e0f566934e24a7fe29c2b45f2c8b70bb56980769238002dedf2ef72ebe49cde3

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe
Size

1.2MB
MD5

a8d164756ecd1e60e4510334f4ef64c6
SHA1

9d3825cc87e83bd29561a31a49cee63f173ff515
SHA256

e0f566934e24a7fe29c2b45f2c8b70bb56980769238002dedf2ef72ebe49cde3
SHA512

fbf7a081ed5048a3daa44de7b11058358e52e9139178a970654b9f4880eed5e63ff3e0086603361b6cb83662ce87643e5971d1077a79a32d37acad3d509758c9
SSDEEP

24576:F0nWgSSwbfqAuwIlIRz/JCLhtrNGy6Eydl+uP4ySUbK+w5GgZzkEg8:F0nWgoXIlI5/gLHrNRyn+H7l+w3zk18

Score

8^/10

defense_evasion discovery upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1480	curl.exe

Executes dropped EXE 15 IoCs

pid	Process
2800	tasklist.exe
2176	BiscontiComputers-start.exe
2580	tasklist.exe
2012	tasklist.exe
1852	tasklist.exe
1140	uharc.exe
2964	tasklist.exe
3060	tasklist.exe
2216	tasklist.exe
2532	tasklist.exe
340	uharc.exe
2996	tasklist.exe
536	tasklist.exe
1480	curl.exe
1148	tasklist.exe

Loads dropped DLL 32 IoCs

pid	Process
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
1428	cmd.exe
1428	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2172	cmd.exe
2172	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2820	cmd.exe
2172	cmd.exe
2172	cmd.exe
1480	curl.exe
1480	curl.exe
2820	cmd.exe
2820	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-171-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral1/memory/340-160-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral1/files/0x00050000000194ca-132.dat	upx
behavioral1/memory/1140-110-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/1428-85-0x0000000000410000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2868-0-0x0000000000400000-0x000000000059A000-memory.dmp	upx

Enumerates processes with tasklist 1 TTPs 11 IoCs

discovery

Process Discovery

T1057

pid	Process
2216	tasklist.exe
3060	tasklist.exe
2964	tasklist.exe
2012	tasklist.exe
2580	tasklist.exe
2800	tasklist.exe
1148	tasklist.exe
536	tasklist.exe
2996	tasklist.exe
2532	tasklist.exe
1852	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2692	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uharc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BiscontiComputers-start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 27 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2388	PING.EXE
2472	PING.EXE
1528	PING.EXE
1180	PING.EXE
1284	PING.EXE
2952	PING.EXE
2620	PING.EXE
884	PING.EXE
2300	PING.EXE
1932	PING.EXE
636	PING.EXE
2572	PING.EXE
2132	PING.EXE
2884	PING.EXE
404	PING.EXE
1028	PING.EXE
1912	PING.EXE
2428	PING.EXE
2024	PING.EXE
2516	PING.EXE
2700	PING.EXE
2052	PING.EXE
2240	PING.EXE
1960	PING.EXE
1232	PING.EXE
1632	PING.EXE
2788	PING.EXE

Runs ping.exe 1 TTPs 27 IoCs

Remote System Discovery

T1018

pid	Process
1284	PING.EXE
2572	PING.EXE
2052	PING.EXE
2472	PING.EXE
2300	PING.EXE
2516	PING.EXE
2788	PING.EXE
1932	PING.EXE
2024	PING.EXE
2952	PING.EXE
2620	PING.EXE
2388	PING.EXE
404	PING.EXE
2240	PING.EXE
1232	PING.EXE
2132	PING.EXE
1632	PING.EXE
1528	PING.EXE
1960	PING.EXE
2700	PING.EXE
1912	PING.EXE
2884	PING.EXE
2428	PING.EXE
1028	PING.EXE
636	PING.EXE
884	PING.EXE
1180	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1480	curl.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	tasklist.exe
Token: SeDebugPrivilege	2580	tasklist.exe
Token: SeDebugPrivilege	2012	tasklist.exe
Token: SeDebugPrivilege	1852	tasklist.exe
Token: SeDebugPrivilege	2964	tasklist.exe
Token: SeDebugPrivilege	3060	tasklist.exe
Token: SeDebugPrivilege	2216	tasklist.exe
Token: SeDebugPrivilege	2532	tasklist.exe
Token: SeDebugPrivilege	2996	tasklist.exe
Token: SeDebugPrivilege	536	tasklist.exe
Token: SeDebugPrivilege	1148	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2820	2868	a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2820	2868	a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2820	2868	a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2820	2868	a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe	30
PID 2820 wrote to memory of 1240	2820	cmd.exe	32
PID 2820 wrote to memory of 1240	2820	cmd.exe	32
PID 2820 wrote to memory of 1240	2820	cmd.exe	32
PID 2820 wrote to memory of 1240	2820	cmd.exe	32
PID 2820 wrote to memory of 2800	2820	cmd.exe	33
PID 2820 wrote to memory of 2800	2820	cmd.exe	33
PID 2820 wrote to memory of 2800	2820	cmd.exe	33
PID 2820 wrote to memory of 2800	2820	cmd.exe	33
PID 2820 wrote to memory of 2180	2820	cmd.exe	35
PID 2820 wrote to memory of 2180	2820	cmd.exe	35
PID 2820 wrote to memory of 2180	2820	cmd.exe	35
PID 2820 wrote to memory of 2180	2820	cmd.exe	35
PID 2820 wrote to memory of 2176	2820	cmd.exe	36
PID 2820 wrote to memory of 2176	2820	cmd.exe	36
PID 2820 wrote to memory of 2176	2820	cmd.exe	36
PID 2820 wrote to memory of 2176	2820	cmd.exe	36
PID 2820 wrote to memory of 2884	2820	cmd.exe	38
PID 2820 wrote to memory of 2884	2820	cmd.exe	38
PID 2820 wrote to memory of 2884	2820	cmd.exe	38
PID 2820 wrote to memory of 2884	2820	cmd.exe	38
PID 2176 wrote to memory of 2748	2176	BiscontiComputers-start.exe	39
PID 2176 wrote to memory of 2748	2176	BiscontiComputers-start.exe	39
PID 2176 wrote to memory of 2748	2176	BiscontiComputers-start.exe	39
PID 2176 wrote to memory of 2748	2176	BiscontiComputers-start.exe	39
PID 2176 wrote to memory of 2056	2176	BiscontiComputers-start.exe	40
PID 2176 wrote to memory of 2056	2176	BiscontiComputers-start.exe	40
PID 2176 wrote to memory of 2056	2176	BiscontiComputers-start.exe	40
PID 2176 wrote to memory of 2056	2176	BiscontiComputers-start.exe	40
PID 2176 wrote to memory of 2692	2176	BiscontiComputers-start.exe	41
PID 2176 wrote to memory of 2692	2176	BiscontiComputers-start.exe	41
PID 2176 wrote to memory of 2692	2176	BiscontiComputers-start.exe	41
PID 2176 wrote to memory of 2692	2176	BiscontiComputers-start.exe	41
PID 2692 wrote to memory of 2184	2692	cmd.exe	42
PID 2692 wrote to memory of 2184	2692	cmd.exe	42
PID 2692 wrote to memory of 2184	2692	cmd.exe	42
PID 2692 wrote to memory of 2184	2692	cmd.exe	42
PID 2176 wrote to memory of 1392	2176	BiscontiComputers-start.exe	43
PID 2176 wrote to memory of 1392	2176	BiscontiComputers-start.exe	43
PID 2176 wrote to memory of 1392	2176	BiscontiComputers-start.exe	43
PID 2176 wrote to memory of 1392	2176	BiscontiComputers-start.exe	43
PID 2176 wrote to memory of 2524	2176	BiscontiComputers-start.exe	44
PID 2176 wrote to memory of 2524	2176	BiscontiComputers-start.exe	44
PID 2176 wrote to memory of 2524	2176	BiscontiComputers-start.exe	44
PID 2176 wrote to memory of 2524	2176	BiscontiComputers-start.exe	44
PID 2176 wrote to memory of 2572	2176	BiscontiComputers-start.exe	45
PID 2176 wrote to memory of 2572	2176	BiscontiComputers-start.exe	45
PID 2176 wrote to memory of 2572	2176	BiscontiComputers-start.exe	45
PID 2176 wrote to memory of 2572	2176	BiscontiComputers-start.exe	45
PID 2820 wrote to memory of 2580	2820	cmd.exe	46
PID 2820 wrote to memory of 2580	2820	cmd.exe	46
PID 2820 wrote to memory of 2580	2820	cmd.exe	46
PID 2820 wrote to memory of 2580	2820	cmd.exe	46
PID 2176 wrote to memory of 2696	2176	BiscontiComputers-start.exe	47
PID 2176 wrote to memory of 2696	2176	BiscontiComputers-start.exe	47
PID 2176 wrote to memory of 2696	2176	BiscontiComputers-start.exe	47
PID 2176 wrote to memory of 2696	2176	BiscontiComputers-start.exe	47
PID 2176 wrote to memory of 2588	2176	BiscontiComputers-start.exe	48
PID 2176 wrote to memory of 2588	2176	BiscontiComputers-start.exe	48
PID 2176 wrote to memory of 2588	2176	BiscontiComputers-start.exe	48
PID 2176 wrote to memory of 2588	2176	BiscontiComputers-start.exe	48

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2184	attrib.exe
1240	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\39A6.tmp\BiscontiComputers.bat" C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Admin\AppData\Local\Temp\\bisc_files"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1240
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running2.log
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\BiscontiComputers-start.exe
    "BiscontiComputers-start.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\AutoFix.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\AutoFix.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat"
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\createsrp.vbs" del "C:\Users\Admin\AppData\Local\Temp\afolder\createsrp.vbs"
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha" del "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\no_dup.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\no_dup.bat"
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\prog_list.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\prog_list.exe"
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\resetdma.vbs" del "C:\Users\Admin\AppData\Local\Temp\afolder\resetdma.vbs"
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\say.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\say.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\SetWallpaper.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\SetWallpaper.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\waiting.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\waiting.bat"
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\regjump.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\regjump.exe"
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\Wi-Fi-bisconticomputers.xml" del "C:\Users\Admin\AppData\Local\Temp\afolder\Wi-Fi-bisconticomputers.xml"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6603.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6603.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6984.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6984.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6603.bat
      4⤵
      Loads dropped DLL
      PID:1428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\waiting.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1232
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:404
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2300
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2052
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2388
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2788
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2620
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2572
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2132
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:636
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2952
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 125
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" x -t"C:\Users\Admin\AppData\Local\Temp\bisc" -y+ C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha
        5⤵
        Executes dropped EXE
        
        PID:1140
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING -n 1 www.modyouri.com
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2472
    - - C:\Windows\SysWOW64\find.exe
        
        find "Reply from "
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\bisc\check_inet.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
      - C:\Windows\SysWOW64\PING.EXE
        
        PING -n 1 www.google.com
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2428
      - C:\Windows\SysWOW64\find.exe
        
        find "Reply from "
        6⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\bisc\dwn_util.bat"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2172
      - C:\Windows\SysWOW64\mode.com
        
        mode con: lines=10
        6⤵
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" x -t"C:\Users\Admin\AppData\Local\Temp\bisc" -y+ C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:340
      - C:\Users\Admin\AppData\Local\Temp\bisc\curl.exe
        
        ""C:\Users\Admin\AppData\Local\Temp\bisc\curl"" --progress-bar -o "C:\Users\Admin\AppData\Local\Temp\bisc\aiov.txt " "http://www.modyouri.com/bisc_files/aiov.txt "
        6⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
    - - C:\Windows\SysWOW64\fc.exe
        
        fc "C:\Users\Admin\AppData\Local\Temp\bisc_files\aiov.txt" "C:\Users\Admin\AppData\Local\Temp\bisc\aiov.txt"
        5⤵
        
        PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\AutoFix.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\AutoFix.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat"
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\createsrp.vbs" del "C:\Users\Admin\AppData\Local\Temp\afolder\createsrp.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha" del "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha"
      4⤵
      System Location Discovery: System Language Discovery
      PID:928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\no_dup.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\no_dup.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\prog_list.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\prog_list.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\resetdma.vbs" del "C:\Users\Admin\AppData\Local\Temp\afolder\resetdma.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\say.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\say.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe"
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\SetWallpaper.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\SetWallpaper.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat"
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\waiting.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\waiting.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\regjump.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\regjump.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\Wi-Fi-bisconticomputers.xml" del "C:\Users\Admin\AppData\Local\Temp\afolder\Wi-Fi-bisconticomputers.xml"
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6603.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6603.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6984.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6984.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1860
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1180
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1284
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1912
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    - System Location Discovery: System Language Discovery
    PID:668
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    - System Location Discovery: System Language Discovery
    PID:264
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe
    tasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\SysWOW64\find.exe
    find "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log
    3⤵
    PID:944
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\39A6.tmp\BiscontiComputers-start.exe

Filesize
1.5MB

MD5
e379168fe006772711f9e9ccf22411e5

SHA1
3d9440603c535aeb1e4c95c0283dba38ea87f3cb

SHA256
4a9b643d707939baff1f987dc2ed250c72380a2f58cc837f04478887d2803512

SHA512
22cd94475e81f537f56a69d19988805d56a9198ecd82ccb46fe7489d2426b24e932ea5f2007b1409131bd0b4f390c15092f7cef4d7916300f59a32ba88602a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\39A6.tmp\BiscontiComputers.bat

Filesize
2KB

MD5
88b5086f5f0dfd215e12290e8de8148b

SHA1
ef2509a6896200ff5fd752c9ec9021a89f832c2e

SHA256
da58bb85e99f8c4941fed0f3b5ba7d6812056d4445d3dbac26268caa5c48c33d

SHA512
542e9d5d728e35a2b03fa1985d792d72b15008ef2183ea0f3d37cc5dbf1b0a2518652c1d072d2c7c64acd58500def158fe4abd4ffd3c4573900523f496b1db78

Download Submit
C:\Users\Admin\AppData\Local\Temp\39A6.tmp\tasklist.exe

Filesize
70KB

MD5
70363a3228df8fc8cff4e78f36b31c45

SHA1
67a3482b629b1ee013da449112d3d24aad6fa957

SHA256
c568e436289c271b09c82d51b10b713ea46d2aee7f0ff515c4ffbbf5d11f8178

SHA512
da494184a36b2aaa709147c0a558258701755520d82b2863c9c22794ac0f295b70d3bbffaaf97ca77ce0d7313e408f5eeaac9e31b6972b7cb8a16ca3aa0d2d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\Wi-Fi-bisconticomputers.xml

Filesize
712B

MD5
ee776b220c4f95e18b93e8e91695ac2c

SHA1
7a257aede812707c64797b5decad9cc9f0839ee1

SHA256
cd07c43b967d37ae09275acde2d5ee70c76c727ee1c86e5bf9e4e4a1222c4be8

SHA512
266a9de4fe8278e428d61b179f90def0addc523d77bd65f2f1f0b04c43880f54118857bdceee2285dc8b66e1ad56d0cfa6ab2ba5d0b56946a4ad7fb4bc1b6f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat

Filesize
664B

MD5
581b6ba034bc84910287bc2b4d71ab58

SHA1
81b241cda9516e6db484f2dbbff3c0eb641b9186

SHA256
2d805f58c664b6be4e6d6aba5af0c7d07c4bf173981f36a62011c50809862ed4

SHA512
43a89e66f4804d233a98c855d0c4b20c439a0258d3231e399ad0c063535e57ba1f38cf2ba699b7f09e376330f0f412569d7def771d831911e9643199c32774b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha

Filesize
816KB

MD5
045bb7f6767536d2734a82bfa907a88c

SHA1
d661d2d131d4df532f9375c1953b4e3b5cb5d8a6

SHA256
105c7728959c59efaee6c23b5ec90e1e0b243a2b21855313fca015ee1b45d8bd

SHA512
61d9a8a7fb00fda4d24a89473b9ada4da8ba6b0b72157e7d19105e525efd4d9fffe36c8de57b19576d20510b8922081c807f057d971dfffa66d6885d4bd96bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe

Filesize
101KB

MD5
50f6270de215776eb6e9ab43c2367f90

SHA1
a2f0be6b23b6a923c402d6893e7e3c50e89a1132

SHA256
f0a425fc7159c0311fcf32a03c80e24f40b273d199ce95defe470786087f822a

SHA512
6dac8fbf961c41832000623092247b1deccf288a4fe32c4f028e89eb485b8d1713012038af955a87674beeaba92c0bc9ef47c4c10242bc3953b2b1a0e53431ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bisc\dwn_util.bat

Filesize
1KB

MD5
08b1e6c236cf405c8eaf2174f47f840d

SHA1
4885088aa42193f2e81692084a74fe38d63e779e

SHA256
0720c8786ae5b0064637392be0706e82524737f34249abf5b6b94b74c952a6e5

SHA512
17fe6ee6f3d7ab0cdbee18f66ae412c35535b6e4d6d5cae2d04caab2230cfa16ef4fb0a8b1d980972c333261ef9620f8df035eedead6c71ab531079f58b20f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bisc\libcurl.dll

Filesize
322KB

MD5
659c79fbe882e54c44f3bd39f073d7c0

SHA1
d684bab7481def64c5e75d1732b69bbd6ca2ffb3

SHA256
ea7c540a7e59596a8793bd00d742ca5f86db7022be03465b6967285c1667c849

SHA512
0ea0483774c09a99deaf9a26372ea9308c719f1b5dbc6b9413ecdb89a3e4cc1b36e8a59f7dcddbd76c0e683d5169c9271f997eee465b0ea927264ec514d45245

Download Submit
C:\Users\Admin\AppData\Local\Temp\bisc\libeay32.dll

Filesize
1.5MB

MD5
923fad7854959d5e971bcb787a699f3c

SHA1
41a72dd510b5f08d9a2cf4a0dacf3fbb76ddb2ca

SHA256
9018baac15d34cfd47f092a3c9c12ba1c5ddb910a4692187174d8f09f193e5f8

SHA512
4f367d95468d7c27647d2e9626006908ca1c5d786c6e364953f83bc81df5248e7fba0468097fc017d1ac48f77526ebaaad77c4c1e49712a2381de8bf3e159660

Download Submit
C:\Users\Admin\AppData\Local\Temp\bisc\libssl32.dll

Filesize
19KB

MD5
b15da2b65fe5e474b60db4a961f363e8

SHA1
f78b9d1ebd3b22cd52d152806a85297b70e00956

SHA256
10d7081a72d7fd4b4dfe0bb88119be5dd1df0a019a43b8fe25136b64e397e067

SHA512
518334e3e1a5d307596fa1416df4bf5081a7304d7ac15d97e7b2af79502fe414dc577c5caf6122a7cd093a6b6ae7ae37b2e7f821918a8911479858219305d79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bisc\libssl32.dll

Filesize
346KB

MD5
b394f91a8069216775f87749253dbe82

SHA1
d82f8cf2f2198fb60dddfd1ab4deec47b3b70657

SHA256
0f22abb27e6572b0bd383fec50076dd9898cd2f3366551bb51f2856697d11c19

SHA512
86dfccfee8693b2a6ad2265fbaa3f472569e3ae4725dae8224ba9cacaf11aa2e4f9a9ff9d41620d42f41c91df758c8a76008242e148c88e3a6b216dda8ef65d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\running.log

Filesize
122B

MD5
29951b7eb56ca17d9e85c763e03c7fc5

SHA1
6ec95ecc48cff0d3c0d78f210b9a39549c20f97c

SHA256
6d3d1350616636a08b60470a2026586298d93a70602f9eaea5169f5b8823a122

SHA512
bf9270453dbece6a303481cce660d6e2b499c6c60ea623f8579decfe3cb60c63c2db84ae8a8ed24761417ff154b1ed7f3da814dbb3128f4333db86f773df3d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\running.log

Filesize
122B

MD5
af84c276ac1f37685088d8f5fb2d71db

SHA1
28d5dee5814765639cec2f5dc17cc3b80436c081

SHA256
4722e641542fbe44265884feb708501b1b7bbc093c35e9b43e05f6a5a72b94b5

SHA512
d7d6cb401a81be2e6291afb9a242eea087ab59ddac854014a4143cecf0b099bff453fa6e2ade44af442d76a3f3e4ad73856a561d1cf2800a2a8e1014630fb0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\running.log

Filesize
122B

MD5
6332932ab0270009bc10c1755323befc

SHA1
0326263ad556ff3b018f6fad275f5004a1347ab0

SHA256
752f1ecf091f6d1c491fe0b3a9255e63c86e8212daecc8c87658ab9fe42acef3

SHA512
2e32b35b0ef12923de8e28e8c56a3d053be2dfc0c3b7449448121f73a907fec589b0b2b855cc5d05396fe875197203097c90ba699eb58ce078619b605f75f64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\waiting.bat

Filesize
1KB

MD5
9d18a3c65e1607e3b947002c410dc854

SHA1
e3150714ebe02225e94e9384cb06f4d6bac0498a

SHA256
124743104aa1d341eee0da8704bff5550c083af64c7da7d16f1cacf3c741c43d

SHA512
fb3acb5e87a42970b23caa4dda1e994ead34ce6feb532eb2a34f156e1c6c61eaa893c57842dbf7d0460dada6150d586317cb1cb7c695dd434cf9e265147e6c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp6603.bat

Filesize
119KB

MD5
ffff088533bfb46ef230ef0c9cde291d

SHA1
d9698e39b4926c6c60815e280b4e8a9bb39519e7

SHA256
aad770fcee71c4919923d38a007e9b8c902640b38ba3652cce3810ebb77c3ec9

SHA512
42b8b2d7cb0c2c754a62c7588ffeed88c05199c06521c6fd5a9d9cdb2c6878a0d106c3e0b192c11210206f9fdfb3ef570fa57649d52182aa99e87cf31c6ed186

Download Submit
\Users\Admin\AppData\Local\Temp\bisc\curl.exe

Filesize
432KB

MD5
42d74927a0f4f583fb4a43c6841f0da1

SHA1
84e0ddb2b0fd27a72d5e5caaf19d2323babeedd0

SHA256
a5666c0d1ab708994ee1636d0cbe8cec759378d764a6704e20c31a505f19809c

SHA512
01e3d5423c49a484cd1ffb295bbdd4583fa70d08549b0c42b283f0a31bfe799bdda95d3452f19cf59e288545dce248972de7e1b37db7f23bd4c292baa8df7093

Download Submit
memory/340-160-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1140-110-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1428-85-0x0000000000410000-0x00000000004A3000-memory.dmp

Filesize
588KB

Download
memory/1428-88-0x0000000000410000-0x00000000004A3000-memory.dmp

Filesize
588KB

Download
memory/1480-167-0x000000006B080000-0x000000006B0C3000-memory.dmp

Filesize
268KB

Download
memory/1480-165-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1480-166-0x0000000061D80000-0x0000000061EA9000-memory.dmp

Filesize
1.2MB

Download
memory/2172-131-0x00000000001B0000-0x0000000000243000-memory.dmp

Filesize
588KB

Download
memory/2868-171-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2868-0-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download