dcrat | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9

Resubmissions

14-01-2025 04:25

250114-e2erasypan 10

14-01-2025 03:06

250114-dl14xsxmdn 10

Analysis

max time kernel
900s
max time network
890s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Size

3.3MB
MD5

c883ea559bee9a0cb393aa32dcaf5d80
SHA1

995dfd0d9d504bec628e7d7297962677d8ab32cb
SHA256

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9
SHA512

9ee8ef8a9912b14bcbeb3c13b2670c92eecc17c4a8a719d6bd9935f17239a244457e2f711c01e374febd767c866d6c563bad97e687680919ca0c017d738626ee
SSDEEP

98304:db5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8N7:hMyqKM1TogtqT44NN7

Score

10^/10

dcrat discovery evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Windows\\Branding\\Basebrd\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Windows\\Branding\\Basebrd\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\System.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Windows\\Branding\\Basebrd\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\System.exe\", \"C:\\Users\\Default User\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Windows\\Branding\\Basebrd\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\System.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Windows\\Branding\\Basebrd\\en-US\\cmd.exe\""	containerReview.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1404	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1404	schtasks.exe	44

Executes dropped EXE 64 IoCs

pid	Process
1956	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2380	icsys.icn.exe
2104	explorer.exe
2868	spoolsv.exe
2716	svchost.exe
2712	spoolsv.exe
2700	containerReview.exe
2704	spoolsv.exe
2972	spoolsv.exe
2376	spoolsv.exe
1912	spoolsv.exe
2568	spoolsv.exe
2628	spoolsv.exe
2512	spoolsv.exe
1916	spoolsv.exe
1628	spoolsv.exe
2524	spoolsv.exe
624	spoolsv.exe
1280	spoolsv.exe
1256	spoolsv.exe
992	spoolsv.exe
2788	spoolsv.exe
1968	spoolsv.exe
2792	spoolsv.exe
2840	spoolsv.exe
2080	spoolsv.exe
1940	spoolsv.exe
2608	spoolsv.exe
2728	spoolsv.exe
956	spoolsv.exe
2668	containerReview.exe
2708	System.exe
1584	spoolsv.exe
2836	System.exe
444	spoolsv.exe
3028	spoolsv.exe
1388	spoolsv.exe
1616	spoolsv.exe
2212	spoolsv.exe
1996	spoolsv.exe
2052	spoolsv.exe
2596	spoolsv.exe
2952	spoolsv.exe
920	spoolsv.exe
1132	explorer.exe
1904	spoolsv.exe
996	spoolsv.exe
896	spoolsv.exe
1636	spoolsv.exe
2860	spoolsv.exe
2652	spoolsv.exe
2564	spoolsv.exe
2400	spoolsv.exe
2336	spoolsv.exe
2216	spoolsv.exe
1524	spoolsv.exe
2976	spoolsv.exe
1600	spoolsv.exe
2500	spoolsv.exe
2448	containerReview.exe
2372	System.exe
2228	spoolsv.exe
2920	System.exe
2064	System.exe

Loads dropped DLL 8 IoCs

pid	Process
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2380	icsys.icn.exe
2104	explorer.exe
2868	spoolsv.exe
2716	svchost.exe
2940	cmd.exe
2940	cmd.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\spoolsv.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Branding\\Basebrd\\en-US\\cmd.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\System.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\System.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\spoolsv.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Branding\\Basebrd\\en-US\\cmd.exe\""	containerReview.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File created	\??\c:\Windows\System32\CSC41D329FBDA134AEDBF8910DA6CF3C83.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1956	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\5940a34987c991	containerReview.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe	containerReview.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\27d1bcfc3c54e0	containerReview.exe
File created	C:\Program Files (x86)\Windows Media Player\dllhost.exe	containerReview.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File created	C:\Windows\Branding\Basebrd\en-US\cmd.exe	containerReview.exe
File created	C:\Windows\Branding\Basebrd\en-US\ebf1f9fa8afd6d	containerReview.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\tjcm.cmn	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 39 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2004	PING.EXE
1976	PING.EXE
2880	PING.EXE
3108	PING.EXE
3044	PING.EXE
984	PING.EXE
2768	PING.EXE
2804	PING.EXE
1724	PING.EXE
3000	PING.EXE
2468	PING.EXE
1496	PING.EXE
2148	PING.EXE
2292	PING.EXE
2612	PING.EXE
2560	PING.EXE
3016	PING.EXE
1016	PING.EXE
2820	PING.EXE
1900	PING.EXE
1624	PING.EXE
1004	PING.EXE
2236	PING.EXE
2892	PING.EXE
1452	PING.EXE
2864	PING.EXE
748	PING.EXE
2488	PING.EXE
3464	PING.EXE
1028	PING.EXE
2824	PING.EXE
1684	PING.EXE
2908	PING.EXE
2964	PING.EXE
2012	PING.EXE
2264	PING.EXE
1992	PING.EXE
3600	PING.EXE
1960	PING.EXE

Runs ping.exe 1 TTPs 39 IoCs

Remote System Discovery

T1018

pid	Process
1724	PING.EXE
2264	PING.EXE
2004	PING.EXE
2560	PING.EXE
3000	PING.EXE
1452	PING.EXE
2880	PING.EXE
1004	PING.EXE
1016	PING.EXE
1028	PING.EXE
2824	PING.EXE
1976	PING.EXE
2864	PING.EXE
1960	PING.EXE
2148	PING.EXE
1684	PING.EXE
2292	PING.EXE
1900	PING.EXE
3044	PING.EXE
2908	PING.EXE
2964	PING.EXE
2488	PING.EXE
3108	PING.EXE
3464	PING.EXE
2468	PING.EXE
3016	PING.EXE
1624	PING.EXE
3600	PING.EXE
2612	PING.EXE
2236	PING.EXE
1496	PING.EXE
748	PING.EXE
2768	PING.EXE
1992	PING.EXE
2820	PING.EXE
2892	PING.EXE
984	PING.EXE
2012	PING.EXE
2804	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1972	schtasks.exe
888	schtasks.exe
2544	schtasks.exe
1772	schtasks.exe
2780	schtasks.exe
296	schtasks.exe
2760	schtasks.exe
2424	schtasks.exe
1472	schtasks.exe
940	schtasks.exe
2232	schtasks.exe
1948	schtasks.exe
1796	schtasks.exe
2060	schtasks.exe
2960	schtasks.exe
528	schtasks.exe
552	schtasks.exe
2284	schtasks.exe
2308	schtasks.exe
264	schtasks.exe
3268	schtasks.exe
1840	schtasks.exe
3052	schtasks.exe
2176	schtasks.exe
1012	schtasks.exe
1760	schtasks.exe
4064	schtasks.exe
680	schtasks.exe
2076	schtasks.exe
1844	schtasks.exe
1792	schtasks.exe
2024	schtasks.exe
2688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1956	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2104	explorer.exe
2716	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	containerReview.exe
Token: SeDebugPrivilege	2704	spoolsv.exe
Token: SeDebugPrivilege	2972	spoolsv.exe
Token: SeDebugPrivilege	2376	spoolsv.exe
Token: SeDebugPrivilege	1912	spoolsv.exe
Token: SeDebugPrivilege	2568	spoolsv.exe
Token: SeDebugPrivilege	2628	spoolsv.exe
Token: SeDebugPrivilege	2512	spoolsv.exe
Token: SeDebugPrivilege	1916	spoolsv.exe
Token: SeDebugPrivilege	1628	spoolsv.exe
Token: SeDebugPrivilege	2524	spoolsv.exe
Token: SeDebugPrivilege	624	spoolsv.exe
Token: SeDebugPrivilege	1280	spoolsv.exe
Token: SeDebugPrivilege	1256	spoolsv.exe
Token: SeDebugPrivilege	992	spoolsv.exe
Token: SeDebugPrivilege	2788	spoolsv.exe
Token: SeDebugPrivilege	1968	spoolsv.exe
Token: SeDebugPrivilege	2792	spoolsv.exe
Token: SeDebugPrivilege	2840	spoolsv.exe
Token: SeDebugPrivilege	2080	spoolsv.exe
Token: SeDebugPrivilege	1940	spoolsv.exe
Token: SeDebugPrivilege	2608	spoolsv.exe
Token: SeDebugPrivilege	2728	spoolsv.exe
Token: SeDebugPrivilege	956	spoolsv.exe
Token: SeDebugPrivilege	2708	System.exe
Token: SeDebugPrivilege	2668	containerReview.exe
Token: SeDebugPrivilege	1584	spoolsv.exe
Token: SeDebugPrivilege	2836	System.exe
Token: SeDebugPrivilege	444	spoolsv.exe
Token: SeDebugPrivilege	3028	spoolsv.exe
Token: SeDebugPrivilege	1388	spoolsv.exe
Token: SeDebugPrivilege	1616	spoolsv.exe
Token: SeDebugPrivilege	2212	spoolsv.exe
Token: SeDebugPrivilege	1996	spoolsv.exe
Token: SeDebugPrivilege	2052	spoolsv.exe
Token: SeDebugPrivilege	2596	spoolsv.exe
Token: SeDebugPrivilege	2952	spoolsv.exe
Token: SeDebugPrivilege	920	spoolsv.exe
Token: SeDebugPrivilege	1132	explorer.exe
Token: SeDebugPrivilege	1904	spoolsv.exe
Token: SeDebugPrivilege	996	spoolsv.exe
Token: SeDebugPrivilege	896	spoolsv.exe
Token: SeDebugPrivilege	1636	spoolsv.exe
Token: SeDebugPrivilege	2860	spoolsv.exe
Token: SeDebugPrivilege	2652	spoolsv.exe
Token: SeDebugPrivilege	2564	spoolsv.exe
Token: SeDebugPrivilege	2400	spoolsv.exe
Token: SeDebugPrivilege	2336	spoolsv.exe
Token: SeDebugPrivilege	2216	spoolsv.exe
Token: SeDebugPrivilege	1524	spoolsv.exe
Token: SeDebugPrivilege	2976	spoolsv.exe
Token: SeDebugPrivilege	1600	spoolsv.exe
Token: SeDebugPrivilege	2500	spoolsv.exe
Token: SeDebugPrivilege	2372	System.exe
Token: SeDebugPrivilege	2448	containerReview.exe
Token: SeDebugPrivilege	2228	spoolsv.exe
Token: SeDebugPrivilege	2920	System.exe
Token: SeDebugPrivilege	2064	System.exe
Token: SeDebugPrivilege	1576	System.exe
Token: SeDebugPrivilege	2744	System.exe
Token: SeDebugPrivilege	1420	System.exe
Token: SeDebugPrivilege	2532	dllhost.exe
Token: SeDebugPrivilege	1964	System.exe
Token: SeDebugPrivilege	1612	System.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1956	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2104	explorer.exe
2104	explorer.exe
2868	spoolsv.exe
2868	spoolsv.exe
2716	svchost.exe
2716	svchost.exe
2712	spoolsv.exe
2712	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1956	2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	30
PID 2392 wrote to memory of 1956	2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	30
PID 2392 wrote to memory of 1956	2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	30
PID 2392 wrote to memory of 1956	2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	30
PID 2392 wrote to memory of 2380	2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	31
PID 2392 wrote to memory of 2380	2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	31
PID 2392 wrote to memory of 2380	2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	31
PID 2392 wrote to memory of 2380	2392	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	31
PID 2380 wrote to memory of 2104	2380	icsys.icn.exe	32
PID 2380 wrote to memory of 2104	2380	icsys.icn.exe	32
PID 2380 wrote to memory of 2104	2380	icsys.icn.exe	32
PID 2380 wrote to memory of 2104	2380	icsys.icn.exe	32
PID 2104 wrote to memory of 2868	2104	explorer.exe	33
PID 2104 wrote to memory of 2868	2104	explorer.exe	33
PID 2104 wrote to memory of 2868	2104	explorer.exe	33
PID 2104 wrote to memory of 2868	2104	explorer.exe	33
PID 2868 wrote to memory of 2716	2868	spoolsv.exe	34
PID 2868 wrote to memory of 2716	2868	spoolsv.exe	34
PID 2868 wrote to memory of 2716	2868	spoolsv.exe	34
PID 2868 wrote to memory of 2716	2868	spoolsv.exe	34
PID 1956 wrote to memory of 2624	1956	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	35
PID 1956 wrote to memory of 2624	1956	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	35
PID 1956 wrote to memory of 2624	1956	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	35
PID 1956 wrote to memory of 2624	1956	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	35
PID 2716 wrote to memory of 2712	2716	svchost.exe	36
PID 2716 wrote to memory of 2712	2716	svchost.exe	36
PID 2716 wrote to memory of 2712	2716	svchost.exe	36
PID 2716 wrote to memory of 2712	2716	svchost.exe	36
PID 2104 wrote to memory of 2720	2104	explorer.exe	37
PID 2104 wrote to memory of 2720	2104	explorer.exe	37
PID 2104 wrote to memory of 2720	2104	explorer.exe	37
PID 2104 wrote to memory of 2720	2104	explorer.exe	37
PID 2716 wrote to memory of 2176	2716	svchost.exe	38
PID 2716 wrote to memory of 2176	2716	svchost.exe	38
PID 2716 wrote to memory of 2176	2716	svchost.exe	38
PID 2716 wrote to memory of 2176	2716	svchost.exe	38
PID 2624 wrote to memory of 2940	2624	WScript.exe	41
PID 2624 wrote to memory of 2940	2624	WScript.exe	41
PID 2624 wrote to memory of 2940	2624	WScript.exe	41
PID 2624 wrote to memory of 2940	2624	WScript.exe	41
PID 2940 wrote to memory of 2700	2940	cmd.exe	43
PID 2940 wrote to memory of 2700	2940	cmd.exe	43
PID 2940 wrote to memory of 2700	2940	cmd.exe	43
PID 2940 wrote to memory of 2700	2940	cmd.exe	43
PID 2700 wrote to memory of 2020	2700	containerReview.exe	48
PID 2700 wrote to memory of 2020	2700	containerReview.exe	48
PID 2700 wrote to memory of 2020	2700	containerReview.exe	48
PID 2020 wrote to memory of 1092	2020	csc.exe	50
PID 2020 wrote to memory of 1092	2020	csc.exe	50
PID 2020 wrote to memory of 1092	2020	csc.exe	50
PID 2700 wrote to memory of 792	2700	containerReview.exe	66
PID 2700 wrote to memory of 792	2700	containerReview.exe	66
PID 2700 wrote to memory of 792	2700	containerReview.exe	66
PID 792 wrote to memory of 1528	792	cmd.exe	68
PID 792 wrote to memory of 1528	792	cmd.exe	68
PID 792 wrote to memory of 1528	792	cmd.exe	68
PID 792 wrote to memory of 1028	792	cmd.exe	69
PID 792 wrote to memory of 1028	792	cmd.exe	69
PID 792 wrote to memory of 1028	792	cmd.exe	69
PID 792 wrote to memory of 2704	792	cmd.exe	71
PID 792 wrote to memory of 2704	792	cmd.exe	71
PID 792 wrote to memory of 2704	792	cmd.exe	71
PID 2704 wrote to memory of 2872	2704	spoolsv.exe	72
PID 2704 wrote to memory of 2872	2704	spoolsv.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- \??\c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
  c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession/containerReview.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mk2xsbgc\mk2xsbgc.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB25E.tmp" "c:\Windows\System32\CSC41D329FBDA134AEDBF8910DA6CF3C83.TMP"
        7⤵
        
        PID:1092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2e16WBON6E.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wykhLflpMg.bat"
        8⤵
        
        PID:2872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1988
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LoBiefy8ZI.bat"
        10⤵
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2096
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aj397jMwN3.bat"
        12⤵
        
        PID:684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:840
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jpLz1yvSlu.bat"
        14⤵
        
        PID:924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L4pr7KvdK9.bat"
        16⤵
        
        PID:2616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2752
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B5GxaJWFI4.bat"
        18⤵
        
        PID:1260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2988
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e4kjvfRyFL.bat"
        20⤵
        
        PID:1284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat"
        22⤵
        
        PID:1480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\84x6wBxxuC.bat"
        24⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2824
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7gEkM0BkJD.bat"
        26⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2932
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4XCyKdTKaY.bat"
        28⤵
        
        PID:236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fp8c0TPT53.bat"
        30⤵
        
        PID:2260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJRdaZOVrD.bat"
        32⤵
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9fn0Ky9lyW.bat"
        34⤵
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TqMgut2j0M.bat"
        36⤵
        
        PID:1580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:2240
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnlL3aVnrp.bat"
        38⤵
        
        PID:1252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:2748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2612
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat"
        40⤵
        
        PID:2756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bqMLTwU6O8.bat"
        42⤵
        
        PID:980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bgR6NVhjy4.bat"
        44⤵
        
        PID:1008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:1572
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I19jVKSgi3.bat"
        46⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:2348
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oUDKk3Fowg.bat"
        48⤵
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:2016
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5pDZHTGxN.bat"
        50⤵
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:1448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:1648
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HnJb1ZSpW8.bat"
        52⤵
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1900
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ec6WH18BjC.bat"
        54⤵
        
        PID:968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1976
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ZZGHVO0om.bat"
        56⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1496
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat"
        58⤵
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:2996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h0hx9QknVf.bat"
        60⤵
        
        PID:1564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        61⤵
        
        PID:1768
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2380
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2868
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2712
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:32 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:33 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1792
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:34 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:35 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:940
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:36 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2024
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:37 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1012
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:38 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:39 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2308
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:40 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:41 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:42 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:264
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:43 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1760
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:44 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2424
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:45 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3268
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:46 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4064
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 14 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 5 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\taskeng.exe
taskeng.exe {7ACEF4A0-427E-44CD-9785-5C026F33CD0A} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
PID:744
- C:\blockcomSession\containerReview.exe
  C:\blockcomSession\containerReview.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QcyIS95rA8.bat"
    3⤵
    PID:2800
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1904
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2344
  - - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
      "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2836
- C:\Users\Public\spoolsv.exe
  C:\Users\Public\spoolsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dxSYZSKoEG.bat"
    3⤵
    PID:2328
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:576
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2936
  - - C:\Users\Public\spoolsv.exe
      "C:\Users\Public\spoolsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qeUrZkilq6.bat"
        5⤵
        
        PID:2640
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2848
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
      - C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5ynp54EAe.bat"
        7⤵
        
        PID:1176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2396
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IMqqsTTOd.bat"
        9⤵
        
        PID:1172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2908
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vs6Gb3dzjw.bat"
        11⤵
        
        PID:1188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2368
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lOMsQrAcGI.bat"
        13⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:576
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qp3qGlURdT.bat"
        15⤵
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1452
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zasSNaUvot.bat"
        17⤵
        
        PID:1544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3056
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1pharLUl0n.bat"
        19⤵
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2924
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fhkx1dF1Mw.bat"
        21⤵
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2560
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0RyEHAiYPp.bat"
        23⤵
        
        PID:2192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1624
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sChiDKEMVQ.bat"
        25⤵
        
        PID:2956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NbfRo2XZmG.bat"
        27⤵
        
        PID:1592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6gfTO1Diev.bat"
        29⤵
        
        PID:1400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1196
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lnXy25yoCy.bat"
        31⤵
        
        PID:1020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:984
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat"
        33⤵
        
        PID:2692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2548
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2vzlDYcv1s.bat"
        35⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:748
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GogtzRNUlL.bat"
        37⤵
        
        PID:2712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2768
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NqvJKoZOIs.bat"
        39⤵
        
        PID:2828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:1728
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ZUpyl1cxR.bat"
        41⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        42⤵
        
        PID:1568
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
- C:\Users\Default User\explorer.exe
  "C:\Users\Default User\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\blockcomSession\containerReview.exe
  C:\blockcomSession\containerReview.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R64HSi6Xsg.bat"
    3⤵
    PID:664
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1992
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2880
  - - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
      "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat"
        5⤵
        
        PID:2224
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2036
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1548
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RNhQwN31dW.bat"
        7⤵
        
        PID:2848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1504
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s6L5myzuOs.bat"
        9⤵
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3064
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\72DWG1NhBc.bat"
        11⤵
        
        PID:1296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1992
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat"
        13⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2964
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat"
        15⤵
        
        PID:328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2488
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5cqYlxHIW.bat"
        17⤵
        
        PID:2528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        18⤵
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\utpnwKYKap.bat"
        19⤵
        
        PID:1268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        20⤵
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jlnOMvOYTO.bat"
        21⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2516
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        22⤵
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\va0LlUybli.bat"
        23⤵
        
        PID:1532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2148
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        24⤵
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aYLtGzs08v.bat"
        25⤵
        
        PID:2256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        26⤵
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5cqYlxHIW.bat"
        27⤵
        
        PID:1336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:616
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        28⤵
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\utpnwKYKap.bat"
        29⤵
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        30⤵
        
        PID:3156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z63w1kYtFS.bat"
        31⤵
        
        PID:3324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:3368
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        32⤵
        
        PID:3624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HhxybCDMPZ.bat"
        33⤵
        
        PID:3796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:3840
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        34⤵
        
        PID:3872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat"
        35⤵
        
        PID:4076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:3076
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
        36⤵
        
        PID:2340
- C:\Program Files (x86)\Windows Media Player\dllhost.exe
  "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Users\Public\spoolsv.exe
  C:\Users\Public\spoolsv.exe
  2⤵
  PID:1596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat"
    3⤵
    PID:2296
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1720
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1540
  - - C:\Users\Public\spoolsv.exe
      "C:\Users\Public\spoolsv.exe"
      4⤵
      PID:3020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yRPxJCkWkW.bat"
        5⤵
        
        PID:2220
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2472
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2804
      - C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        6⤵
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\thAzAlBiSC.bat"
        7⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2764
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        8⤵
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UgSSpTGNbI.bat"
        9⤵
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3108
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        10⤵
        
        PID:3388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z03YznJ6kZ.bat"
        11⤵
        
        PID:3560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3600
        
        C:\Users\Public\spoolsv.exe
        
        "C:\Users\Public\spoolsv.exe"
        12⤵
        
        PID:3900
- C:\Windows\Branding\Basebrd\en-US\cmd.exe
  C:\Windows\Branding\Basebrd\en-US\cmd.exe
  2⤵
  PID:2456
- C:\Users\Default User\explorer.exe
  "C:\Users\Default User\explorer.exe"
  2⤵
  PID:3448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfaLCNk3Y7.bat"
    3⤵
    PID:3668
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3728
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3708
  - - C:\Users\Default User\explorer.exe
      "C:\Users\Default User\explorer.exe"
      4⤵
      PID:3792
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UeH86Hd8X1.bat"
        5⤵
        
        PID:3868
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3932
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4004
      - C:\Users\Default User\explorer.exe
        
        "C:\Users\Default User\explorer.exe"
        6⤵
        
        PID:3888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2oGrqKSnf6.bat"
        7⤵
        
        PID:3104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1408
        
        C:\Users\Default User\explorer.exe
        
        "C:\Users\Default User\explorer.exe"
        8⤵
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EdToEt2qxP.bat"
        9⤵
        
        PID:3160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3116
        
        C:\Users\Default User\explorer.exe
        
        "C:\Users\Default User\explorer.exe"
        10⤵
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2JnastWSjL.bat"
        11⤵
        
        PID:3528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3464
        
        C:\Users\Default User\explorer.exe
        
        "C:\Users\Default User\explorer.exe"
        12⤵
        
        PID:3744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u6uLkwxv3A.bat"
        13⤵
        
        PID:3932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4072
        
        C:\Users\Default User\explorer.exe
        
        "C:\Users\Default User\explorer.exe"
        14⤵
        
        PID:4024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnlL3aVnrp.bat"
        15⤵
        
        PID:3904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1960
        
        C:\Users\Default User\explorer.exe
        
        "C:\Users\Default User\explorer.exe"
        16⤵
        
        PID:3276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\50TwasnRS2.bat"
        17⤵
        
        PID:3728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3376
        
        C:\Users\Default User\explorer.exe
        
        "C:\Users\Default User\explorer.exe"
        18⤵
        
        PID:3400
- C:\blockcomSession\containerReview.exe
  C:\blockcomSession\containerReview.exe
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe
  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System.exe"
  2⤵
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2e16WBON6E.bat

Filesize
155B

MD5
3426c5cf874a72de6aed2bbea050cd86

SHA1
ca514ed088153fdc4d409c659462d6066c5a437a

SHA256
5564eb7cc73e9eb4f466e5d3082b78b89845a0795ffd9b7e59e4b64f8ae97ad9

SHA512
4b07a89869204906067580a2f6cca271ff06ad02d309f7380fbd02199e9cbec5559c4816fa532359cc9271a3dc60436f6892a559cbe93bb7e5836cbcd44b97d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4XCyKdTKaY.bat

Filesize
155B

MD5
54407761091fb2b3e0bdc5f8fcfdfbf4

SHA1
8582a652713b8888e12db1c55f5f4534ab793755

SHA256
97e4ae6e35559169bd0f3bf7b3fde2e5f5c5f742aa1c750cd6994b530ecb4a57

SHA512
db8cbd27e47fb24a2e8ab1c327b3a028f27989d4cbfe779ce7a13427b738e22731e61627cfb2ce63774e2943e8172922f0113224c6919e5b6b0629a77fe73193

Download Submit
C:\Users\Admin\AppData\Local\Temp\7gEkM0BkJD.bat

Filesize
203B

MD5
130d3cf41d54ec1786b8a0e626bf75e6

SHA1
b1dcbe7f0ac6fb8c5a3f9ac019789ef3fd5c8ce8

SHA256
942df11bb717f4bf9b2765587be7cbfd052fd77692c09d7d13e4956eec58e078

SHA512
6dceffce93166c1810989a23717aec09892f3b1c3a4dda84545342999fd2bc0a4b466e8208e28dbe45882724f60b9e3905f28328c2babbcd06c883345a2890d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\84x6wBxxuC.bat

Filesize
155B

MD5
44e6fa731ac08986ff0c7958dc93a461

SHA1
13440b497a196fa4e02c67f8235367ad6c355a3b

SHA256
715f5fb066c6dd58700fe99a4b8fe0d9830b77a4e08305514eeb3678983e661e

SHA512
ebcf89c8fe253a7bdfdd87dcad5bf253efd440adee0416a96eb99e38d04e03ee092a2a26be7e66b7be6e45efdd3c05fa23888e171fea0899dbf4860106a8e018

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5GxaJWFI4.bat

Filesize
203B

MD5
421b2da99af4afdd33ba59c0b275dd98

SHA1
bae9c80e98a026cc21167bb727869267fe31a544

SHA256
13cb34a46ceadf196be9c85cf77d53579f4fac469bc33ac72df69dc48b683864

SHA512
8deec45fb2f33793d5718cf621f581c3b84562663ef6c0e62be550d33f666474dabfcd7e0e183111667bb89eff315b808f89a916f531744bbee90ff9f4eedff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fp8c0TPT53.bat

Filesize
155B

MD5
6ad11225ed8b19476fbe0b217a22c167

SHA1
e7cdce04a77c53d073935fcfe277ef99b4f17b94

SHA256
5e295933839eeb1296f331384c10dc5dedf2fa0d88fbf76cf517ca67e429e7a0

SHA512
13ed3648eed28047b8e774114328d5197ef52c26715494d675c8ad4f3ace2245142df3d9a859d031bbe573d6d21b41e1e59ea017b482ab053693d47070176cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4pr7KvdK9.bat

Filesize
203B

MD5
cc938efd2b0b3cfd7ac6616cc2580b96

SHA1
ecea92032bd22ede89ac3954252f34eced3bc2dc

SHA256
6878753af2d70dbfc82b29923c1cd31cc09b31de5429332073033ec9132ab129

SHA512
829081faf369f4f2038208750ad230d980d260a68ce4a6840a0c02a0e5526a6521a87a8fc6481df79e2e3c0b7b280d39b4224594dea4ba5db8bc276c64b27fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoBiefy8ZI.bat

Filesize
203B

MD5
78b767027b44882ced0a7f78331d55d2

SHA1
9d2ca185d30d664072f85af53a991bfd60eeb655

SHA256
f59f56a77ba9bb202f842ec4edddee43c36e391f487a03fbaf1fde5bdc1a49eb

SHA512
9000f593fd42458c44a6faa42d19ff5196483aee99a0b03b09ca9c6963420e146b58f50b8e048cd982b0b96ccd88533777353b17981ab91e82cee7a43bdd85e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat

Filesize
155B

MD5
f77f0c3f9100f6c2e47ad264af74f2b8

SHA1
175aa34f87176790933ac9094370c17b0ad75682

SHA256
a90e6eb9f05ae14d81a396c2197cdfed1f4ec924928e27d5404f8b2594be9b62

SHA512
2ec6b03471438c903c9f00d1e73a109eeaef8341b1b3305a08dc2e04d1cbddb5cf66b6c1a2a2d1fbf16b4963b8c719e36a6f61711783cc2fd32f86ad4a590462

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB25E.tmp

Filesize
1KB

MD5
6239b9300c0032f39635c56838f42493

SHA1
3a9c50b7ad35c1a453be21700eb1dd2bdef57ba2

SHA256
8aca4ec8d9d64764eb2711f65f2e3257e30c5d02682bbf423db0718cc51078d6

SHA512
9e418e331dc00f9493bad5ba31b5c186dbb4f5083f4610db80deba714629f26ea18d553b47436f5ad11af773e1dda1f3639f607dc2ed689a0969d5f39da4eb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\aj397jMwN3.bat

Filesize
203B

MD5
8a791b91e073f0b3a0742f5a59429955

SHA1
3fa0ae921a061e01eda6de9da4e87b1f29e474eb

SHA256
c7a94ade2a921e86bbdfb47d1e3a919e238ef924946d672de22d4ead269b0c54

SHA512
2f3df8fbbbd161b4bca6a63852d73a002ce6f3d11b2a198bb4f5c7c45f17e2de250209ab4d3ca7ecaccac83ddce37156322d86d21a245cb1c5e37e5ad2b6e367

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4kjvfRyFL.bat

Filesize
155B

MD5
8f279d714452994dfd6f2d3ea23b9a0e

SHA1
e4a775babc82069a938b23f7c4af0a922c1e73b2

SHA256
47d44a3a5370f85c65c0c975b773d9f6d9c0e796fc9ad1e67b1e43cfb04d3bc5

SHA512
23bb6b187dd796e199f3f839e69afbec86fad451758aaa2ca100b9b687b643cf441a2118537751cf10a90c39ae1a2e3fce6add081eadd2bbcdb179f5ef5507f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpLz1yvSlu.bat

Filesize
155B

MD5
4eb458ab6e4f1aecf4b263e9bb47adb4

SHA1
d6cef349b71770a7a4af9ba0cbd8b2c659904112

SHA256
b221f8f7452c7f079abf6c11588d9d681fe6afdf3cf2a87e7b462f6503b94d83

SHA512
0f2b68c0ce01ccd9f1ad6cea0da0458239e28042cb7a14bab089052deba7c15fd8b34bedda066815cd5efef288854e5bb54028d25a089d005016704733a02573

Download Submit
C:\Users\Admin\AppData\Local\Temp\wykhLflpMg.bat

Filesize
203B

MD5
079ff9ed231d989838d02f1c6ad06c39

SHA1
437a61f921582d89b208451bf9ea7dd16a1ae530

SHA256
801c91360933dacd927caa186d1bb9287d40f35c581c60b907b6fa9736cebefd

SHA512
8ac6e39cf132ff6e3c4e52b6b72be2c2940a3701344bb9651c8fc6ad967c8b3897577664a974d67400d350930fc3d100eba15b223ad2f13c2eaa430534556afe

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
0cb9e42f70cdef75b96c5cc4886b1fe3

SHA1
e2f1d71979497ff1f31afab319e8f20af2afa8e3

SHA256
12309b401a35fc93ff33d6992d29cb9bb4e503b65fbbd1824b64c4ea8a04909d

SHA512
6c10663f493f95ed1b281ff53c4e60e1fa1fc7c80cd841933a4dd18d866ca1c5d84ad8fea4e5a1096dec2acdac271fd324a1b96f6be16062d865151e3bf4637a

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
C:\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mk2xsbgc\mk2xsbgc.0.cs

Filesize
359B

MD5
4c54da02f5d71adefe1d57095e497bb9

SHA1
a6dc7d8fe72ae62cbe9992896846aa0f4c3334a7

SHA256
657f61dacbc4a1fbc6da442e6637c85dcd0945d7046c575df0575c1d29a6b246

SHA512
203f74fd743f95537ff501e3c7f81ff7927bc6a00f2946f30c17c773e8734c6eebc99805ea6b59f079ecbf58bd9ab26d98f345af9033e7842e49258214c75c7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mk2xsbgc\mk2xsbgc.cmdline

Filesize
235B

MD5
a57d1b0443e189546d8a35a0a62d3d24

SHA1
0654c53a37387f319d2466c13edefab4bc6a3608

SHA256
a96ccb36bc0927ffb78fcb99e7de487ccdd34e9bceca51d03227667ef001be5f

SHA512
c2efee3071202b253ef5c5b3bd9af44662dedb46950bc32eb86caf7a3bfa91af9e72a3b87ed98cb7004ed9ffb155b5862d66f3540c5b842686828df4fb2b5e4f

Download Submit
\??\c:\Windows\System32\CSC41D329FBDA134AEDBF8910DA6CF3C83.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Filesize
3.2MB

MD5
a7040b85fc683f088f4c6e5b44052c43

SHA1
7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66

SHA256
b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

SHA512
e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d36cc2935ae0e7a5d2936db589a9b8cc

SHA1
082bd58c0ad60fa4783b63a4f681a5c5fad8e1a6

SHA256
4c93adb50768feb3cdea95f1fedc5d6fdc262d59f12c4b66601d377e2709c2e3

SHA512
547452ba0de7c8ebeec8e4bb2d916c7a881b6743e6d1fb6d2761a202b7cf5bb30c3f541957de70c584b46b7171f3f20338b4985341829b408c366aeaeced9290

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
57933399e7087b52748e21c5d46b61a7

SHA1
365d81f0b3fb5517d241a0ab98660fa477bd739c

SHA256
013ebfa8b90f90afc26537fe9c195d5129b9ab42ebebbb7945560b67ec7ef0c9

SHA512
b0aa6aaef2fc21082a4779045c943ab53136e9c64d6b50a929a274f5e199db13ea0598ec30906bdf5528dc265b10f8b9f6ca159b3a560f7b3b5cc3fed1c99218

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
62888d2a34dbbbbc9acb6f95efdcdcd3

SHA1
24a6e6b40c89b853bc06de5ec74e43632f3033d8

SHA256
301b033196282e92073b73332f936c909cbb09b7bd7ba6111f59c0a1750d1c71

SHA512
b5acb3c6f45698e3944dcc3e767ab826303f4141d9836494d7861d63c0f1e3e569dd732f8db9e1994031694192685b59e9a44476bbe2833f8dbc58abd6ab6677

Download Submit
memory/444-425-0x0000000000290000-0x0000000000480000-memory.dmp

Filesize
1.9MB

Download
memory/624-255-0x0000000000820000-0x0000000000A10000-memory.dmp

Filesize
1.9MB

Download
memory/896-544-0x0000000000CC0000-0x0000000000EB0000-memory.dmp

Filesize
1.9MB

Download
memory/920-510-0x0000000000C80000-0x0000000000E70000-memory.dmp

Filesize
1.9MB

Download
memory/956-391-0x00000000003A0000-0x0000000000590000-memory.dmp

Filesize
1.9MB

Download
memory/992-293-0x0000000000D80000-0x0000000000F70000-memory.dmp

Filesize
1.9MB

Download
memory/996-533-0x0000000000A20000-0x0000000000C10000-memory.dmp

Filesize
1.9MB

Download
memory/1132-517-0x0000000000B70000-0x0000000000D60000-memory.dmp

Filesize
1.9MB

Download
memory/1256-282-0x0000000000BD0000-0x0000000000DC0000-memory.dmp

Filesize
1.9MB

Download
memory/1280-268-0x0000000000160000-0x0000000000350000-memory.dmp

Filesize
1.9MB

Download
memory/1388-447-0x00000000013E0000-0x00000000015D0000-memory.dmp

Filesize
1.9MB

Download
memory/1524-630-0x0000000000C90000-0x0000000000E80000-memory.dmp

Filesize
1.9MB

Download
memory/1584-414-0x0000000000260000-0x0000000000450000-memory.dmp

Filesize
1.9MB

Download
memory/1596-787-0x0000000000E20000-0x0000000001010000-memory.dmp

Filesize
1.9MB

Download
memory/1628-229-0x0000000001030000-0x0000000001220000-memory.dmp

Filesize
1.9MB

Download
memory/1632-819-0x0000000000AE0000-0x0000000000CD0000-memory.dmp

Filesize
1.9MB

Download
memory/1636-555-0x00000000012A0000-0x0000000001490000-memory.dmp

Filesize
1.9MB

Download
memory/1904-522-0x0000000000330000-0x0000000000520000-memory.dmp

Filesize
1.9MB

Download
memory/1912-161-0x0000000001140000-0x0000000001330000-memory.dmp

Filesize
1.9MB

Download
memory/1916-215-0x0000000000E00000-0x0000000000FF0000-memory.dmp

Filesize
1.9MB

Download
memory/1956-11-0x0000000000C70000-0x0000000001051000-memory.dmp

Filesize
3.9MB

Download
memory/1956-59-0x0000000000C70000-0x0000000001051000-memory.dmp

Filesize
3.9MB

Download
memory/1968-315-0x0000000000100000-0x00000000002F0000-memory.dmp

Filesize
1.9MB

Download
memory/2064-695-0x0000000000AB0000-0x0000000000CA0000-memory.dmp

Filesize
1.9MB

Download
memory/2080-348-0x0000000000A90000-0x0000000000C80000-memory.dmp

Filesize
1.9MB

Download
memory/2104-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2104-193-0x00000000004C0000-0x00000000004DF000-memory.dmp

Filesize
124KB

Download
memory/2160-798-0x0000000000030000-0x0000000000220000-memory.dmp

Filesize
1.9MB

Download
memory/2216-619-0x0000000000B00000-0x0000000000CF0000-memory.dmp

Filesize
1.9MB

Download
memory/2228-673-0x0000000000210000-0x0000000000400000-memory.dmp

Filesize
1.9MB

Download
memory/2336-608-0x0000000000250000-0x0000000000440000-memory.dmp

Filesize
1.9MB

Download
memory/2340-903-0x0000000000090000-0x0000000000280000-memory.dmp

Filesize
1.9MB

Download
memory/2376-148-0x0000000001130000-0x0000000001320000-memory.dmp

Filesize
1.9MB

Download
memory/2380-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-26-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/2392-63-0x0000000002AE0000-0x0000000002EC1000-memory.dmp

Filesize
3.9MB

Download
memory/2392-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2392-9-0x0000000002AE0000-0x0000000002EC1000-memory.dmp

Filesize
3.9MB

Download
memory/2392-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2392-15-0x0000000000670000-0x000000000068F000-memory.dmp

Filesize
124KB

Download
memory/2400-597-0x0000000000810000-0x0000000000A00000-memory.dmp

Filesize
1.9MB

Download
memory/2448-672-0x00000000000C0000-0x00000000002B0000-memory.dmp

Filesize
1.9MB

Download
memory/2456-904-0x0000000001090000-0x0000000001280000-memory.dmp

Filesize
1.9MB

Download
memory/2512-202-0x00000000002D0000-0x00000000004C0000-memory.dmp

Filesize
1.9MB

Download
memory/2524-242-0x00000000000B0000-0x00000000002A0000-memory.dmp

Filesize
1.9MB

Download
memory/2532-732-0x00000000009C0000-0x0000000000BB0000-memory.dmp

Filesize
1.9MB

Download
memory/2564-586-0x0000000000120000-0x0000000000310000-memory.dmp

Filesize
1.9MB

Download
memory/2596-488-0x00000000001B0000-0x00000000003A0000-memory.dmp

Filesize
1.9MB

Download
memory/2608-369-0x00000000002B0000-0x00000000004A0000-memory.dmp

Filesize
1.9MB

Download
memory/2664-947-0x00000000001E0000-0x00000000003D0000-memory.dmp

Filesize
1.9MB

Download
memory/2668-403-0x0000000001230000-0x0000000001420000-memory.dmp

Filesize
1.9MB

Download
memory/2700-91-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2700-81-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2700-85-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/2700-87-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2700-83-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2700-79-0x0000000000150000-0x0000000000340000-memory.dmp

Filesize
1.9MB

Download
memory/2700-89-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2704-122-0x0000000000FE0000-0x00000000011D0000-memory.dmp

Filesize
1.9MB

Download
memory/2708-402-0x0000000001330000-0x0000000001520000-memory.dmp

Filesize
1.9MB

Download
memory/2712-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2716-200-0x0000000000390000-0x00000000003AF000-memory.dmp

Filesize
124KB

Download
memory/2716-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2716-64-0x0000000000390000-0x00000000003AF000-memory.dmp

Filesize
124KB

Download
memory/2728-380-0x0000000000060000-0x0000000000250000-memory.dmp

Filesize
1.9MB

Download
memory/2788-304-0x00000000002F0000-0x00000000004E0000-memory.dmp

Filesize
1.9MB

Download
memory/2792-326-0x0000000001180000-0x0000000001370000-memory.dmp

Filesize
1.9MB

Download
memory/2840-337-0x0000000000200000-0x00000000003F0000-memory.dmp

Filesize
1.9MB

Download
memory/2868-55-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2868-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2920-684-0x00000000001A0000-0x0000000000390000-memory.dmp

Filesize
1.9MB

Download
memory/2952-499-0x0000000000C60000-0x0000000000E50000-memory.dmp

Filesize
1.9MB

Download
memory/2972-135-0x0000000000170000-0x0000000000360000-memory.dmp

Filesize
1.9MB

Download
memory/2976-641-0x0000000001250000-0x0000000001440000-memory.dmp

Filesize
1.9MB

Download
memory/3028-436-0x0000000000240000-0x0000000000430000-memory.dmp

Filesize
1.9MB

Download
memory/3128-980-0x0000000000E10000-0x0000000001000000-memory.dmp

Filesize
1.9MB

Download
memory/3212-981-0x00000000008A0000-0x0000000000A90000-memory.dmp

Filesize
1.9MB

Download
memory/3276-978-0x0000000000F80000-0x0000000001170000-memory.dmp

Filesize
1.9MB

Download
memory/3388-870-0x0000000000010000-0x0000000000200000-memory.dmp

Filesize
1.9MB

Download
memory/3448-905-0x0000000000CB0000-0x0000000000EA0000-memory.dmp

Filesize
1.9MB

Download
memory/3792-916-0x0000000000EE0000-0x00000000010D0000-memory.dmp

Filesize
1.9MB

Download
memory/3872-891-0x00000000009F0000-0x0000000000BE0000-memory.dmp

Filesize
1.9MB

Download
memory/3900-892-0x0000000000890000-0x0000000000A80000-memory.dmp

Filesize
1.9MB

Download