709bd35d748624ee0c9161

SHA512
882e5c761eafdd0f5e9efc3a61e6dbc3d4cdecf2628facea2c858c52c512c8cbb290b995ac15a8e5d666983914f19dcb00145c7ce2fc96ba6a4cb88f810e0999

Download Submit
C:\Users\Admin\AppData\Local\Temp\kWWWq8Mjwm.bat

Filesize
170B

MD5
f2635def5a78048cb18831940ae61c0e

SHA1
fdf5da10d22ef0f4cdcafeeee173e5c09449d253

SHA256
a12084012ad4f7d321e040881c73e173ac181306c2d829bcc933a51937f4beb4

SHA512
ab72376d1d6ebe3426b79a64191176a65c0942360d7223468b1c8621834ae65d61af0ba79c73025b616dc899091b0d36d83cdfe9b19cec2e25e66baf697ecb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\qTmai1Dpby.bat

Filesize
218B

MD5
541c24c3f92df878b50275f6fe0a6af1

SHA1
a512a716609408b878d458fabe42ea4afdaa9b12

SHA256
a1311afe419aceeca5a520260362a3bbfe0bf06bb001b0e61200a267cf7abbef

SHA512
6ab4c73f1b2da7de84c28b6caf56c9cd9916449d268614e244794860a11266938f0f212a936d2bda3e891ffd4137123451f01b2dfc4e4a31542fd2cc616c7627

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxRqhXCXyo.bat

Filesize
170B

MD5
905a6b765d312850ff92904eb88a5e9f

SHA1
8c76f046ae0c2d3605de8aecd6a22dbe58018e3e

SHA256
cf004d3c1c0d78886041dc587716f8c6079b647575b4d06e0b33855b4be70acf

SHA512
78eabc3360e0bdffd53c4219e7b58921411567bfc9f9f281a276b87bcd4d15e4daa8d26ac9d887623343dcaa0115da93db11c4b38c9da0d13f56f5707402d3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat

Filesize
170B

MD5
3c95f5f45c1b1ff101155a707fbe5f05

SHA1
e23a970b54db308610be2b60e7bab98408c51e4b

SHA256
e34f74984ed4013c85f375c57dffb51e28371ced101c434f2589e3c2484aa340

SHA512
a1195655aec3f61fb7882cbc8f6fab6bed86187813e2ca6d917f684e451fe294a8ca20407968294a872c92682759f5553f872527deb1575e450aac20dd248d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat

Filesize
170B

MD5
c888749a332f5f95ac9537d106ee5ac6

SHA1
f76abbde5a9ce3541de8361345acd40e4ff7b275

SHA256
707a0f13d3e360a0aa9f7a11259dbce92d969cf86b4f952745ec7c6584998646

SHA512
9d2776df40a1206af46aaa3d11fc5b874f3af12029335d2fec42b88cfc1819e7bc57af9cb42a514ea30a0cab43ddf100767005a7a6de3383bfd12c556cb42787

Download Submit
C:\Users\Admin\AppData\Local\Temp\wevF9pB6YZ.bat

Filesize
218B

MD5
c16cccb2996523919eda79c5736e8721

SHA1
89a06bfaad534839ff972a387a9f31dd92bfb8b9

SHA256
7be011ab7a52092f4fea08d64adb907990c40fd24ced8ca687a6c3f65e24350a

SHA512
25df26a766ca8332cd6ed2788067111bd6edf0cc1aca619fa98c8e42c4e720edd5607e3c6d0e90e907cf6d373bc5a9da8fe573279ee910bddcb4fae383b24fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat

Filesize
218B

MD5
f5b66985cdacc1f2dc0508ca9b9fb42f

SHA1
7f9dcbe5d67888ca56e32e457531dbbd622a02f4

SHA256
29ec56ee464b50134355cd38e39464894956b2d6101966493bd0645d5bbc5d6b

SHA512
56958140d3419b02067a28b7e0708d47ff6dfe720a016bc6bbeac23bb2b1bfad9b88b983e3938b84293e61a712fcc82a5be3bfdb647afc38e9b4042d9c9bddb6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjll1bt5\wjll1bt5.0.cs

Filesize
366B

MD5
c95112013e1ae4d17959c5aaa1ad8d3c

SHA1
a89f3f4a038d95039ce7bd5681ec9972ed9023f0

SHA256
a999d687cd7cf38f2bccd93061240bca48e594a5f7f3f77e5a6b9507dd5b642d

SHA512
f208d887f2d78e8ab9f676b2dd18ef6e4f654912f284a1b424f6abc4a92661fd0c61067655acd781f85546c5b15f7d34c5cecca8c01c47e878e22c379b827501

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjll1bt5\wjll1bt5.cmdline

Filesize
235B

MD5
c65f7c44835add17f299a8ebbe6627d3

SHA1
6669378ac177d8cc84a7410077428c2718110030

SHA256
2e346a7fe35738697d2534af06cbca2038f5fd0510c0094baf5341bf4400325f

SHA512
faad473bffe447b60ddf36eaa373a23e8fa9c6087d64dbdd1911a87e51ea6657015d9eda0e6639268838f8bd6136075551836adeb30ed35fb90da616422af042

Download Submit
\??\c:\Windows\System32\CSC2553FB0FF0C447308D2424526AA97CD.TMP

Filesize
1KB

MD5
75e32610d8ef6143201c7c28465fcda9

SHA1
b2bae99fade2dda07aecbe1659d184be0fc4e7a6

SHA256
97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

SHA512
b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Download Submit
memory/1640-160-0x000000001B930000-0x000000001BA32000-memory.dmp

Filesize
1.0MB

Download
memory/2228-215-0x000000001B590000-0x000000001B692000-memory.dmp

Filesize
1.0MB

Download
memory/3172-15-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-6-0x0000000000B20000-0x0000000000B2E000-memory.dmp

Filesize
56KB

Download
memory/3172-57-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-31-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-28-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-1-0x0000000000080000-0x000000000025A000-memory.dmp

Filesize
1.9MB

Download
memory/3172-25-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-2-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-0-0x00007FF9184C3000-0x00007FF9184C5000-memory.dmp

Filesize
8KB

Download
memory/3172-3-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-14-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/3172-4-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-12-0x00000000024B0000-0x00000000024C8000-memory.dmp

Filesize
96KB

Download
memory/3172-10-0x000000001B270000-0x000000001B2C0000-memory.dmp

Filesize
320KB

Download
memory/3172-9-0x0000000002490000-0x00000000024AC000-memory.dmp

Filesize
112KB

Download
memory/3172-7-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3220-193-0x000000001B600000-0x000000001B702000-memory.dmp

Filesize
1.0MB

Download
memory/3944-204-0x000000001B890000-0x000000001B992000-memory.dmp

Filesize
1.0MB

Download
memory/4560-182-0x000000001B2F0000-0x000000001B3F2000-memory.dmp

Filesize
1.0MB

Download
memory/5036-171-0x000000001C130000-0x000000001C232000-memory.dmp

Filesize
1.0MB

Download
memory/5044-56-0x00000159FF0F0000-0x00000159FF112000-memory.dmp

Filesize
136KB

Download