dcrat | 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Size

827KB
MD5

c847a23633e81d799fba45bde7cc9951
SHA1

090035126cabb2fb574175c271097042025202de
SHA256

18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c
SHA512

6b057e15133fe58bc1d105a90b761d2f3558e8a8d3a901d9892905dd75f6be569a4bff4a02d919623305c4d524d96b7f902ef3dded6782cc237b1a47807f34bb
SSDEEP

12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\OfficeClickToRun.exe\", \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\OfficeClickToRun.exe\", \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\assembly\\RuntimeBroker.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\OfficeClickToRun.exe\", \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\assembly\\RuntimeBroker.exe\", \"C:\\Windows\\SoftwareDistribution\\PostRebootEventCache.V2\\System.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\OfficeClickToRun.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\OfficeClickToRun.exe\", \"C:\\Windows\\assembly\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\OfficeClickToRun.exe\", \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\OfficeClickToRun.exe\", \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\assembly\\RuntimeBroker.exe\", \"C:\\Windows\\SoftwareDistribution\\PostRebootEventCache.V2\\System.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1476	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	1476	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3900-1-0x0000000000840000-0x0000000000916000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b85-11.dat	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 14 IoCs

pid	Process
2900	OfficeClickToRun.exe
2420	OfficeClickToRun.exe
3672	OfficeClickToRun.exe
3956	OfficeClickToRun.exe
1160	OfficeClickToRun.exe
3916	OfficeClickToRun.exe
1580	OfficeClickToRun.exe
3984	OfficeClickToRun.exe
5100	OfficeClickToRun.exe
4912	OfficeClickToRun.exe
4940	OfficeClickToRun.exe
32	OfficeClickToRun.exe
1044	OfficeClickToRun.exe
4420	OfficeClickToRun.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\SearchApp.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\SearchApp.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\assembly\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\assembly\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\assembly\\RuntimeBroker.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\SoftwareDistribution\\PostRebootEventCache.V2\\System.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Documents\\My Pictures\\unsecapp.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\SearchApp.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\assembly\\RuntimeBroker.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\SoftwareDistribution\\PostRebootEventCache.V2\\System.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\OfficeClickToRun.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\OfficeClickToRun.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
54	pastebin.com
58	pastebin.com
59	pastebin.com
15	pastebin.com
41	pastebin.com
42	pastebin.com
46	pastebin.com
56	pastebin.com
16	pastebin.com
47	pastebin.com
55	pastebin.com
57	pastebin.com
60	pastebin.com
29	pastebin.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\5940a34987c991	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\SearchApp.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\38384e6a620884	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\e6c9b481da804f	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\27d1bcfc3c54e0	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\assembly\csrss.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\assembly\886983d96e3d3e	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\assembly\RuntimeBroker.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\assembly\9e8d7a4ca61bd9	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4628	schtasks.exe
5092	schtasks.exe
3744	schtasks.exe
564	schtasks.exe
3812	schtasks.exe
5000	schtasks.exe
1940	schtasks.exe
5004	schtasks.exe
3740	schtasks.exe
4624	schtasks.exe
4796	schtasks.exe
2660	schtasks.exe
4160	schtasks.exe
4644	schtasks.exe
3420	schtasks.exe
3596	schtasks.exe
2116	schtasks.exe
4464	schtasks.exe
3560	schtasks.exe
4976	schtasks.exe
3528	schtasks.exe
3628	schtasks.exe
2764	schtasks.exe
2644	schtasks.exe
2600	schtasks.exe
4732	schtasks.exe
4204	schtasks.exe
1964	schtasks.exe
1848	schtasks.exe
2288	schtasks.exe
4968	schtasks.exe
4612	schtasks.exe
2768	schtasks.exe
3096	schtasks.exe
32	schtasks.exe
4828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2900	OfficeClickToRun.exe
2420	OfficeClickToRun.exe
3672	OfficeClickToRun.exe
3956	OfficeClickToRun.exe
1160	OfficeClickToRun.exe
3916	OfficeClickToRun.exe
1580	OfficeClickToRun.exe
3984	OfficeClickToRun.exe
5100	OfficeClickToRun.exe
4912	OfficeClickToRun.exe
4940	OfficeClickToRun.exe
32	OfficeClickToRun.exe
1044	OfficeClickToRun.exe
4420	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Token: SeDebugPrivilege	2900	OfficeClickToRun.exe
Token: SeDebugPrivilege	2420	OfficeClickToRun.exe
Token: SeDebugPrivilege	3672	OfficeClickToRun.exe
Token: SeDebugPrivilege	3956	OfficeClickToRun.exe
Token: SeDebugPrivilege	1160	OfficeClickToRun.exe
Token: SeDebugPrivilege	3916	OfficeClickToRun.exe
Token: SeDebugPrivilege	1580	OfficeClickToRun.exe
Token: SeDebugPrivilege	3984	OfficeClickToRun.exe
Token: SeDebugPrivilege	5100	OfficeClickToRun.exe
Token: SeDebugPrivilege	4912	OfficeClickToRun.exe
Token: SeDebugPrivilege	4940	OfficeClickToRun.exe
Token: SeDebugPrivilege	32	OfficeClickToRun.exe
Token: SeDebugPrivilege	1044	OfficeClickToRun.exe
Token: SeDebugPrivilege	4420	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 2900	3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	120
PID 3900 wrote to memory of 2900	3900	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	120
PID 2900 wrote to memory of 4536	2900	OfficeClickToRun.exe	123
PID 2900 wrote to memory of 4536	2900	OfficeClickToRun.exe	123
PID 4536 wrote to memory of 4528	4536	cmd.exe	125
PID 4536 wrote to memory of 4528	4536	cmd.exe	125
PID 4536 wrote to memory of 2420	4536	cmd.exe	132
PID 4536 wrote to memory of 2420	4536	cmd.exe	132
PID 2420 wrote to memory of 3824	2420	OfficeClickToRun.exe	138
PID 2420 wrote to memory of 3824	2420	OfficeClickToRun.exe	138
PID 3824 wrote to memory of 4920	3824	cmd.exe	141
PID 3824 wrote to memory of 4920	3824	cmd.exe	141
PID 3824 wrote to memory of 3672	3824	cmd.exe	143
PID 3824 wrote to memory of 3672	3824	cmd.exe	143
PID 3672 wrote to memory of 3900	3672	OfficeClickToRun.exe	147
PID 3672 wrote to memory of 3900	3672	OfficeClickToRun.exe	147
PID 3900 wrote to memory of 3280	3900	cmd.exe	149
PID 3900 wrote to memory of 3280	3900	cmd.exe	149
PID 3900 wrote to memory of 3956	3900	cmd.exe	152
PID 3900 wrote to memory of 3956	3900	cmd.exe	152
PID 3956 wrote to memory of 1616	3956	OfficeClickToRun.exe	154
PID 3956 wrote to memory of 1616	3956	OfficeClickToRun.exe	154
PID 1616 wrote to memory of 2480	1616	cmd.exe	156
PID 1616 wrote to memory of 2480	1616	cmd.exe	156
PID 1616 wrote to memory of 1160	1616	cmd.exe	158
PID 1616 wrote to memory of 1160	1616	cmd.exe	158
PID 1160 wrote to memory of 4924	1160	OfficeClickToRun.exe	160
PID 1160 wrote to memory of 4924	1160	OfficeClickToRun.exe	160
PID 4924 wrote to memory of 1480	4924	cmd.exe	162
PID 4924 wrote to memory of 1480	4924	cmd.exe	162
PID 4924 wrote to memory of 3916	4924	cmd.exe	164
PID 4924 wrote to memory of 3916	4924	cmd.exe	164
PID 3916 wrote to memory of 3192	3916	OfficeClickToRun.exe	167
PID 3916 wrote to memory of 3192	3916	OfficeClickToRun.exe	167
PID 3192 wrote to memory of 1552	3192	cmd.exe	169
PID 3192 wrote to memory of 1552	3192	cmd.exe	169
PID 3192 wrote to memory of 1580	3192	cmd.exe	171
PID 3192 wrote to memory of 1580	3192	cmd.exe	171
PID 1580 wrote to memory of 3256	1580	OfficeClickToRun.exe	173
PID 1580 wrote to memory of 3256	1580	OfficeClickToRun.exe	173
PID 3256 wrote to memory of 408	3256	cmd.exe	175
PID 3256 wrote to memory of 408	3256	cmd.exe	175
PID 3256 wrote to memory of 3984	3256	cmd.exe	177
PID 3256 wrote to memory of 3984	3256	cmd.exe	177
PID 3984 wrote to memory of 4048	3984	OfficeClickToRun.exe	179
PID 3984 wrote to memory of 4048	3984	OfficeClickToRun.exe	179
PID 4048 wrote to memory of 4976	4048	cmd.exe	181
PID 4048 wrote to memory of 4976	4048	cmd.exe	181
PID 4048 wrote to memory of 5100	4048	cmd.exe	183
PID 4048 wrote to memory of 5100	4048	cmd.exe	183
PID 5100 wrote to memory of 3692	5100	OfficeClickToRun.exe	185
PID 5100 wrote to memory of 3692	5100	OfficeClickToRun.exe	185
PID 3692 wrote to memory of 4916	3692	cmd.exe	187
PID 3692 wrote to memory of 4916	3692	cmd.exe	187
PID 3692 wrote to memory of 4912	3692	cmd.exe	189
PID 3692 wrote to memory of 4912	3692	cmd.exe	189
PID 4912 wrote to memory of 4268	4912	OfficeClickToRun.exe	191
PID 4912 wrote to memory of 4268	4912	OfficeClickToRun.exe	191
PID 4268 wrote to memory of 2228	4268	cmd.exe	193
PID 4268 wrote to memory of 2228	4268	cmd.exe	193
PID 4268 wrote to memory of 4940	4268	cmd.exe	195
PID 4268 wrote to memory of 4940	4268	cmd.exe	195
PID 4940 wrote to memory of 3520	4940	OfficeClickToRun.exe	197
PID 4940 wrote to memory of 3520	4940	OfficeClickToRun.exe	197

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
"C:\Users\Admin\AppData\Local\Temp\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
  "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:4528
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4920
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3280
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2480
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1480
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1552
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:408
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4976
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4916
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2228
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        23⤵
        
        PID:3520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4008
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:32
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
        25⤵
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4480
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
        27⤵
        
        PID:4732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:208
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"
        29⤵
        
        PID:4864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Pictures\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\assembly\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\SearchApp.exe

Filesize
827KB

MD5
c847a23633e81d799fba45bde7cc9951

SHA1
090035126cabb2fb574175c271097042025202de

SHA256
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c

SHA512
6b057e15133fe58bc1d105a90b761d2f3558e8a8d3a901d9892905dd75f6be569a4bff4a02d919623305c4d524d96b7f902ef3dded6782cc237b1a47807f34bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat

Filesize
243B

MD5
00b1fde2d79eea7d012a6682d2c11540

SHA1
e7d99c190601be496b4b9e31203b985dc11f204b

SHA256
528d479826e4685f8a6f2d534d7d8af0efd5916bc85297000747888183d24156

SHA512
893a2cf0daa57f76d8683d23cff65c280c90b7c43e46ce9fe1d1dc1a3c91d75faba6f4939c5c280ddb301bff3e315909e88539e88c5e8bb4d5999b683be5cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat

Filesize
243B

MD5
94b27432548ab16be633606d0a64e5ff

SHA1
cf54deab26c4d9e95e65e139cc5b4c2cae157eef

SHA256
c25fe5956c25a86a16ebcfc497f0d3cc304e9f959520ea266b49ff57fb446128

SHA512
602946c5dc8d6d898a1cfbb4383b22805962d749a6f45eed5964b203d0d2487088c9de26992c3e70aba4e6a3b376deecb6f397f45fcabcff749f593c4952a88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat

Filesize
243B

MD5
7d78a1830e537d784d214a337e506c3a

SHA1
7c17014b096bdc011755358026c01305439f5c70

SHA256
c8a61d1a8b6242e62ae1257478b5a828cde3c1f410cccda83f95966293a0cbfd

SHA512
d06805b8a0fbf63cd82143e85ac786bb56edc3db7063cecf0847d75c0ca76f977edc0985cbcc8997f4b6496ce0a8f6103f00fda8fea524bb11b78f256be153b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat

Filesize
243B

MD5
95bfc76f47cf7410e8cd7eb8af9f99c8

SHA1
e48ec7c15b048595f1aceeba86428a8c325fdc01

SHA256
249ca59429e6188cb971e5ca7cfe0579d4fc37189c38b9f0a9955614cd29cb8a

SHA512
d7637d2453ecda154b5ec204d4c0cc038cee949ef458a23098d466a9afa9c7f7b4085292640248571545d93cfa374067b3c1418738ca8af5eec8cb64a90dd111

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

Filesize
243B

MD5
83debbf15b17a1eb3ef3461edc109ad9

SHA1
7319d008288865c455135ef2984249094ba5403c

SHA256
49dc9591713d6e1fc34f0ec260c4e0e7eecda66218a301da928dd55c6f1af085

SHA512
b73c355a287972fc8ae0ea3fbba724813fda1f996b9f5434678ebf37a1cd59f8a1aef263c88edafbdf45cf99e4f5940f98a68a0d960115f16637af6468529d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

Filesize
243B

MD5
849ae17c9040fd57c640fa2e22695b6e

SHA1
0bfcc53cb4e4b994bc0c835f91a2f730a09208b4

SHA256
986c246f992696ef2e09b5c71ceefb67f39d170d3a5f17f5e1b501cf2f9fe3e9

SHA512
9822bce51fbb9d05d661c3ba7a0b3a708d0aa957ce19b8a15c1f0ec1ab78ec33f32fbb5ab9ff4d725081356aeea44c34cf39919125a882b7c1ef75d5e34e6178

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
243B

MD5
d794cae1de4f43e3221aa8f5f80536bb

SHA1
58dec88eff54a1932e7d29106ad6eacf41a8a3c3

SHA256
5ffc8d2893e4c4eb8de0a4f18908836fc0627d37829499e4925cf3dd88a10d41

SHA512
892274c35642b06ba8ae85f8da90fba3b6c2c99f26841793f33953f327cdf7981fcd8aa9eff058cf276cc3fdec241c4c85aadfcbacc9643040756dcc5852f29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

Filesize
243B

MD5
a536a8e7d549a9daed98d36125e2ee18

SHA1
45452783421ccad5f755603c468492b48350772b

SHA256
5fce87b0a77521ff916fb3cf59c167278841f416c3511e567549e9ceb4a24301

SHA512
dab2606978d5b66378b39ed97c0c6a8470c3e4afdf60d8f987992206c805143d61bfffac657fc8e24cea09a601aec1000012ecdb19af04458447b8b472be4f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat

Filesize
243B

MD5
89334871a3533e9a5d934b5ee4755450

SHA1
971af906160d9379f914f6a261ef4f21793d8b86

SHA256
05a3efa7ca9f8ec74a252793f95e13e917e94ead9a9f4e0359ebb6c3e16a36f4

SHA512
e7980271e3299b7c959ab6aaacd6d45a6d40405032da62bd9e75c0fcee6f3d54240aff28b968cbd911132077016f62c7326fe1e3452577eeba3eb2595c50961c

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat

Filesize
243B

MD5
9a36f9a5e6b1768418064a5610ad3a58

SHA1
3c5fb48cc866177d6b073836359bf8c1c3cbcecc

SHA256
43245e9598785c628f274d16a42ad09efe060dd80537337663585ef9a5c9879a

SHA512
45f56458033fd0bab167ce30c03891ee8dd2754e4304d7bade2b9892b48b411c2626880ece35a847fd818d5d06e2ac5027de13f652e0500c352a0858d8c05188

Download Submit
C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

Filesize
243B

MD5
57825f108af65f4afcf3517e02fb154b

SHA1
e2f3e93094cf0b2ec32ae951e2223da8561f8377

SHA256
bb73551a4e6286dd7856fb5a71e0c945f6ba18774b4c5129406cfb47673d4859

SHA512
3a6912f30ceab988c168a1b372ff693d4f896e04e8cb0b64107a887001e18891bbc1b8bb55c75aff3fbe66168b3e71be0e9342370386099d8e4a91cbc309ce85

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat

Filesize
243B

MD5
f937464d41ff688dc0500cab5d6fd4c9

SHA1
67fa3cbf4e5e942722a99c87227f04f7858436cd

SHA256
c9b6726d2bb08723122ba33f77fbf5fa3a300c1c6c095e10ed88cfe0e257bb13

SHA512
e583cb06a811b3f293f54753dd6df39237789521b6c6310a2d52ecf6de85255490e9fd1c0aedcd2b337f3632836e7abce83338d79aa468973142b2fd81d35bae

Download Submit
memory/3900-0-0x00007FFB290C3000-0x00007FFB290C5000-memory.dmp

Filesize
8KB

Download
memory/3900-38-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

Filesize
10.8MB

Download
memory/3900-4-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

Filesize
10.8MB

Download
memory/3900-1-0x0000000000840000-0x0000000000916000-memory.dmp

Filesize
856KB

Download