dcrat | 6769f3dcde3cc9f6fb8fd1fb6a37b52221ef79b97d5d4002c44308da7a24b144

Analysis

max time kernel
894s
max time network
897s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-12-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan Alpha/start.exe
Size

2.3MB
MD5

c473326baa0562bc1081ac3fff5fadab
SHA1

79ae481230a4aeb89232b60bb015c7f376cd70d7
SHA256

66058290e904b349c68a65b6deac3875acf5c9b618bd31756f1a9cbde2cfb83b
SHA512

f822532e90006b0e69305a93e01512185a1a367ebb734e8b8c443efb716abe1d4460f246b70b32e7e18c8fc6aa7db85ec039d59773305e8061375b0634351ff5
SSDEEP

49152:IBJPbv4/KHiciethGCUA1TJeUCMkiOT3eY1CKzuJtGvAAzT:yNbv4/BUVb5JLChiAu1evAoT

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\MoUsoCoreWorker.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\jre\\legal\\dllhost.exe\", \"C:\\chainBlocksurrogatewin\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\lsass.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\MoUsoCoreWorker.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\jre\\legal\\dllhost.exe\", \"C:\\chainBlocksurrogatewin\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\lsass.exe\", \"C:\\chainBlocksurrogatewin\\Comcontainerdriver.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\MoUsoCoreWorker.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\MoUsoCoreWorker.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\jre\\legal\\dllhost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\MoUsoCoreWorker.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\jre\\legal\\dllhost.exe\", \"C:\\chainBlocksurrogatewin\\dwm.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\MoUsoCoreWorker.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\jre\\legal\\dllhost.exe\", \"C:\\chainBlocksurrogatewin\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	Comcontainerdriver.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	1012	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	1012	schtasks.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1288	powershell.exe
4604	powershell.exe
236	powershell.exe
632	powershell.exe
2280	powershell.exe
4408	powershell.exe

Checks computer location settings 2 TTPs 44 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Comcontainerdriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	start.exe

Executes dropped EXE 51 IoCs

pid	Process
5036	Comcontainerdriver.exe
4120	OfficeClickToRun.exe
1280	OfficeClickToRun.exe
4960	OfficeClickToRun.exe
3736	OfficeClickToRun.exe
4972	OfficeClickToRun.exe
3224	OfficeClickToRun.exe
2052	OfficeClickToRun.exe
4644	OfficeClickToRun.exe
1312	OfficeClickToRun.exe
4392	OfficeClickToRun.exe
3288	OfficeClickToRun.exe
3776	OfficeClickToRun.exe
4592	OfficeClickToRun.exe
3352	OfficeClickToRun.exe
1312	OfficeClickToRun.exe
4596	OfficeClickToRun.exe
3444	OfficeClickToRun.exe
3712	OfficeClickToRun.exe
416	OfficeClickToRun.exe
4328	OfficeClickToRun.exe
2188	OfficeClickToRun.exe
2236	OfficeClickToRun.exe
2824	OfficeClickToRun.exe
3128	OfficeClickToRun.exe
4264	OfficeClickToRun.exe
1044	OfficeClickToRun.exe
4788	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2472	OfficeClickToRun.exe
3332	OfficeClickToRun.exe
1896	OfficeClickToRun.exe
4348	OfficeClickToRun.exe
1772	OfficeClickToRun.exe
1324	MoUsoCoreWorker.exe
3544	OfficeClickToRun.exe
3736	MoUsoCoreWorker.exe
3088	dllhost.exe
1168	lsass.exe
2852	dllhost.exe
4396	MoUsoCoreWorker.exe
1628	dwm.exe
4208	OfficeClickToRun.exe
416	Comcontainerdriver.exe
1968	MoUsoCoreWorker.exe
4340	dllhost.exe
4748	lsass.exe
2304	dllhost.exe
4200	dllhost.exe
4884	dllhost.exe
3048	dllhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Java\\jdk-1.8\\jre\\legal\\dllhost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Java\\jdk-1.8\\jre\\legal\\dllhost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Java\\jre-1.8\\legal\\lsass.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Comcontainerdriver = "\"C:\\chainBlocksurrogatewin\\Comcontainerdriver.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Comcontainerdriver = "\"C:\\chainBlocksurrogatewin\\Comcontainerdriver.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Recovery\\OEM\\MoUsoCoreWorker.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Recovery\\OEM\\MoUsoCoreWorker.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\chainBlocksurrogatewin\\dwm.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\chainBlocksurrogatewin\\dwm.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Java\\jre-1.8\\legal\\lsass.exe\""	Comcontainerdriver.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ipinfo.io
34	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC7908460A3C0C4410A21AF1D56AFE54B.TMP	csc.exe
File created	\??\c:\Windows\System32\pimzod.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\legal\lsass.exe	Comcontainerdriver.exe
File created	C:\Program Files\Java\jre-1.8\legal\6203df4a6bafc7	Comcontainerdriver.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe	Comcontainerdriver.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\5940a34987c991	Comcontainerdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 22 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3720	PING.EXE
4108	PING.EXE
4996	PING.EXE
4708	PING.EXE
1752	PING.EXE
1160	PING.EXE
3272	PING.EXE
3352	PING.EXE
2072	PING.EXE
2996	PING.EXE
2668	PING.EXE
408	PING.EXE
3172	PING.EXE
2928	PING.EXE
3644	PING.EXE
2352	PING.EXE
2052	PING.EXE
3600	PING.EXE
4348	PING.EXE
4468	PING.EXE
852	PING.EXE
2500	PING.EXE

Modifies registry class 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	Comcontainerdriver.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	start.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	OfficeClickToRun.exe

Runs ping.exe 1 TTPs 22 IoCs

Remote System Discovery

T1018

pid	Process
2352	PING.EXE
3352	PING.EXE
2072	PING.EXE
3172	PING.EXE
2996	PING.EXE
4708	PING.EXE
1752	PING.EXE
1160	PING.EXE
3720	PING.EXE
3272	PING.EXE
2668	PING.EXE
2052	PING.EXE
3600	PING.EXE
4996	PING.EXE
4348	PING.EXE
4468	PING.EXE
2928	PING.EXE
4108	PING.EXE
408	PING.EXE
2500	PING.EXE
852	PING.EXE
3644	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1612	schtasks.exe
3948	schtasks.exe
4956	schtasks.exe
1520	schtasks.exe
4420	schtasks.exe
1980	schtasks.exe
4984	schtasks.exe
3644	schtasks.exe
2776	schtasks.exe
1664	schtasks.exe
3024	schtasks.exe
3860	schtasks.exe
748	schtasks.exe
4104	schtasks.exe
1784	schtasks.exe
1588	schtasks.exe
1896	schtasks.exe
5096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe
5036	Comcontainerdriver.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	Comcontainerdriver.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeIncreaseQuotaPrivilege	632	powershell.exe
Token: SeSecurityPrivilege	632	powershell.exe
Token: SeTakeOwnershipPrivilege	632	powershell.exe
Token: SeLoadDriverPrivilege	632	powershell.exe
Token: SeSystemProfilePrivilege	632	powershell.exe
Token: SeSystemtimePrivilege	632	powershell.exe
Token: SeProfSingleProcessPrivilege	632	powershell.exe
Token: SeIncBasePriorityPrivilege	632	powershell.exe
Token: SeCreatePagefilePrivilege	632	powershell.exe
Token: SeBackupPrivilege	632	powershell.exe
Token: SeRestorePrivilege	632	powershell.exe
Token: SeShutdownPrivilege	632	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeSystemEnvironmentPrivilege	632	powershell.exe
Token: SeRemoteShutdownPrivilege	632	powershell.exe
Token: SeUndockPrivilege	632	powershell.exe
Token: SeManageVolumePrivilege	632	powershell.exe
Token: 33	632	powershell.exe
Token: 34	632	powershell.exe
Token: 35	632	powershell.exe
Token: 36	632	powershell.exe
Token: SeIncreaseQuotaPrivilege	4408	powershell.exe
Token: SeSecurityPrivilege	4408	powershell.exe
Token: SeTakeOwnershipPrivilege	4408	powershell.exe
Token: SeLoadDriverPrivilege	4408	powershell.exe
Token: SeSystemProfilePrivilege	4408	powershell.exe
Token: SeSystemtimePrivilege	4408	powershell.exe
Token: SeProfSingleProcessPrivilege	4408	powershell.exe
Token: SeIncBasePriorityPrivilege	4408	powershell.exe
Token: SeCreatePagefilePrivilege	4408	powershell.exe
Token: SeBackupPrivilege	4408	powershell.exe
Token: SeRestorePrivilege	4408	powershell.exe
Token: SeShutdownPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeSystemEnvironmentPrivilege	4408	powershell.exe
Token: SeRemoteShutdownPrivilege	4408	powershell.exe
Token: SeUndockPrivilege	4408	powershell.exe
Token: SeManageVolumePrivilege	4408	powershell.exe
Token: 33	4408	powershell.exe
Token: 34	4408	powershell.exe
Token: 35	4408	powershell.exe
Token: 36	4408	powershell.exe
Token: SeIncreaseQuotaPrivilege	236	powershell.exe
Token: SeSecurityPrivilege	236	powershell.exe
Token: SeTakeOwnershipPrivilege	236	powershell.exe
Token: SeLoadDriverPrivilege	236	powershell.exe
Token: SeSystemProfilePrivilege	236	powershell.exe
Token: SeSystemtimePrivilege	236	powershell.exe
Token: SeProfSingleProcessPrivilege	236	powershell.exe
Token: SeIncBasePriorityPrivilege	236	powershell.exe
Token: SeCreatePagefilePrivilege	236	powershell.exe
Token: SeBackupPrivilege	236	powershell.exe
Token: SeRestorePrivilege	236	powershell.exe
Token: SeShutdownPrivilege	236	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeSystemEnvironmentPrivilege	236	powershell.exe
Token: SeRemoteShutdownPrivilege	236	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 3284	388	start.exe	83
PID 388 wrote to memory of 3284	388	start.exe	83
PID 388 wrote to memory of 3284	388	start.exe	83
PID 3284 wrote to memory of 1628	3284	WScript.exe	92
PID 3284 wrote to memory of 1628	3284	WScript.exe	92
PID 3284 wrote to memory of 1628	3284	WScript.exe	92
PID 1628 wrote to memory of 5036	1628	cmd.exe	94
PID 1628 wrote to memory of 5036	1628	cmd.exe	94
PID 5036 wrote to memory of 3696	5036	Comcontainerdriver.exe	98
PID 5036 wrote to memory of 3696	5036	Comcontainerdriver.exe	98
PID 3696 wrote to memory of 1356	3696	csc.exe	100
PID 3696 wrote to memory of 1356	3696	csc.exe	100
PID 5036 wrote to memory of 1288	5036	Comcontainerdriver.exe	116
PID 5036 wrote to memory of 1288	5036	Comcontainerdriver.exe	116
PID 5036 wrote to memory of 4408	5036	Comcontainerdriver.exe	117
PID 5036 wrote to memory of 4408	5036	Comcontainerdriver.exe	117
PID 5036 wrote to memory of 2280	5036	Comcontainerdriver.exe	118
PID 5036 wrote to memory of 2280	5036	Comcontainerdriver.exe	118
PID 5036 wrote to memory of 632	5036	Comcontainerdriver.exe	119
PID 5036 wrote to memory of 632	5036	Comcontainerdriver.exe	119
PID 5036 wrote to memory of 236	5036	Comcontainerdriver.exe	120
PID 5036 wrote to memory of 236	5036	Comcontainerdriver.exe	120
PID 5036 wrote to memory of 4604	5036	Comcontainerdriver.exe	121
PID 5036 wrote to memory of 4604	5036	Comcontainerdriver.exe	121
PID 5036 wrote to memory of 3288	5036	Comcontainerdriver.exe	128
PID 5036 wrote to memory of 3288	5036	Comcontainerdriver.exe	128
PID 3288 wrote to memory of 2068	3288	cmd.exe	130
PID 3288 wrote to memory of 2068	3288	cmd.exe	130
PID 3288 wrote to memory of 1020	3288	cmd.exe	131
PID 3288 wrote to memory of 1020	3288	cmd.exe	131
PID 3288 wrote to memory of 4120	3288	cmd.exe	133
PID 3288 wrote to memory of 4120	3288	cmd.exe	133
PID 4120 wrote to memory of 1828	4120	OfficeClickToRun.exe	134
PID 4120 wrote to memory of 1828	4120	OfficeClickToRun.exe	134
PID 1828 wrote to memory of 472	1828	cmd.exe	136
PID 1828 wrote to memory of 472	1828	cmd.exe	136
PID 1828 wrote to memory of 3272	1828	cmd.exe	137
PID 1828 wrote to memory of 3272	1828	cmd.exe	137
PID 1828 wrote to memory of 1280	1828	cmd.exe	138
PID 1828 wrote to memory of 1280	1828	cmd.exe	138
PID 1280 wrote to memory of 1568	1280	OfficeClickToRun.exe	139
PID 1280 wrote to memory of 1568	1280	OfficeClickToRun.exe	139
PID 1568 wrote to memory of 4948	1568	cmd.exe	141
PID 1568 wrote to memory of 4948	1568	cmd.exe	141
PID 1568 wrote to memory of 3560	1568	cmd.exe	142
PID 1568 wrote to memory of 3560	1568	cmd.exe	142
PID 1568 wrote to memory of 4960	1568	cmd.exe	143
PID 1568 wrote to memory of 4960	1568	cmd.exe	143
PID 4960 wrote to memory of 816	4960	OfficeClickToRun.exe	144
PID 4960 wrote to memory of 816	4960	OfficeClickToRun.exe	144
PID 816 wrote to memory of 3820	816	cmd.exe	146
PID 816 wrote to memory of 3820	816	cmd.exe	146
PID 816 wrote to memory of 3352	816	cmd.exe	147
PID 816 wrote to memory of 3352	816	cmd.exe	147
PID 816 wrote to memory of 3736	816	cmd.exe	148
PID 816 wrote to memory of 3736	816	cmd.exe	148
PID 3736 wrote to memory of 1168	3736	OfficeClickToRun.exe	149
PID 3736 wrote to memory of 1168	3736	OfficeClickToRun.exe	149
PID 1168 wrote to memory of 4468	1168	cmd.exe	151
PID 1168 wrote to memory of 4468	1168	cmd.exe	151
PID 1168 wrote to memory of 2928	1168	cmd.exe	152
PID 1168 wrote to memory of 2928	1168	cmd.exe	152
PID 1168 wrote to memory of 4972	1168	cmd.exe	153
PID 1168 wrote to memory of 4972	1168	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainBlocksurrogatewin\GQQ4ylq7g8v2sObSsphEhdaxNJcwRuTMFt5I2eiVZyEpGNyUkwbTE.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\chainBlocksurrogatewin\jadNZOaHlMDhsSca68lTCEwCwvIEx4Rlg.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\chainBlocksurrogatewin\Comcontainerdriver.exe
      "C:\chainBlocksurrogatewin/Comcontainerdriver.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\axsdawer\axsdawer.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC081.tmp" "c:\Windows\System32\CSC7908460A3C0C4410A21AF1D56AFE54B.TMP"
        6⤵
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\MoUsoCoreWorker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\chainBlocksurrogatewin\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\legal\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\chainBlocksurrogatewin\Comcontainerdriver.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J8oQlItEMs.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3288
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2068
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1020
      - C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3272
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y3JLLbydWs.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3560
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J1i0UIQhNL.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3352
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blnknsxC6d.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat"
        15⤵
        
        PID:3128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4108
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7z2CYqkT7L.bat"
        17⤵
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3612
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\02n8fxtMT9.bat"
        19⤵
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CwMiVtjst0.bat"
        21⤵
        
        PID:1448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:852
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LFX8y3PYZG.bat"
        23⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3428
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kg5VX99QjA.bat"
        25⤵
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3644
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat"
        27⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2352
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat"
        29⤵
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2052
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\euqVpFfbpH.bat"
        31⤵
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4776
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat"
        33⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3600
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\go28NrNAN1.bat"
        35⤵
        
        PID:2120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:1692
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat"
        37⤵
        
        PID:1244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:4252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2668
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat"
        39⤵
        
        PID:3440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:5012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:4856
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CwMiVtjst0.bat"
        41⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:2964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QrE9yw7ggl.bat"
        43⤵
        
        PID:1816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3172
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LFX8y3PYZG.bat"
        45⤵
        
        PID:2156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:4944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        46⤵
        
        PID:3100
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bCL7Nxg3GW.bat"
        47⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4996
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sxRqhXCXyo.bat"
        49⤵
        
        PID:1244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2996
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\euqVpFfbpH.bat"
        51⤵
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:1292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        52⤵
        
        PID:3844
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat"
        53⤵
        
        PID:816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        54⤵
        
        PID:3612
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DqZM2URRQk.bat"
        55⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:1880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4708
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8EsK2bkKJG.bat"
        57⤵
        
        PID:1208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:3956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        58⤵
        
        PID:1876
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat"
        59⤵
        
        PID:3428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:4436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        60⤵
        
        PID:1968
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DABqzejj4v.bat"
        61⤵
        
        PID:5092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        62⤵
        
        PID:2088
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5kD435lcwQ.bat"
        63⤵
        
        PID:4760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h2sGrcN1Zw.bat"
        65⤵
        
        PID:2352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:3916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        66⤵
        
        PID:4988
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3VSOeTt4rz.bat"
        67⤵
        
        PID:3720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:1188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        68⤵
        
        PID:1352
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        68⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blnknsxC6d.bat"
        69⤵
        
        PID:4432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:3692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1752
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        70⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8EsK2bkKJG.bat"
        71⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        72⤵
        
        PID:1852
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        72⤵
        Executes dropped EXE
        
        PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Recovery\OEM\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\OEM\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Recovery\OEM\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\chainBlocksurrogatewin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\chainBlocksurrogatewin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\chainBlocksurrogatewin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\legal\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\legal\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\legal\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComcontainerdriverC" /sc MINUTE /mo 7 /tr "'C:\chainBlocksurrogatewin\Comcontainerdriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comcontainerdriver" /sc ONLOGON /tr "'C:\chainBlocksurrogatewin\Comcontainerdriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComcontainerdriverC" /sc MINUTE /mo 12 /tr "'C:\chainBlocksurrogatewin\Comcontainerdriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Recovery\OEM\MoUsoCoreWorker.exe
"C:\Recovery\OEM\MoUsoCoreWorker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\riciCmDgnt.bat"
  2⤵
  PID:1648
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4480
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:700
- - C:\Recovery\OEM\MoUsoCoreWorker.exe
    "C:\Recovery\OEM\MoUsoCoreWorker.exe"
    3⤵
    - Executes dropped EXE
    PID:3736

C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe
"C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4kHW8Esv2t.bat"
  2⤵
  PID:436
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1900
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4268
- - C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe
    "C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2852

C:\Program Files\Java\jre-1.8\legal\lsass.exe
"C:\Program Files\Java\jre-1.8\legal\lsass.exe"
1⤵
- Executes dropped EXE
PID:1168

C:\Recovery\OEM\MoUsoCoreWorker.exe
"C:\Recovery\OEM\MoUsoCoreWorker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LFX8y3PYZG.bat"
  2⤵
  PID:4896
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3352
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:392
- - C:\Recovery\OEM\MoUsoCoreWorker.exe
    "C:\Recovery\OEM\MoUsoCoreWorker.exe"
    3⤵
    - Executes dropped EXE
    PID:1968

C:\chainBlocksurrogatewin\dwm.exe
"C:\chainBlocksurrogatewin\dwm.exe"
1⤵
- Executes dropped EXE
PID:1628

C:\Recovery\WindowsRE\OfficeClickToRun.exe
"C:\Recovery\WindowsRE\OfficeClickToRun.exe"
1⤵
- Executes dropped EXE
PID:4208

C:\chainBlocksurrogatewin\Comcontainerdriver.exe
"C:\chainBlocksurrogatewin\Comcontainerdriver.exe"
1⤵
- Executes dropped EXE
PID:416

C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe
"C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat"
  2⤵
  PID:4580
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4052
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1160
- - C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe
    "C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID:2304
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DqZM2URRQk.bat"
      4⤵
      PID:5004
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3424
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3720
    - - C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat"
        6⤵
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4348
        
        C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4kHW8Esv2t.bat"
        8⤵
        
        PID:3416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3960
        
        C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\dllhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat"
        10⤵
        
        PID:1372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4468

C:\Program Files\Java\jre-1.8\legal\lsass.exe
"C:\Program Files\Java\jre-1.8\legal\lsass.exe"
1⤵
- Executes dropped EXE
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
2KB

MD5
37b7d8a80014e411590a12eabd434e3f

SHA1
a5b974633e16e2d026cb0d4ac44bcceedc89a6c4

SHA256
2ed89fa4863a8e41972a29a6b55734278470e9fcf2ae95b3b0d6c66342c977a9

SHA512
8c0e3f3ceeb9e36a48c0f920d25eec09d902e19a11ca775678de9fb96e0bb678a7b0e2a5daf5569a33bb4cf80b18d77815079c4bc0517c8ab594ee7b471580ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Temp\02n8fxtMT9.bat

Filesize
170B

MD5
769d01b1cff086a160303090bc5f9d1e

SHA1
8d60f2ff95f1796a578f3f11e32c024064635501

SHA256
5274335d49b169619734da98559969e5297e16dd97a6c21098cbdfa512c8766d

SHA512
482e23b47d1d1e878514905fef756bec136e27051f531516c52b95f6daf64ada890955f8bc0353f1d785298cdff249142ca851b71f12d6ec90e95f084770d913

Download Submit
C:\Users\Admin\AppData\Local\Temp\3VSOeTt4rz.bat

Filesize
218B

MD5
e972bc6fdd887cd8ad6d842c14fac2c6

SHA1
7d04d6f3a2dc92350a29916ab3e7e52444713d5a

SHA256
5b74e3c8a2e6deb1d61efbb85f523b7bebf4e72813d232a01b6d93f883f03382

SHA512
6feb28bb34c0c1bdc74ea6c71f1324a5d8f97a013c5cec62700433af6ea8936aa153198076d882de4aa349a3d062ed5ebdf09292f0a2595bb59bbd68276da39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kHW8Esv2t.bat

Filesize
227B

MD5
5dc83af77974c2daa075456378fb6763

SHA1
80d7afe7df677ef4043eacc384556cb307ca3c65

SHA256
3261b395075fa2e77f02994daa6de7e3151f747437551bb4054ef01d18547cb0

SHA512
ed012963f572c6213d72d0a2d0a56855e20750655a30ea3fa46547b0b0d82120bbd6d9a8ce4ff1b122e76b264b3873319bb7d8efdd1031778dd856297f3c3ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\5kD435lcwQ.bat

Filesize
170B

MD5
26e885b1b6e41dc6ef5a839b403c4671

SHA1
9d525f035a9aabe60ee323971ac6fad94813e6d5

SHA256
b01ee0e8ac2eb8a6d95fdfd9069e5cfcb0eb93fb821027b5d595f1e8cc31c8b3

SHA512
40c8c7fc9641a715af2d8670903de613070540cfa7ad10920645bdc5ae5e8061e65c0ae2fc2bdea0d24a2ab5daef0d9e744a101793c4be22a8426fe8c4039d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z2CYqkT7L.bat

Filesize
218B

MD5
ad1e1ad6760525169d7ce117f5ca7190

SHA1
25ce78040bb9cb62f3a5b291ffdf3ee93f505f85

SHA256
9058f86068a9bf4845119ae2ea621db11e1597285d4afb508018bd6ee7628137

SHA512
1980ad287c0cd2423d7b09397a4e363586d93250923769459780194f92ef6b26d8ea7b26e19f516c738e1b4fada723050857b2d3eac24274619859fb67019062

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EsK2bkKJG.bat

Filesize
218B

MD5
accbb56cf054f9fa16a4f4e2240b3376

SHA1
8fab8e545e5063281c71746522e26321292ae933

SHA256
875b1347d73d4089de8a5452348f7f9a363f3320c37485486dcc6e6aafe85d05

SHA512
974ad83c6a212a1b48f25f54698f25b6a7d85fd7fb1e55e73370d8f3088f73ddf75dc10127db27538a0d6a1eb94f196c4aee5b2a2b98a67eaf76aeccbedd11b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwMiVtjst0.bat

Filesize
170B

MD5
d0239733c11bd0ecbdafe8190404fd17

SHA1
759f771c3cbe1e739720392a48eefc0725902051

SHA256
6425feef4fa89f04cb4622525f506632679e19a7483be6f8309754252f554d85

SHA512
d7e6e562971781a5a76665b22f610c23f7a6dfc281e99b548f6778adf5076ab063804c90111bc13f6406d59b790ff3d8b6bb38eea2e9b6cd85effe763b20e649

Download Submit
C:\Users\Admin\AppData\Local\Temp\DABqzejj4v.bat

Filesize
218B

MD5
873b5511ed58f2bff8273e775fd9319e

SHA1
5d06ea01887f120d90bf92220aa17be3459954c4

SHA256
58caeb159b394f08ed293f77ef8104279cbbe255464e0095cd83b35c8011cbb4

SHA512
d52d27862adf0451f064b0a1169874c2b26bc99a6e308827afeffe37604e509c2f337fb8eadfbb9c70d6aeef1018afc589ba97c639419315c428892cb560e377

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqZM2URRQk.bat

Filesize
179B

MD5
f28f763da02f606a6a19e13af9e306f8

SHA1
798c968eee61a8fb0617b5e5926547d10e9a86f5

SHA256
0ad0c20485d85134feabf9d8f1bb49502be6a6c5817e4965d5d91f1f3509840c

SHA512
f9d583dc270a1e6c6d6eed20d2f9a0a88abfc963c47008f7fdd9bf06c5502276ad3092caeb660bd99b2595519c0daea40d802cc5af63c263678f271a364a3152

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqZM2URRQk.bat

Filesize
170B

MD5
00e2c130e97434f0929fae04e85a5b31

SHA1
f760f15751d56f92bf9ceb81e1c91bf03c5721f1

SHA256
d8e35ebdd5dd5ca7e1579bd206969e3ae2d441a3476546d13c63c1900f7a68e5

SHA512
d88fa8e5f972287aa23ca53229faf2181fdaa278fbc52299f08420d760a5e5db6bb800107bab27e6f028b3e6627b9f2ead27651cee1a7abf3dbc13e766d80def

Download Submit
C:\Users\Admin\AppData\Local\Temp\J1i0UIQhNL.bat

Filesize
170B

MD5
d2947109cbc73791bb8c1662f6c4322e

SHA1
a996d7405b3fd47ba4924fd5b272de5a48b74119

SHA256
f08e06a56e2ae9ff008916ff00b758d83a959807414f45905ad268987d9fa14d

SHA512
a65eee4baf1a29493fc41d28ab8a720a91ba7c1be714180a6b93b4d55dfcc502d0cf83772996f007e472ff7d74b4ccaeb25f20900a0daa9f3753fba8fd39fbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\J8oQlItEMs.bat

Filesize
218B

MD5
06c6dc5b26fbb44ce687fa44eb7f58ee

SHA1
55ebeeacbf28356056a9bff008f46d593d895b29

SHA256
310b9d62b83f33bc0dfaacfb4c8f58fb4c59049d7178aef50cf4cd24c9e38d62

SHA512
26fd7d40d056b9a0646577d35324acfb2b688d0e95974231271a3f4449b0c2c9658b5e941c9c3dffb9647577390c6a3cc377be34a964803a8bbd71ef6fa6b2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kg5VX99QjA.bat

Filesize
170B

MD5
b1d5b1d1b482c8c5e35f0259103f55a0

SHA1
919a549ac43e9b78e7f46c8028554219653e73ce

SHA256
7481928d69e2d811682b8a2b5237d8097dc65abbc12ff688d7e47d7fadbfa90a

SHA512
62076accef72927464e7dfcd1e2a206f037829bd7352db2b36465c58877c109e8d9846ea2b46824b8a271575f069b1603ad084ddc5ae50e29a36fddac855958d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LFX8y3PYZG.bat

Filesize
211B

MD5
600a9d7d7ba85a1c303a0f36ad75210b

SHA1
2d9ccaa9a4a30720771f4918f138b41bcdfe8f5d

SHA256
041d0b35c759c21c4245fc344f9044264c6dc7deb558c2ce8e209f0eb14f50a4

SHA512
28ea710c65df3d7ba313620882e58abb72677a5b62350b49270a1045476d77e1a233184ce9f47feaa5c0581919604de5dcfb3f0dd77c60fbe85e1ad19493f668

Download Submit
C:\Users\Admin\AppData\Local\Temp\LFX8y3PYZG.bat

Filesize
218B

MD5
914f527a6af24c2224ce7455e32e88f6

SHA1
e40a6f3e64bdb312a8abf030402bae6772f4de2a

SHA256
4ac300fcb8928c9e349e27de47fd17fd1162cc2bca309353c2f731443d38b1f2

SHA512
7b4258870f95e62f7c61c51e1464a6c6df633516b398736def635acc57c0d266fdaa6b0e15d1e1c12ee0cefa190f398171401bdf1b9b115d5b3a26becbe45e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat

Filesize
170B

MD5
673378cb949bd62984a99d03c1eb8c8d

SHA1
a31f1b4fe49ecf4a0babaa59a7234765642fbff2

SHA256
d32b85a78483001c69c6da69f34da21fe9fb551ad0e38630e09e4a6b8b8c59c8

SHA512
2bda0582c97a544f2a519ba95ca7f79ce532d93ba5b63e80595fa46fa54ced44e8bab1f521ce29c415648a37b6c4846c0ef6c1869ad6527ff6c9c140bca2f78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QrE9yw7ggl.bat

Filesize
170B

MD5
b03b244770b54d8ae5ad30e19c5c7273

SHA1
ef09880fb7e0bc3c593d0db9fb7099172540f306

SHA256
1b502b80460ef0a8f0b2a6669ef480ed3f63adf9ef19c86a4f54a9f00afd62a4

SHA512
0ae1c10a74e2b119898656cf32fbcc458aa85c4e325e9f1bd8e8a9db536952301f33b42d977f1cb04e0302b40b08eedb46115cb1cde685d2783bc9c21d40810d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC081.tmp

Filesize
1KB

MD5
89168f63e007d50c160f4ec77f0d2da8

SHA1
a414c3744d6f20b862308c815703d37b43495d7a

SHA256
56ef952049d094085e838c931b4cfc5a9ef0534ac5f10a2793fa09f246bb8c5a

SHA512
247afaecc3d0b78463b7f4bf752b9275a9aa4dc439092ec52b06cd8c32a01fb67838fbea4cfcbe75e53e459dcf4134b9f3f5b8fb9426955e2c54f875566514c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat

Filesize
218B

MD5
c60f486e7ca13901c08f11457673da04

SHA1
875a40f994f1b51c4c52f37eed292782f809a815

SHA256
05c0b50651abdaa422449b8f561d70947f94d6618857edc79eeba35429fff9e6

SHA512
d5e4b1abf6c5380684d937a5c295a2024e97281540cbdf36cd6918615d32eaf22fa6015f48bab903c7e5b5f87a29ddd454cfbb6fe4ccc9e18f6184555e127125

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y3JLLbydWs.bat

Filesize
218B

MD5
c4375695a43de5c63931619b8ca5f81c

SHA1
9c185d6b2a214e5fe2c155cc88dce8d47eb7d49b

SHA256
d12a50ac15ac6cf5f16a8b24a23e4906a2aa7c0db22ce00afd37d5fbd529f6f7

SHA512
ba9bedd09c7e7a69714d2f986d0837ff573d628584785d06ed8a73f92a49fc98a8bf30b7e6ada9ee48e361a68a400d53c49d6a02e64e1ee59416a05396bd7cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sjf2at50.exk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCL7Nxg3GW.bat

Filesize
170B

MD5
98f22487ed0bc13506a4285a29f55ac8

SHA1
b54fb9280f50c28c44b1a52d5ea22b4d87679812

SHA256
a3d02bdf7706688101865ae9899130092fd2c282d9ea5a8226c990fd9e194d7a

SHA512
b3c80cb86f6dce3515d1a63f293df6ae4d752a6ce199adb4ec306f8520deca64a2a4ee6946ede06cd01042ff7fbde3b8643d42874d3eb902ad2abb45194ff52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\blnknsxC6d.bat

Filesize
170B

MD5
276f67d9d283e2b37deb9942eb92b1ef

SHA1
6d7114b4593a8ba06423b19542d4f32daffe531e

SHA256
78208b9a6d73a5fcdb18dddba30dbc553fb7a31220529933928268e205a26048

SHA512
d47fcb24b8e8f28474b46ebaff61a1992193772a857d3146ff296195e411fb53c81e4b78d02e4ca0a1cb7887c3fc3c16a0b8b2aa07e7658162c9640b9fb0b3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat

Filesize
170B

MD5
d2da3d8e864db602ec6e9ea52263b61d

SHA1
ff068e00e313b09c0cdf083447a998e5608ad8cc

SHA256
95e9fd1e6bcf554c3313df5ef082bda3d42a92452e368713fdef9b1781c1062d

SHA512
134a1fda0ff7008ab2807f06849eb2567fdb887d564a5f6e9a2d20e8a99e4b373bc6babc6f01f0f647fc91540a84502dd4aec8a45ed6228d0a90559f815c8c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\euqVpFfbpH.bat

Filesize
218B

MD5
2fc61952332d00d6b5185bfbed9b97e2

SHA1
ee8673ef7127ea92af21002d9967fec376c04ac7

SHA256
2471802efae5e6e49365593b332b409ab56e70ce4a6d8eb4aaf283043b917787

SHA512
74cfc306b52dce2a867a93ecdefdea3a71534316634945f6743c54539b44a0f97087b62420862013443ad25dd1fb46c1f628747a7cb8046ae5e738e9311e1135

Download Submit
C:\Users\Admin\AppData\Local\Temp\go28NrNAN1.bat

Filesize
218B

MD5
1de1f9451aaa7d679a226706b49dfa26

SHA1
ccf47a4abef899fbd9849112f3ebdc78530dd9c5

SHA256
8ba61984bfda90c8ac5c6961f4ac17caa38081c06434434200df6efa350f1c11

SHA512
df44584d4b2ea051c64c6fffdee5e61beb0f0b367e226268328aa54636432bed49b7d09733d62a16ac5702a903b8e95eeb5c33c8d4dcffd93805b4fd5789763b

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2sGrcN1Zw.bat

Filesize
218B

MD5
245435dd2f22e3fa80ca4f8bc59460c8

SHA1
d0798a2287b0ca2c7aa757eef9c372a0b732f99b

SHA256
0d7b3525690348f0be79ddac712b7ca05fc4b1f0bb709bd35d748624ee0c9161

SHA512
882e5c761eafdd0f5e9efc3a61e6dbc3d4cdecf2628facea2c858c52c512c8cbb290b995ac15a8e5d666983914f19dcb00145c7ce2fc96ba6a4cb88f810e0999

Download Submit
C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat

Filesize
170B

MD5
1699d52dc66e967539ad280a88d6cf39

SHA1
8ebc1297fd34b89af3dc2d72109c80f6b36e811b

SHA256
549c25a1a37a122d81904428edefe75f953bccf07aa710c18f94be325231a1c1

SHA512
0bd524accd644e27ab2c91762af8662a14256ccc574b753331b4b23270cf35560f63a6179363d6306acbf2a3c3009244d5e368d0f8400db7fe7a85a882832e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat

Filesize
179B

MD5
30861fa1b1fdd7b13523948d8db82d46

SHA1
811b52563ef56159e65bded3251271c466d56336

SHA256
b84a22d7a358e5789ce59210fd801715de67e2366dad9d9244fd6adf49fb23b5

SHA512
f7fa4f7360344d6b2551786eb84b4423e805f6af74904d7f628cb226617af0eff274e6ff07c7cdfb5ac9b4ce99039711b20f9b2b1afedca56e30e9baaac13c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat

Filesize
170B

MD5
f6bf26178f3d5691d957759d63f6dab0

SHA1
e9e1863759efddb44da5c1ebda80b4994ad9159e

SHA256
a25a96ae1a4ec3319c8619e0acecd1ffb0614702418ff7f2b3cebe065638f6f2

SHA512
c1f9b2c874afa423544768c07ed68e4f8500c75698a05e2cbe19d37d26131c265ab7e760b9332822bb287e556d3b0ec1d88b7cf7715ecb6f949202f82850abe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat

Filesize
179B

MD5
7729d4a8141e0ea246ac3e0003849ff3

SHA1
fb3a1cb3d59d85516cd3e6ddc5b683af7891e128

SHA256
a674991358cea296c249423068b146627ae06d3e85b973d4c408c6dd8d75299a

SHA512
6b9009010d9a81fcdbe62341a77a9d5be8a35bdaae6d208239c024709bcb6b2b13d87ef39d24a6f5b4c6332be492207743f1618d135f78fb7b6a6e8aad966e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\riciCmDgnt.bat

Filesize
211B

MD5
73a787f5abc24811109cdaba024b0c47

SHA1
a8beff4e51f79bc75f9acfca83cb4c7ae24e2f39

SHA256
328ea34123bd99040558f1f8feea350b9cfd9c001e9a2a9a83f7ed0fa9779cc6

SHA512
8a7408300fc9275a86ae0f9de2a243509c288a2424ae63727105aa7561502781cbb3387cb1eb39e6707299ecfefacb6567f6388e4113ee93a49387d31a4a3ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxRqhXCXyo.bat

Filesize
170B

MD5
905a6b765d312850ff92904eb88a5e9f

SHA1
8c76f046ae0c2d3605de8aecd6a22dbe58018e3e

SHA256
cf004d3c1c0d78886041dc587716f8c6079b647575b4d06e0b33855b4be70acf

SHA512
78eabc3360e0bdffd53c4219e7b58921411567bfc9f9f281a276b87bcd4d15e4daa8d26ac9d887623343dcaa0115da93db11c4b38c9da0d13f56f5707402d3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat

Filesize
179B

MD5
8a3e843a52d9c64e4ecba55d4d54d204

SHA1
91089b25a97e23f630df1c46e99125c65fe2452f

SHA256
2e4911cb93dc05ee715f1dcefa5f2a1b0d3ba7556432be3ba138ef4361aa4239

SHA512
3456b93824575913260ea2498aadc4e65eeac9ed1b79ced489259c9a55d107836643a1b0ffccd7f5f8d482e6ab01820c49abeeea9a325e19cd23d35d9d6f1262

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat

Filesize
170B

MD5
c888749a332f5f95ac9537d106ee5ac6

SHA1
f76abbde5a9ce3541de8361345acd40e4ff7b275

SHA256
707a0f13d3e360a0aa9f7a11259dbce92d969cf86b4f952745ec7c6584998646

SHA512
9d2776df40a1206af46aaa3d11fc5b874f3af12029335d2fec42b88cfc1819e7bc57af9cb42a514ea30a0cab43ddf100767005a7a6de3383bfd12c556cb42787

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat

Filesize
218B

MD5
f5b66985cdacc1f2dc0508ca9b9fb42f

SHA1
7f9dcbe5d67888ca56e32e457531dbbd622a02f4

SHA256
29ec56ee464b50134355cd38e39464894956b2d6101966493bd0645d5bbc5d6b

SHA512
56958140d3419b02067a28b7e0708d47ff6dfe720a016bc6bbeac23bb2b1bfad9b88b983e3938b84293e61a712fcc82a5be3bfdb647afc38e9b4042d9c9bddb6

Download Submit
C:\chainBlocksurrogatewin\Comcontainerdriver.exe

Filesize
2.0MB

MD5
9d27ce3f27809787e6c8bf545963d1e0

SHA1
89c73f5ba0a7cfb3afa53515b38704f90f8e70c4

SHA256
605f67d7b44d7d35fc5331e1badbe43ef332e369c86437c28bda68184c83294a

SHA512
0b49b02802a1652487d7d9dc052444194e74a43a3771dc68081c545114a437fbcc2aedd8ca032144ae7fa3e480cc4727e01fa9d0aa461ea786cb9bf63f867a4d

Download Submit
C:\chainBlocksurrogatewin\GQQ4ylq7g8v2sObSsphEhdaxNJcwRuTMFt5I2eiVZyEpGNyUkwbTE.vbe

Filesize
234B

MD5
8dfd0c504793456574496822db2d2a6d

SHA1
18f7f8d6e3af7dd7c2d491c219743ac6e18886d9

SHA256
c9349402fa75d4a2ce0c9b704be94ca546cf3d2912a3272af80c050e8251c2b5

SHA512
946de0213c05a3db186f27754b40e08de12021a7dc2cf43f55c29da4ec2bb40347abab7104684acf5696cb1e289ccb90ac826db5048dca698f98cb043d15358a

Download Submit
C:\chainBlocksurrogatewin\jadNZOaHlMDhsSca68lTCEwCwvIEx4Rlg.bat

Filesize
104B

MD5
e5d7112ec4ea1326fb903ec7d5249948

SHA1
068099c095e83c6fa948702e467de51455f5b873

SHA256
4a7538c31c88df87c83d85e6e729fe85ea5371ebf41545df1639dbf6a07ad709

SHA512
ee5fe8ff4f8a41acad3baeb3069b662f808a6ccaf581c66340498ecdd6470af999c8d4fc91979269b51461bb025041d7cb2ac30c52603161aa0b11a53c889ba4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axsdawer\axsdawer.0.cs

Filesize
367B

MD5
a44597a9eb32a09f9a7b546913f2cb97

SHA1
9ac8119f4f8c202094b8ee0fcc5e4f358cdfd7fb

SHA256
1428924100b8c108cbdaa656144c2cfb0eef49c7196b991cb8ce635cee35b61f

SHA512
a5da41463097be1dfc9a1efc6779c68dda8adfd01ed9f5df36613f07300a5372e23c3b7a9e90ba96f79b0c501cce80b91142dd417d5a52115a55b362fd5bdc3d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axsdawer\axsdawer.cmdline

Filesize
235B

MD5
3080f764f6f76792353e9aa45e8b72d0

SHA1
ebfcc0ec44efc8f7366beaa53f91aadad5ed0ccd

SHA256
12c35cf27cc2010af1edd10dc9616aa35b3d941411ff59f34f64aab3b15f66fc

SHA512
9b9de25edc5a5e83085094226ca532b61931e8dcb34d45ef4e8a4a91ea1c0ae03a8670382f7917dea7aea7ddc50708c13ff4a56c4f67fc35c71de9a237e11a53

Download Submit
\??\c:\Windows\System32\CSC7908460A3C0C4410A21AF1D56AFE54B.TMP

Filesize
1KB

MD5
57bb40f5be3151e0770c0f34716e8ab2

SHA1
dc223d49f634572af57cfe6af2afc502710dd26d

SHA256
2e7fcd380c66bfc68cdca17518f6be145ddcfcbfb51c4de817623b3c8497b9c7

SHA512
99d1716d29d3e2982a0864ae0351f97b2a1b3df28fcb065ee6d3777b16790278cbbee2636789bb007a9aea8513f5dbcc98c1b38159e67c0774e040328470e43b

Download Submit
memory/1280-164-0x000000001C290000-0x000000001C38F000-memory.dmp

Filesize
1020KB

Download
memory/2280-69-0x000001E651E30000-0x000001E651E52000-memory.dmp

Filesize
136KB

Download
memory/2304-759-0x000000001D2A0000-0x000000001D447000-memory.dmp

Filesize
1.7MB

Download
memory/3048-807-0x000000001C410000-0x000000001C5B7000-memory.dmp

Filesize
1.7MB

Download
memory/3736-200-0x000000001C7A0000-0x000000001C89F000-memory.dmp

Filesize
1020KB

Download
memory/4120-145-0x000000001CDD0000-0x000000001CECF000-memory.dmp

Filesize
1020KB

Download
memory/4200-775-0x000000001C710000-0x000000001C8B7000-memory.dmp

Filesize
1.7MB

Download
memory/4340-743-0x000000001D2E0000-0x000000001D487000-memory.dmp

Filesize
1.7MB

Download
memory/4396-726-0x000000001D340000-0x000000001D4E7000-memory.dmp

Filesize
1.7MB

Download
memory/4884-791-0x000000001D2D0000-0x000000001D477000-memory.dmp

Filesize
1.7MB

Download
memory/4960-182-0x000000001C100000-0x000000001C1FF000-memory.dmp

Filesize
1020KB

Download
memory/5036-26-0x000000001C200000-0x000000001C728000-memory.dmp

Filesize
5.2MB

Download
memory/5036-18-0x00000000013E0000-0x00000000013EE000-memory.dmp

Filesize
56KB

Download
memory/5036-20-0x0000000001450000-0x000000000146C000-memory.dmp

Filesize
112KB

Download
memory/5036-16-0x00000000008D0000-0x0000000000AD4000-memory.dmp

Filesize
2.0MB

Download
memory/5036-21-0x0000000002EC0000-0x0000000002F10000-memory.dmp

Filesize
320KB

Download
memory/5036-15-0x00007FFF31C03000-0x00007FFF31C05000-memory.dmp

Filesize
8KB

Download
memory/5036-23-0x0000000002D20000-0x0000000002D38000-memory.dmp

Filesize
96KB

Download
memory/5036-25-0x0000000002D40000-0x0000000002D52000-memory.dmp

Filesize
72KB

Download
memory/5036-28-0x0000000001430000-0x000000000143E000-memory.dmp

Filesize
56KB

Download
memory/5036-30-0x0000000001440000-0x000000000144E000-memory.dmp

Filesize
56KB

Download
memory/5036-32-0x0000000002D60000-0x0000000002D68000-memory.dmp

Filesize
32KB

Download
memory/5036-34-0x0000000002D70000-0x0000000002D7C000-memory.dmp

Filesize
48KB

Download