dcrat | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9

Resubmissions

14-01-2025 04:25

250114-e2erasypan 10

14-01-2025 03:06

250114-dl14xsxmdn 10

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Size

3.3MB
MD5

c883ea559bee9a0cb393aa32dcaf5d80
SHA1

995dfd0d9d504bec628e7d7297962677d8ab32cb
SHA256

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9
SHA512

9ee8ef8a9912b14bcbeb3c13b2670c92eecc17c4a8a719d6bd9935f17239a244457e2f711c01e374febd767c866d6c563bad97e687680919ca0c017d738626ee
SSDEEP

98304:db5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8N7:hMyqKM1TogtqT44NN7

Score

10^/10

dcrat discovery evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\Users\\Public\\Music\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\smss.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\Users\\Public\\Music\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\smss.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\smss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\Users\\Public\\Music\\cmd.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\Users\\Public\\Music\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\smss.exe\""	containerReview.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	5116	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	5116	schtasks.exe	95

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe

Executes dropped EXE 21 IoCs

pid	Process
3532	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
3984	icsys.icn.exe
5112	explorer.exe
3232	spoolsv.exe
3424	svchost.exe
4796	spoolsv.exe
4448	containerReview.exe
2928	containerReview.exe
4768	containerReview.exe
3592	containerReview.exe
4444	containerReview.exe
1924	containerReview.exe
1648	containerReview.exe
4788	containerReview.exe
1480	containerReview.exe
1660	containerReview.exe
1048	containerReview.exe
3556	containerReview.exe
2132	containerReview.exe
4012	containerReview.exe
1372	containerReview.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\Music\\cmd.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Defender\\es-ES\\smss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Google\\Chrome\\Application\\smss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Google\\Chrome\\Application\\smss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Defender\\es-ES\\smss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\Music\\cmd.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File created	\??\c:\Windows\System32\CSC7E3A3A307AA74F1D93C0AD8E1A23FBE1.TMP	csc.exe
File created	\??\c:\Windows\System32\xqt5sk.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3532	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\886983d96e3d3e	containerReview.exe
File created	C:\Program Files\Windows Defender\es-ES\smss.exe	containerReview.exe
File created	C:\Program Files\Google\Chrome\Application\69ddcba757bf72	containerReview.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe	containerReview.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe	containerReview.exe
File created	C:\Program Files\Windows Defender\es-ES\69ddcba757bf72	containerReview.exe
File created	C:\Program Files (x86)\Windows Portable Devices\winlogon.exe	containerReview.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d	containerReview.exe
File created	C:\Program Files\Google\Chrome\Application\smss.exe	containerReview.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3704	PING.EXE
1376	PING.EXE
3304	PING.EXE
1560	PING.EXE
4792	PING.EXE
4484	PING.EXE
1312	PING.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
3304	PING.EXE
1560	PING.EXE
4792	PING.EXE
4484	PING.EXE
1312	PING.EXE
3704	PING.EXE
1376	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4424	schtasks.exe
4192	schtasks.exe
636	schtasks.exe
1576	schtasks.exe
3252	schtasks.exe
1448	schtasks.exe
3756	schtasks.exe
1656	schtasks.exe
3620	schtasks.exe
2164	schtasks.exe
4224	schtasks.exe
1584	schtasks.exe
4440	schtasks.exe
1648	schtasks.exe
4868	schtasks.exe
4692	schtasks.exe
4512	schtasks.exe
4596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
3532	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
3532	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
3984	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5112	explorer.exe
3424	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	containerReview.exe
Token: SeDebugPrivilege	2928	containerReview.exe
Token: SeDebugPrivilege	4768	containerReview.exe
Token: SeDebugPrivilege	3592	containerReview.exe
Token: SeDebugPrivilege	4444	containerReview.exe
Token: SeDebugPrivilege	1924	containerReview.exe
Token: SeDebugPrivilege	1648	containerReview.exe
Token: SeDebugPrivilege	4788	containerReview.exe
Token: SeDebugPrivilege	1480	containerReview.exe
Token: SeDebugPrivilege	1660	containerReview.exe
Token: SeDebugPrivilege	1048	containerReview.exe
Token: SeDebugPrivilege	3556	containerReview.exe
Token: SeDebugPrivilege	2132	containerReview.exe
Token: SeDebugPrivilege	4012	containerReview.exe
Token: SeDebugPrivilege	1372	containerReview.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
3532	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
3984	icsys.icn.exe
3984	icsys.icn.exe
5112	explorer.exe
5112	explorer.exe
3232	spoolsv.exe
3232	spoolsv.exe
3424	svchost.exe
3424	svchost.exe
4796	spoolsv.exe
4796	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 3532	1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	82
PID 1764 wrote to memory of 3532	1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	82
PID 1764 wrote to memory of 3532	1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	82
PID 1764 wrote to memory of 3984	1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	83
PID 1764 wrote to memory of 3984	1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	83
PID 1764 wrote to memory of 3984	1764	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	83
PID 3984 wrote to memory of 5112	3984	icsys.icn.exe	84
PID 3984 wrote to memory of 5112	3984	icsys.icn.exe	84
PID 3984 wrote to memory of 5112	3984	icsys.icn.exe	84
PID 5112 wrote to memory of 3232	5112	explorer.exe	85
PID 5112 wrote to memory of 3232	5112	explorer.exe	85
PID 5112 wrote to memory of 3232	5112	explorer.exe	85
PID 3232 wrote to memory of 3424	3232	spoolsv.exe	86
PID 3232 wrote to memory of 3424	3232	spoolsv.exe	86
PID 3232 wrote to memory of 3424	3232	spoolsv.exe	86
PID 3532 wrote to memory of 4208	3532	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	87
PID 3532 wrote to memory of 4208	3532	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	87
PID 3532 wrote to memory of 4208	3532	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	87
PID 3424 wrote to memory of 4796	3424	svchost.exe	88
PID 3424 wrote to memory of 4796	3424	svchost.exe	88
PID 3424 wrote to memory of 4796	3424	svchost.exe	88
PID 4208 wrote to memory of 5056	4208	WScript.exe	99
PID 4208 wrote to memory of 5056	4208	WScript.exe	99
PID 4208 wrote to memory of 5056	4208	WScript.exe	99
PID 5056 wrote to memory of 4448	5056	cmd.exe	101
PID 5056 wrote to memory of 4448	5056	cmd.exe	101
PID 4448 wrote to memory of 4280	4448	containerReview.exe	108
PID 4448 wrote to memory of 4280	4448	containerReview.exe	108
PID 4280 wrote to memory of 4828	4280	csc.exe	110
PID 4280 wrote to memory of 4828	4280	csc.exe	110
PID 4448 wrote to memory of 2160	4448	containerReview.exe	126
PID 4448 wrote to memory of 2160	4448	containerReview.exe	126
PID 2160 wrote to memory of 4148	2160	cmd.exe	128
PID 2160 wrote to memory of 4148	2160	cmd.exe	128
PID 2160 wrote to memory of 3304	2160	cmd.exe	129
PID 2160 wrote to memory of 3304	2160	cmd.exe	129
PID 2160 wrote to memory of 2928	2160	cmd.exe	131
PID 2160 wrote to memory of 2928	2160	cmd.exe	131
PID 2928 wrote to memory of 2332	2928	containerReview.exe	134
PID 2928 wrote to memory of 2332	2928	containerReview.exe	134
PID 2332 wrote to memory of 1496	2332	cmd.exe	136
PID 2332 wrote to memory of 1496	2332	cmd.exe	136
PID 2332 wrote to memory of 1560	2332	cmd.exe	137
PID 2332 wrote to memory of 1560	2332	cmd.exe	137
PID 2332 wrote to memory of 4768	2332	cmd.exe	142
PID 2332 wrote to memory of 4768	2332	cmd.exe	142
PID 4768 wrote to memory of 3540	4768	containerReview.exe	144
PID 4768 wrote to memory of 3540	4768	containerReview.exe	144
PID 3540 wrote to memory of 5008	3540	cmd.exe	146
PID 3540 wrote to memory of 5008	3540	cmd.exe	146
PID 3540 wrote to memory of 4284	3540	cmd.exe	147
PID 3540 wrote to memory of 4284	3540	cmd.exe	147
PID 3540 wrote to memory of 3592	3540	cmd.exe	149
PID 3540 wrote to memory of 3592	3540	cmd.exe	149
PID 3592 wrote to memory of 544	3592	containerReview.exe	152
PID 3592 wrote to memory of 544	3592	containerReview.exe	152
PID 544 wrote to memory of 2328	544	cmd.exe	154
PID 544 wrote to memory of 2328	544	cmd.exe	154
PID 544 wrote to memory of 4792	544	cmd.exe	155
PID 544 wrote to memory of 4792	544	cmd.exe	155
PID 544 wrote to memory of 4444	544	cmd.exe	157
PID 544 wrote to memory of 4444	544	cmd.exe	157
PID 4444 wrote to memory of 4240	4444	containerReview.exe	160
PID 4444 wrote to memory of 4240	4444	containerReview.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
"C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- \??\c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
  c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession/containerReview.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1a0gp5qk\1a0gp5qk.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD91A.tmp" "c:\Windows\System32\CSC7E3A3A307AA74F1D93C0AD8E1A23FBE1.TMP"
        7⤵
        
        PID:4828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XUYSYwjQ1L.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3304
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gwa5WPFrYr.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1560
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\COegk83zmU.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4284
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\77a9gOcAJB.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4792
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cZiCzHXbdI.bat"
        14⤵
        
        PID:4240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4484
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bzGZZMGSnB.bat"
        16⤵
        
        PID:3184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1760
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zhbNlpe3Af.bat"
        18⤵
        
        PID:4032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1312
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CjHAhHKHQf.bat"
        20⤵
        
        PID:4704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2352
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M4O85ItfzR.bat"
        22⤵
        
        PID:1112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1272
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aKt4VVYkRN.bat"
        24⤵
        
        PID:1416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:552
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0wRVFaeuMa.bat"
        26⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3704
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R0he2Lr4l7.bat"
        28⤵
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3992
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sVWBOBo5KY.bat"
        30⤵
        
        PID:4996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3956
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rq9fLK5Nyj.bat"
        32⤵
        
        PID:1360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:1724
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\81mmE0Ljqu.bat"
        34⤵
        
        PID:400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1376
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3984
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3232
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3424
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 7 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containerReview.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0wRVFaeuMa.bat

Filesize
166B

MD5
acb9c1caf3deaecf59f8bb5c545488ed

SHA1
f84fe26017932080350ad5724f2fa0485461ea34

SHA256
e730a660eebd1a1a76313d672f0484941a3330cd6626bdbbd0b84c0fec52c285

SHA512
c76ba4cf9e27c02b331b0943ca3cd97a0eb38654edbdced957f430bd87de21e9dc01fac0312d99d70ad85be17b74bfb1469b489fb6ec5da50cf0c7e06c5d10bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\77a9gOcAJB.bat

Filesize
166B

MD5
434d1444e2ac7ecd42cc6ba44c910ac3

SHA1
eb4decf4014c4b3170cbcfba2013115d5ccd355c

SHA256
cf6820cfc9ca54c6a2540eb9927cae11a2856ef1ff5e984eb9dbe866d1d056bc

SHA512
39c02d03a17a3ba549b0ca1f9866cb249d23d76269724c2775c32b6fa6c3299e4fc185602268b203d7a18ea1e6f2ef7bc8cdf2521345c28fb185346c37fb7ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\81mmE0Ljqu.bat

Filesize
166B

MD5
c45554d53f41182e15e444b42d18c140

SHA1
d7fd5940a795c05ec572ed222e0403e543416de3

SHA256
d5d820590a2eee084087b14c6a6b62de33a0f9aa4261aa00d1045e765a44c3ac

SHA512
223a673701f66199e529a86c3273dc3724e7f9ef4acddd10cb5bc8c817a2ccfd5706c298d8e3f3c5eb366a5d05017e8b986d6867717215ec3f58564ac710fabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\COegk83zmU.bat

Filesize
214B

MD5
18a83ba545fd3fcddde95329c695c7be

SHA1
aa4da82b0759299211f182f95061530538b4210e

SHA256
aabdc67232cd8b66278e977ea105a2d432f737ec9fc19b0deb6b23bbb6c9150f

SHA512
079ed53a1c4e27a38c38666b2c41434d555aa1d31b4691c3a257177799a94b05febb0673c1b242b06ce55cf10fc02354205151b50f33231e801ac7f7880dc75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CjHAhHKHQf.bat

Filesize
214B

MD5
6d3b1fedaff56a023b2320fbf0a3e4c0

SHA1
c4464632b3df5dd044e66f70aeadfbd5a2cac5b1

SHA256
3b05a485c439b1de3a41ba7e1634a2f0bef87bc4da5d2c30a262acc568ab2a76

SHA512
96edb2735589f6c167c501a06dfe5741d7612cd68cd849048dda5c1cdc2cab1727f6cc96094e725c1b60df10dccf9461f248af613100c04276045a042be478b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\M4O85ItfzR.bat

Filesize
214B

MD5
b9b375500dec34a71f0c391153db4f05

SHA1
20de9975c5c996c7ef52d17f65bd2754e8856704

SHA256
4a128cdd42453615965da050e8a35cc7e3c177ccdb255c33409c345feb2ef951

SHA512
b7015891af195baf191ace56dfcbf63e0f598b3184a5f21ccb682ca5488448dc4786e9185479b57cf4af2c7cc4d2dd37417be5ce447e5815dc176dadfbe667f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\R0he2Lr4l7.bat

Filesize
214B

MD5
7ab0a005161b1a49e8461a2068d6712b

SHA1
302772611cd09e01b56bcae2c46a753bf67e5a33

SHA256
c1455dad371defe71ce1a0ca8665f47dbbac099c8036ce8fcc445d93c9a877ec

SHA512
ea17959f4df33846d7c85e497113c582b3dad4fb7290b8bedb4bdd1d9d33a8661a7edf575e6e1941f1fa9c0e81eaf7846c5a6af465719aab12c83fb6a5ca9b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD91A.tmp

Filesize
1KB

MD5
1f1ff64ea420d22bd8975a599957eb04

SHA1
307f192bb2cb3b804e36b6d000b12410b7680698

SHA256
483bc32e352231c8f2af5f0066150f55c2075ff8b3c9c99fb7ebf90c1fdb4e30

SHA512
69ff91c9dbbdadc74e6d73716f5e1fe835fce6184b19a2a23d491632c4e065d26a4266fa4ccb48ef883c5f5bef80241273190bbc77c5db486cc0546efca6a114

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUYSYwjQ1L.bat

Filesize
166B

MD5
b9991e425c480297ee71a4f35ca9dd6b

SHA1
90b3c3a1318b3e9218941ddad71e7bdec0396436

SHA256
b2163a402bcd6215c19e231e06bace5345955c23a5f42c4e384157045f70fb34

SHA512
e7eaee4dca5ccc6ad920e3898095c6cec18160d6e6139874d62ad72df62890ff21ab18ba3e6db0d26f6af6e2a946e76297b2aaaaea42c3d7c82fac810af7ae3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKt4VVYkRN.bat

Filesize
214B

MD5
9ff87612089489081e7dadf3f920dfbe

SHA1
d956f56c6b5aa542f28f948e5d77404a13815662

SHA256
f7fc4a4f20b422770328cb08aa31d25e65d945d5aaeb8b4bcddea0adb82f90ae

SHA512
b63f35e335fb7dfd8f2ef5a38f943f4970029246a7b726865035636f167a0ee7ca1d8299b848a2c0796fd9980417794e5d3a7d095debdef51dddb12760db27eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Filesize
3.2MB

MD5
a7040b85fc683f088f4c6e5b44052c43

SHA1
7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66

SHA256
b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

SHA512
e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzGZZMGSnB.bat

Filesize
214B

MD5
659bd8326d45447f6872e22b5efcb621

SHA1
c3446f23b3a42153bf04711c69e185fae36fb804

SHA256
a2db89b8f64c04b669e9b2dd5acea342159bf0b6466fa1fe2cbf0a98af2e388b

SHA512
4da45beb7d5023bcc4c0156a5dd244ac74cec34563f9500c13237861f75fc5f0d17e0a3fffa40087a4ac5df855b83d8b29b300e122f1e382184f57f3215dcc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cZiCzHXbdI.bat

Filesize
166B

MD5
5c7efbdadfaefff1506058d3e0ebbd18

SHA1
24e9b8e6733e049f15eae493c95bd02b0dafdaaa

SHA256
22cebcb2296c79f7cda4b765ca8afd609a9934d0340ee02cec033ffa714b3750

SHA512
250de55afd7c2039509d5737642d83dda5b3f98ae6c2fff3eca11104849c44d76d9e45c498257d4dcd850c73f58f4973d4ad6ffbf77fa39fac146583cbd6713d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwa5WPFrYr.bat

Filesize
166B

MD5
36732932ab512cd354be65f2208ca4f1

SHA1
68c79c644ca0a111d15bdb0f62ba1f91c4a5b2e1

SHA256
a36248c1c631448e2364e0026ed24ad491aa5532258fa14004417fb1ee451179

SHA512
22df94fbcc6351105644d036e90d5d4e428804d3996133a6202b0ff6b283c0aeed82029ee53c59e6be5d44a7ea110ae58def3132d260b16aececb56edce93b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq9fLK5Nyj.bat

Filesize
214B

MD5
ef7e28e687cbb8694e80fcfbe355ea2a

SHA1
17a1fc0877ac307ca9acaab08fd9ede20f7f9065

SHA256
41d8859111e82c4dfec83178be1d8e8d838081a6510e898c18debb9d0adddd3b

SHA512
4f83a52a45d37a0e2ad8b91ad6d7684368dc09f8bd5c7f1dcf1405a85fe72ca95685b0edafad3bd477f650be7e441cbd6c458199ba3f5577396cc5e8d6c00b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVWBOBo5KY.bat

Filesize
214B

MD5
8a4d6b83d19ea51698456aa8414566c1

SHA1
f114f52170f32f700b1d7f9a2e472a32284d2817

SHA256
87e88f1d5c0c3bd7bd722ee160f77d7697dc51e69b091773787c12b16f842fa2

SHA512
5f8429a83d946371d1af464d261b0ffc1516732344403bbab11cb0e630c0da05c44e1b89749ef102532f6aee1754a85e79084c50f7ebfe35081b29b37b152095

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhbNlpe3Af.bat

Filesize
166B

MD5
edba0e0e7eaa8cda89376be2ddb648ae

SHA1
2745005110d8dbc712528b902cede91c07fbd525

SHA256
ce9301f9ce6a34983bbf20c3f49331efe2dae0eab75b4ef75a4b17f994f60dfe

SHA512
04def25d2a0155859ee351be5a57cea05df77a472b897a0607dbb14d7ab6e9e8fb0ddebd8172420c5985aaeb01666b3923f4a2900902ed5c21098c02f73c5870

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
cb9e383f008a4de99894bb286903a415

SHA1
905969d070bf49eb436d6296a16ffcdb64165334

SHA256
0c2183d208c9a54070e0dfb433eea1461425599fec7c10d8d2a59d6e7c638067

SHA512
65334c08b9d89778e1162bda0992047ce9cdbfcd0e4fd4b14dd73ecbe1b3d837c461a8ba3e08e34f3a78b15aa5df26c222ea71e25f2dcd1fe73b97788511d613

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d36cc2935ae0e7a5d2936db589a9b8cc

SHA1
082bd58c0ad60fa4783b63a4f681a5c5fad8e1a6

SHA256
4c93adb50768feb3cdea95f1fedc5d6fdc262d59f12c4b66601d377e2709c2e3

SHA512
547452ba0de7c8ebeec8e4bb2d916c7a881b6743e6d1fb6d2761a202b7cf5bb30c3f541957de70c584b46b7171f3f20338b4985341829b408c366aeaeced9290

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
3df9e8da0398cffd3d76682fae6d77f0

SHA1
a7bda50979202222f5996d9b983c2a51cdb51b59

SHA256
80366c3325137cc9dbe4e2f191d330ae8968026818d3be212db93263a5eb3259

SHA512
f2c3d03228639fa676a7f503e4c916584afe1acaaf26d0b8776f532e75e9af7771f4fb1bb6e2941e5f160107b96e8190b873e84ea2d2c3dc9f3c1f6d7ed9b55e

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
C:\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1a0gp5qk\1a0gp5qk.0.cs

Filesize
383B

MD5
8eb648a465cd0d62b5bb68818f751ed4

SHA1
d922205cbaeca914c103b9ee5d532c8d064d7fda

SHA256
c1054c9263108a3aa47deb09e9c62ee41753513fa2e73b4022759c61e9de35d2

SHA512
33340a42e4bd58f093ba32275a29128cb4c0efec650df81d5c9f14ba80c2d0262f17a8f4ec44bda9457fad5df6fd57dcaac1d390dcb0fbc1d2f0f407c70121c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1a0gp5qk\1a0gp5qk.cmdline

Filesize
235B

MD5
08de6718cc35a3bc88ecc8d25eb4b860

SHA1
acceccc29683beaf815b82b36d9266d14bf0b981

SHA256
67332fb859c62cf1ee134a0bfa2c780862898cdac2f1aebfc799f972fa3df031

SHA512
31a0fee11ce95eebd92bf7e998e9c683e7980857cd990cf8d9461313c866e0d7e3cde721703aae86a8870ab56e9291f1a11959a3728358468b58a34f819aae12

Download Submit
\??\c:\Windows\System32\CSC7E3A3A307AA74F1D93C0AD8E1A23FBE1.TMP

Filesize
1KB

MD5
ad61927912f86c7c9f1e72720f4ef0ef

SHA1
dbb61d9d5c7310c85716fe9f445fee2151cef437

SHA256
bf2696fc2183af293d74c988add5772c1c7257c2e85ae754e43cbe0e1d105a1e

SHA512
33b6f9f93672bd0ecb68e553de0ce92dd6b773c62da7721c9544171df7de8b8588e9ba42e13836db5d5ffc078ca656993f8d06a857dda5a27e1d639d5a6fb3ee

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
7fd0f6319f796e6df04dd830bda62b09

SHA1
0ce9b5e33b871525d07fdd2be4fac7a8c0b20664

SHA256
ba01298316de6238aedc31713ed8439bb94c2e41ebee72729c65779a7e111ad3

SHA512
60f387858311ca52779db80fe7bdee25c26537e1107875ea76bdcef5fba8b24600bd632ceebb9453f9fed70b7d5684003008fbf817db55320c3b172aaa7cb29e

Download Submit
memory/1764-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3232-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3424-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3532-55-0x0000000000AA0000-0x0000000000E81000-memory.dmp

Filesize
3.9MB

Download
memory/3532-8-0x0000000000AA0000-0x0000000000E81000-memory.dmp

Filesize
3.9MB

Download
memory/3984-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3984-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4448-74-0x00000000025C0000-0x00000000025CE000-memory.dmp

Filesize
56KB

Download
memory/4448-72-0x00000000025B0000-0x00000000025BE000-memory.dmp

Filesize
56KB

Download
memory/4448-70-0x000000001ADC0000-0x000000001ADD8000-memory.dmp

Filesize
96KB

Download
memory/4448-68-0x000000001AE30000-0x000000001AE80000-memory.dmp

Filesize
320KB

Download
memory/4448-67-0x000000001ADA0000-0x000000001ADBC000-memory.dmp

Filesize
112KB

Download
memory/4448-65-0x00000000025A0000-0x00000000025AE000-memory.dmp

Filesize
56KB

Download
memory/4448-63-0x0000000000090000-0x0000000000280000-memory.dmp

Filesize
1.9MB

Download
memory/4448-76-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

Filesize
48KB

Download
memory/4796-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5112-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download