dcrat | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9

Resubmissions

14-01-2025 04:25

250114-e2erasypan 10

14-01-2025 03:06

250114-dl14xsxmdn 10

Analysis

max time kernel
900s
max time network
712s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Size

3.3MB
MD5

c883ea559bee9a0cb393aa32dcaf5d80
SHA1

995dfd0d9d504bec628e7d7297962677d8ab32cb
SHA256

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9
SHA512

9ee8ef8a9912b14bcbeb3c13b2670c92eecc17c4a8a719d6bd9935f17239a244457e2f711c01e374febd767c866d6c563bad97e687680919ca0c017d738626ee
SSDEEP

98304:db5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8N7:hMyqKM1TogtqT44NN7

Score

10^/10

dcrat discovery evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\upfc.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\wininit.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\unsecapp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\upfc.exe\""	containerReview.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	1772	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1772	schtasks.exe	95

Checks computer location settings 2 TTPs 53 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 64 IoCs

pid	Process
3964	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2096	icsys.icn.exe
2348	explorer.exe
1168	spoolsv.exe
2364	svchost.exe
3972	spoolsv.exe
5024	containerReview.exe
1808	upfc.exe
400	upfc.exe
1656	upfc.exe
4164	upfc.exe
3452	upfc.exe
1560	upfc.exe
1328	upfc.exe
2260	upfc.exe
1700	upfc.exe
3976	upfc.exe
1628	upfc.exe
2856	upfc.exe
4036	upfc.exe
3532	upfc.exe
3136	upfc.exe
3652	upfc.exe
2256	upfc.exe
4416	upfc.exe
3108	upfc.exe
592	upfc.exe
3620	upfc.exe
1528	upfc.exe
3796	upfc.exe
3504	upfc.exe
1892	upfc.exe
2380	upfc.exe
1420	upfc.exe
3156	upfc.exe
4192	upfc.exe
1928	upfc.exe
4988	upfc.exe
3588	upfc.exe
1908	upfc.exe
3772	upfc.exe
2636	unsecapp.exe
1980	upfc.exe
2504	wininit.exe
540	SearchApp.exe
4524	wininit.exe
3704	upfc.exe
1848	upfc.exe
5080	upfc.exe
4216	upfc.exe
2284	upfc.exe
2268	upfc.exe
2788	upfc.exe
2276	upfc.exe
848	upfc.exe
4380	upfc.exe
4952	upfc.exe
3528	upfc.exe
1064	upfc.exe
4228	unsecapp.exe
3808	csrss.exe
2704	containerReview.exe
760	upfc.exe
4936	csrss.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\unsecapp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\wininit.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\unsecapp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Defender\\it-IT\\upfc.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\wininit.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Defender\\it-IT\\upfc.exe\""	containerReview.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File created	\??\c:\Windows\System32\CSC72561D34D764DE786A95813C8702816.TMP	csc.exe
File created	\??\c:\Windows\System32\xqt5sk.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3964	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\29c1c3cc0f7685	containerReview.exe
File created	C:\Program Files\Windows Defender\it-IT\upfc.exe	containerReview.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\upfc.exe	containerReview.exe
File created	C:\Program Files\Windows Defender\it-IT\ea1d8f6d871115	containerReview.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe	containerReview.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\tjcm.cmn	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 29 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3164	PING.EXE
2572	PING.EXE
2712	PING.EXE
3632	PING.EXE
3908	PING.EXE
3684	PING.EXE
3880	PING.EXE
380	PING.EXE
3688	PING.EXE
1716	PING.EXE
4116	PING.EXE
3836	PING.EXE
112	PING.EXE
2844	PING.EXE
700	PING.EXE
2872	PING.EXE
3920	PING.EXE
3356	PING.EXE
4436	PING.EXE
3196	PING.EXE
2816	PING.EXE
1384	PING.EXE
4856	PING.EXE
4688	PING.EXE
868	PING.EXE
1348	PING.EXE
4532	PING.EXE
3116	PING.EXE
1888	PING.EXE

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	upfc.exe

Runs ping.exe 1 TTPs 29 IoCs

Remote System Discovery

T1018

pid	Process
1888	PING.EXE
2872	PING.EXE
2816	PING.EXE
4856	PING.EXE
1716	PING.EXE
3880	PING.EXE
2712	PING.EXE
1384	PING.EXE
3164	PING.EXE
2572	PING.EXE
4688	PING.EXE
112	PING.EXE
3632	PING.EXE
2844	PING.EXE
3908	PING.EXE
4116	PING.EXE
3688	PING.EXE
868	PING.EXE
3116	PING.EXE
3920	PING.EXE
1348	PING.EXE
4532	PING.EXE
380	PING.EXE
4436	PING.EXE
3196	PING.EXE
700	PING.EXE
3836	PING.EXE
3684	PING.EXE
3356	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe
1624	schtasks.exe
1116	schtasks.exe
3684	schtasks.exe
3784	schtasks.exe
4636	schtasks.exe
1432	schtasks.exe
3708	schtasks.exe
3168	schtasks.exe
4968	schtasks.exe
3464	schtasks.exe
3240	schtasks.exe
5008	schtasks.exe
2060	schtasks.exe
2504	schtasks.exe
3044	schtasks.exe
376	schtasks.exe
4648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
3964	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
3964	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2096	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2348	explorer.exe
2364	svchost.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	containerReview.exe
Token: SeDebugPrivilege	1808	upfc.exe
Token: SeDebugPrivilege	400	upfc.exe
Token: SeDebugPrivilege	1656	upfc.exe
Token: SeDebugPrivilege	4164	upfc.exe
Token: SeDebugPrivilege	3452	upfc.exe
Token: SeDebugPrivilege	1560	upfc.exe
Token: SeDebugPrivilege	1328	upfc.exe
Token: SeDebugPrivilege	2260	upfc.exe
Token: SeDebugPrivilege	1700	upfc.exe
Token: SeDebugPrivilege	3976	upfc.exe
Token: SeDebugPrivilege	1628	upfc.exe
Token: SeDebugPrivilege	2856	upfc.exe
Token: SeDebugPrivilege	4036	upfc.exe
Token: SeDebugPrivilege	3532	upfc.exe
Token: SeDebugPrivilege	3136	upfc.exe
Token: SeDebugPrivilege	3652	upfc.exe
Token: SeDebugPrivilege	2256	upfc.exe
Token: SeDebugPrivilege	4416	upfc.exe
Token: SeDebugPrivilege	3108	upfc.exe
Token: SeDebugPrivilege	592	upfc.exe
Token: SeDebugPrivilege	3620	upfc.exe
Token: SeDebugPrivilege	1528	upfc.exe
Token: SeDebugPrivilege	3796	upfc.exe
Token: SeDebugPrivilege	3504	upfc.exe
Token: SeDebugPrivilege	1892	upfc.exe
Token: SeDebugPrivilege	2380	upfc.exe
Token: SeDebugPrivilege	1420	upfc.exe
Token: SeDebugPrivilege	3156	upfc.exe
Token: SeDebugPrivilege	4192	upfc.exe
Token: SeDebugPrivilege	1928	upfc.exe
Token: SeDebugPrivilege	4988	upfc.exe
Token: SeDebugPrivilege	3588	upfc.exe
Token: SeDebugPrivilege	1908	upfc.exe
Token: SeDebugPrivilege	3772	upfc.exe
Token: SeDebugPrivilege	2636	unsecapp.exe
Token: SeDebugPrivilege	1980	upfc.exe
Token: SeDebugPrivilege	2504	wininit.exe
Token: SeDebugPrivilege	540	SearchApp.exe
Token: SeDebugPrivilege	4524	wininit.exe
Token: SeDebugPrivilege	3704	upfc.exe
Token: SeDebugPrivilege	1848	upfc.exe
Token: SeDebugPrivilege	5080	upfc.exe
Token: SeDebugPrivilege	4216	upfc.exe
Token: SeDebugPrivilege	2284	upfc.exe
Token: SeDebugPrivilege	2268	upfc.exe
Token: SeDebugPrivilege	2788	upfc.exe
Token: SeDebugPrivilege	2276	upfc.exe
Token: SeDebugPrivilege	848	upfc.exe
Token: SeDebugPrivilege	4380	upfc.exe
Token: SeDebugPrivilege	4952	upfc.exe
Token: SeDebugPrivilege	3528	upfc.exe
Token: SeDebugPrivilege	1064	upfc.exe
Token: SeDebugPrivilege	4228	unsecapp.exe
Token: SeDebugPrivilege	3808	csrss.exe
Token: SeDebugPrivilege	2704	containerReview.exe
Token: SeDebugPrivilege	760	upfc.exe
Token: SeDebugPrivilege	4936	csrss.exe
Token: SeDebugPrivilege	3936	unsecapp.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
3964	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2096	icsys.icn.exe
2096	icsys.icn.exe
2348	explorer.exe
2348	explorer.exe
1168	spoolsv.exe
1168	spoolsv.exe
2364	svchost.exe
2364	svchost.exe
3972	spoolsv.exe
3972	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 3964	4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	83
PID 4668 wrote to memory of 3964	4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	83
PID 4668 wrote to memory of 3964	4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	83
PID 4668 wrote to memory of 2096	4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	84
PID 4668 wrote to memory of 2096	4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	84
PID 4668 wrote to memory of 2096	4668	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	84
PID 2096 wrote to memory of 2348	2096	icsys.icn.exe	85
PID 2096 wrote to memory of 2348	2096	icsys.icn.exe	85
PID 2096 wrote to memory of 2348	2096	icsys.icn.exe	85
PID 2348 wrote to memory of 1168	2348	explorer.exe	86
PID 2348 wrote to memory of 1168	2348	explorer.exe	86
PID 2348 wrote to memory of 1168	2348	explorer.exe	86
PID 1168 wrote to memory of 2364	1168	spoolsv.exe	87
PID 1168 wrote to memory of 2364	1168	spoolsv.exe	87
PID 1168 wrote to memory of 2364	1168	spoolsv.exe	87
PID 3964 wrote to memory of 3700	3964	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	88
PID 3964 wrote to memory of 3700	3964	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	88
PID 3964 wrote to memory of 3700	3964	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	88
PID 2364 wrote to memory of 3972	2364	svchost.exe	89
PID 2364 wrote to memory of 3972	2364	svchost.exe	89
PID 2364 wrote to memory of 3972	2364	svchost.exe	89
PID 3700 wrote to memory of 2544	3700	WScript.exe	97
PID 3700 wrote to memory of 2544	3700	WScript.exe	97
PID 3700 wrote to memory of 2544	3700	WScript.exe	97
PID 2544 wrote to memory of 5024	2544	cmd.exe	99
PID 2544 wrote to memory of 5024	2544	cmd.exe	99
PID 5024 wrote to memory of 4348	5024	containerReview.exe	105
PID 5024 wrote to memory of 4348	5024	containerReview.exe	105
PID 4348 wrote to memory of 3428	4348	csc.exe	107
PID 4348 wrote to memory of 3428	4348	csc.exe	107
PID 5024 wrote to memory of 1608	5024	containerReview.exe	123
PID 5024 wrote to memory of 1608	5024	containerReview.exe	123
PID 1608 wrote to memory of 4416	1608	cmd.exe	125
PID 1608 wrote to memory of 4416	1608	cmd.exe	125
PID 1608 wrote to memory of 700	1608	cmd.exe	126
PID 1608 wrote to memory of 700	1608	cmd.exe	126
PID 1608 wrote to memory of 1808	1608	cmd.exe	132
PID 1608 wrote to memory of 1808	1608	cmd.exe	132
PID 1808 wrote to memory of 4024	1808	upfc.exe	135
PID 1808 wrote to memory of 4024	1808	upfc.exe	135
PID 4024 wrote to memory of 1232	4024	cmd.exe	137
PID 4024 wrote to memory of 1232	4024	cmd.exe	137
PID 4024 wrote to memory of 4116	4024	cmd.exe	138
PID 4024 wrote to memory of 4116	4024	cmd.exe	138
PID 4024 wrote to memory of 400	4024	cmd.exe	143
PID 4024 wrote to memory of 400	4024	cmd.exe	143
PID 400 wrote to memory of 1660	400	upfc.exe	145
PID 400 wrote to memory of 1660	400	upfc.exe	145
PID 1660 wrote to memory of 5112	1660	cmd.exe	147
PID 1660 wrote to memory of 5112	1660	cmd.exe	147
PID 1660 wrote to memory of 380	1660	cmd.exe	148
PID 1660 wrote to memory of 380	1660	cmd.exe	148
PID 1660 wrote to memory of 1656	1660	cmd.exe	150
PID 1660 wrote to memory of 1656	1660	cmd.exe	150
PID 1656 wrote to memory of 3472	1656	upfc.exe	152
PID 1656 wrote to memory of 3472	1656	upfc.exe	152
PID 3472 wrote to memory of 1368	3472	cmd.exe	154
PID 3472 wrote to memory of 1368	3472	cmd.exe	154
PID 3472 wrote to memory of 2872	3472	cmd.exe	155
PID 3472 wrote to memory of 2872	3472	cmd.exe	155
PID 3472 wrote to memory of 4164	3472	cmd.exe	157
PID 3472 wrote to memory of 4164	3472	cmd.exe	157
PID 4164 wrote to memory of 4012	4164	upfc.exe	159
PID 4164 wrote to memory of 4012	4164	upfc.exe	159

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4668
- \??\c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
  c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession/containerReview.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0gdgrh1u\0gdgrh1u.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4A8.tmp" "c:\Windows\System32\CSC72561D34D764DE786A95813C8702816.TMP"
        7⤵
        
        PID:3428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R9Wtkv8OgE.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:700
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SPR0cWdHM6.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4116
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HqVvjk53aP.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:380
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CtBPmh6epj.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HqVvjk53aP.bat"
        14⤵
        
        PID:4012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wckvReZrUI.bat"
        16⤵
        
        PID:1932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:988
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tuGXyMaJvX.bat"
        18⤵
        
        PID:1360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3920
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sFt2vWrbZi.bat"
        20⤵
        
        PID:1428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3836
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y182dPLPTa.bat"
        22⤵
        
        PID:3664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:944
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bjcQ5hKx2L.bat"
        24⤵
        
        PID:1532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3464
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eyO6VICV7m.bat"
        26⤵
        
        PID:3176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4856
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZFxA7ALGfV.bat"
        28⤵
        
        PID:2424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3164
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJeeA8Mqtp.bat"
        30⤵
        
        PID:5056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3684
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VXTmetMh5k.bat"
        32⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:3932
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aUnIbwK7qQ.bat"
        34⤵
        
        PID:4412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:1812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3356
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UeH86Hd8X1.bat"
        36⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:1620
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat"
        38⤵
        
        PID:4676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:1228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2572
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KyXgl7nTK4.bat"
        40⤵
        
        PID:4976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3688
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat"
        42⤵
        
        PID:4184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:1016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4688
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jvhcSLBvsS.bat"
        44⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:1424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:868
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1DAo4o4YO.bat"
        46⤵
        
        PID:4432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:5112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:1652
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vs6Gb3dzjw.bat"
        48⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:3756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:2136
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SPR0cWdHM6.bat"
        50⤵
        
        PID:4788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lOMsQrAcGI.bat"
        52⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:2372
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat"
        54⤵
        
        PID:4792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:2524
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m3jNUitKc7.bat"
        56⤵
        
        PID:900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:2336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:112
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CtBPmh6epj.bat"
        58⤵
        
        PID:4896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1348
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EMqflE6MDZ.bat"
        60⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:3876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        61⤵
        
        PID:1676
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y182dPLPTa.bat"
        62⤵
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        63⤵
        
        PID:2224
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfQPUbaSjc.bat"
        64⤵
        
        PID:2028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:3208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3880
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aUnIbwK7qQ.bat"
        66⤵
        
        PID:904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:4108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4532
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat"
        68⤵
        
        PID:1232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        69⤵
        
        PID:4236
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        69⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6HUNmoPWiE.bat"
        70⤵
        
        PID:3924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        71⤵
        
        PID:3600
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dxSYZSKoEG.bat"
        72⤵
        
        PID:3680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        73⤵
        
        PID:1308
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        73⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oXOdSEs2zx.bat"
        74⤵
        
        PID:3420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:3212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        75⤵
        
        PID:4468
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        75⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2096
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1168
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\it-IT\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 12 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 12 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Users\All Users\wininit.exe
"C:\Users\All Users\wininit.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wckvReZrUI.bat"
  2⤵
  PID:1576
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4512
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4716
- - C:\Users\All Users\wininit.exe
    "C:\Users\All Users\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4524

C:\Recovery\WindowsRE\SearchApp.exe
C:\Recovery\WindowsRE\SearchApp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Program Files\Windows Defender\it-IT\upfc.exe
"C:\Program Files\Windows Defender\it-IT\upfc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\igsUyaB4hX.bat"
  2⤵
  PID:3016
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2040
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2100
- - C:\Program Files\Windows Defender\it-IT\upfc.exe
    "C:\Program Files\Windows Defender\it-IT\upfc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat"
      4⤵
      PID:1212
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1672
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2712
    - - C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat"
        6⤵
        
        PID:3624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2388
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NS7UfUfsaQ.bat"
        8⤵
        
        PID:2244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1016
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sFt2vWrbZi.bat"
        10⤵
        
        PID:3160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3116
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KyXgl7nTK4.bat"
        12⤵
        
        PID:4296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HVsQnaolwE.bat"
        14⤵
        
        PID:4268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3196
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eyO6VICV7m.bat"
        16⤵
        
        PID:824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3632
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sFt2vWrbZi.bat"
        18⤵
        
        PID:4068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jvhcSLBvsS.bat"
        20⤵
        
        PID:4704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3908
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hR2MTpBDVc.bat"
        22⤵
        
        PID:1764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2204
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat"
        24⤵
        
        PID:2640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2940
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJeeA8Mqtp.bat"
        26⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1384
        
        C:\Program Files\Windows Defender\it-IT\upfc.exe
        
        "C:\Program Files\Windows Defender\it-IT\upfc.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:760

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xqZ3vPYigC.bat"
  2⤵
  PID:1148
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3724
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1888
- - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe
    "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3936

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat"
  2⤵
  PID:2484
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2116
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2728
- - C:\Recovery\WindowsRE\csrss.exe
    "C:\Recovery\WindowsRE\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4936

C:\blockcomSession\containerReview.exe
C:\blockcomSession\containerReview.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
935ecb30a8e13f625a9a89e3b0fcbf8f

SHA1
41cb046b7b5f89955fd53949efad8e9f3971d731

SHA256
2a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9

SHA512
1210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat

Filesize
176B

MD5
5e870e9cd2a08d412b102b3a61726c18

SHA1
cdc3eb983a7ccafec8343fc86ef0bc18fea36d8f

SHA256
00fcd1de10549c4274da1c17388ba2ae110d5d4f9cc7d0afe5ce00cdc71822d0

SHA512
3d23396bf819c4d867a88e2eef9600eaaa78e8e4502e39cf36ef069b1d5a55e8ccb08cdac9f89c63592bb29c5a094b520972b3a06c5fc31f947a6d7c2dca8abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CtBPmh6epj.bat

Filesize
176B

MD5
6c3a8d4b099eda991c027ed37bc2b76f

SHA1
84bbc7cc7e521786cb53dba79bfae319eeff1be9

SHA256
43ccdc4ef948ef1745bd247a1abff0bb765bdeeecbabc87b41bda8cb9f474e30

SHA512
a0e7b90b5dedbc7a73460844bda23ce09006b7fb6b4c72614c78a231cfb1bd69afaae5068b21ae39dddfadea0bd42566bf069df3ed39ed2460ad4c5f505e9f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1DAo4o4YO.bat

Filesize
224B

MD5
d7cf75ba202660057ac3dc6bffdbbc83

SHA1
0cf62951a239d43704b4692304068d1a5ee2e5fb

SHA256
b24c0b71e52ee469c95fd0dce2183434106f5ca81e188eebbd6eebfe9b5fde9e

SHA512
e7f44b8283d5442693d047c709875ef3a72af7c847daa380e32832284b115c9e935bafd15f026bf8a907e865bd664e0dcde5f7bab5cfec9c5015eb76cdceb073

Download Submit
C:\Users\Admin\AppData\Local\Temp\HqVvjk53aP.bat

Filesize
176B

MD5
01ba22e0c4a1c85e635a76bb0a4bb97b

SHA1
6c4636c65f89de17a329696ef2de2ba42024a532

SHA256
7b8f2ab6a972a87978bd49e9bb67e610724dfe128d51d910b5944ed152e5e013

SHA512
0c865330d87a504d0b7e5348771e9991cf63c6eb93c5bb336ea1b3d50e89fd1afa54f11661c1b16c56a236e7c725b26076419c43f4165ce521fdf5ed124523e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KyXgl7nTK4.bat

Filesize
176B

MD5
7b42f14e11e859925c688d04ed3cc7de

SHA1
08d8a8f9969fa58be291072fb5484f7f609795bb

SHA256
fc7681440b1d2f03cf908dd4c281dc9d949b13af4d1496edbe81e696d33ade43

SHA512
0f88a0589117eb24e37a9576573023a132c2e75d8e6520730b333e8e971364ff94e51ecc7950b8cc0336c523d30b8d19e3d34bed1b2bd2ee5f24d1db909f6813

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat

Filesize
176B

MD5
dabf051180e9de0b44fe8f1f038d075a

SHA1
d7799f2f6d8ec7eec51eea52ab6a97137214359a

SHA256
2acf223ff5b4be76a9c711601b9a120d27a4c524e8485417ff0e40b3553ebdb0

SHA512
a392674ed43d4acc02d48c674d8f46eb1ab082c2609799ba9144945e90b8d1f37e349a68e3fde63b8d7e6f8422827593c3a3086905000df190b28a07aa8a9c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat

Filesize
224B

MD5
af2005b91d3fd8d4d5c8fa4555fcad12

SHA1
83936e32d4d009ac6955b694ea396d9ea1315ca9

SHA256
0c62b3abd1f41758423bed7736d9038439bcc19f9511831e8902da3f8cd2234f

SHA512
f766701222bf21a185fdf357772dde4320219e95d9b16d4c70cc96bc9fc897ac695700e90284a71a79255a0dc682e5c7f157c46613f3d1e3c9b94ab8970b391e

Download Submit
C:\Users\Admin\AppData\Local\Temp\R9Wtkv8OgE.bat

Filesize
176B

MD5
6f82d121ae75b09a9245276d06b98812

SHA1
8e08ab798e30524bf8a9c4dc4c454adc7806e2cc

SHA256
9410849db1f21c9acb3e4a5d82dfda261126b437724d3936e9e74fda4a661361

SHA512
8d561beb840218a734393e8fb85dc6dea5ca83e31a4ee52ef94bc76404d9f15149f2f764eff75647afa198fd1d684c781046e37afe2b68241ab84add610cf1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC4A8.tmp

Filesize
1KB

MD5
1f6807543405f4cae670d67d8939b1b5

SHA1
2e635f6b96b20941740fef0ef95918e5d21d5cde

SHA256
0720bf9cb444352a3bb6a54b8d11dac9c36409ab674d958d539eec5bc8295852

SHA512
b8a43a649cb32a23d4acb0bf5b213476f0282a6ac9c9d20de985d76210581625ee7969315c48e565284650db9f2e6d1fc74ff2528b6f12c2290ed11644341e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPR0cWdHM6.bat

Filesize
176B

MD5
d6931df40e393ce8b3cb00155f60113f

SHA1
8736f3e78fbca7352b9153fca3943cd7463335ac

SHA256
2852c86f0deda6ecb9b1eb804e434182b50bf8b7d69a2cca96ba7a829db53bce

SHA512
52382b5530cb1d465c8d334893560d18466527072729663b9a408938d66c2b43c5f1dadb37f00f261ca8231d431ae9ba7d8df61daadf3da126dce54719201ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmEE9ECEWX

Filesize
25B

MD5
1914d68728123bb5932fefdf53851ee1

SHA1
3a4419ca7e739661dc0c78b08ccd9f208bebf5c3

SHA256
f3ebeea70869a6604add824b99d96f8d77500e5604b16f36564cd880829989db

SHA512
4e14facc7cae69622e1e9bed647cb6c0656cddfa2f962ac26fa4b59caa5efcf61f589793b2f6125be60fa68a33e544b4ec193e1ab4dec1240f166155925a69e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UJeeA8Mqtp.bat

Filesize
176B

MD5
d9180e63333fa1fab08107603143857a

SHA1
2c0c9649829ef84b604043bb093e390cdae13971

SHA256
7b9221adfe7a5444e78556f6f821d8963c5e3f5f82d860387218e79faedc91e0

SHA512
d9df67bf332fd5829a21ad723ea7b2d6b0761ee2d2865736e07f4d29fff19dbd0278ef72664717712653430c6cef85a3e96abaeb6c6b45cdc906e444ef709681

Download Submit
C:\Users\Admin\AppData\Local\Temp\UeH86Hd8X1.bat

Filesize
224B

MD5
94c3f722049b6aae75526a3889fac216

SHA1
000f45d391ea1f32f83a3159b3ffa5ae8fc6e689

SHA256
da26a6cdc2474b31cdb20f19c679c6b6bd39ac91198d1f75a2d2527b71996708

SHA512
eb5dd183773a24c230ba7bea099938545b47b434cc26f41a147f6b5c0b90535e16bc085dbd8175f21640e91ac349f3a4819696b19da7f69f0751ac4f7e23c31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VXTmetMh5k.bat

Filesize
224B

MD5
9c03f912c4fdc80e50cdd2a4a3b33797

SHA1
1653528ab1782d7b860d161758f92c8ca08747c5

SHA256
42908985daf033bfc9d233c7c45c4a363eefb7e6c375f1833c4132b9084a4a35

SHA512
cb0713f6c9030ceabe6e5d3e025fff76e71355981a54d608c432f41ea6cdc7b5c5fbb23ee4f37c60d966af799161431e8c8db59fd51ea85a23f41c6c59a67fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vs6Gb3dzjw.bat

Filesize
224B

MD5
8a1afeb2459447c6af0da0aac4a7c378

SHA1
35f1759c1368815870c3f021ad2de7b0b1687ac9

SHA256
bfbdd6e5d9657c4dc21e5185e65c0a0b3f68adab234c4111545ff7276083bfbf

SHA512
fe5a943c35c64cea4a57e87f6a59ab8cd1cac0851b3a0664faa0c9e63bebe4594558358969daf571a1823841af513561f88c8d6c047e62c2e4382fe27a55cefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y182dPLPTa.bat

Filesize
224B

MD5
5c7127f2dc5c767ea161c6eb61fb0884

SHA1
18be4d589cf3dcd1b472d205c82e7558c3f2f275

SHA256
58a4d810fac481cc67196e95f79267d61bf7e5e614bb9a8ec47500984760ea9e

SHA512
98e66d980cbe66a4572074aeb5edbb35784eb7bffbfa7ad145d2b4b60fc8271aba6b3dd1b12189d62a0ab06b8a4866896e0953b34189fca50348763dcf39fa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZFxA7ALGfV.bat

Filesize
176B

MD5
624e3bae46490f5cb1f5234ccc242e19

SHA1
2db49ffdb6830c4844d81a2d20e73a8cda487e42

SHA256
0fa0655b4ac4e579dac117f3a87373b61d043c54202b91e0a0cd709cdad418ed

SHA512
e0c84da4d65d389e5867180dbff43a29103132340b47b07efb42c8df32c1a5307426c08b57824fd0187160af3664908cc7f4e5a3d5be3972d1d8dc49809b91e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUnIbwK7qQ.bat

Filesize
176B

MD5
f92fc7467815ca757ab275e899c938fd

SHA1
bcae844202836c14a28fec9ef6d5807e2b82c8d8

SHA256
299224524f2dbae0062bc858b6a9844694cf4ad27adc5b64d7e9620a0d79523a

SHA512
1de1cbd2a76775d681fe2e3da243c0343888d80e4ad35a30e730a522865050d97ccbc7b0e3adb32cad1794231829fc7597634d1f6564c2c682f1b2bc9870a989

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Filesize
3.2MB

MD5
a7040b85fc683f088f4c6e5b44052c43

SHA1
7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66

SHA256
b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

SHA512
e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjcQ5hKx2L.bat

Filesize
224B

MD5
92ee6acca5c3f8438b1152bb969b1512

SHA1
68c07f0126b1313e5e2233f9ce563bca5fb61999

SHA256
50086f9ba53a95f4f31a95ccd61034c73677a05b6be03d58502d3606d1accd7e

SHA512
3adba27905b36f8a2f7ff60893877a8bc790bfa9674456b5a3c71b6137cea2b1ba204fed756d9767b4cd0945d640babfb59819ba56638d7081a1119c177d0878

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyO6VICV7m.bat

Filesize
176B

MD5
07adbf5ab26c3dbd58b3ff22f350f63a

SHA1
5e31662276292f1a8bd695a338185782f6bd1604

SHA256
f102ac2d7385c07c988e5b130df6cc914fe987d4538a16e39d19794dc70d3554

SHA512
db31674f932bbc65148d1fb687529ea048bb0fa975bf60a328e1f4f1c9af77192767d2757b2d303b74880e6613f86e1f7ce33fffa0317dfb40dc191b383e9d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvhcSLBvsS.bat

Filesize
176B

MD5
4c974f77968dc12554ad1c8a8691f600

SHA1
81cf5687025eee9e015ecfce00c4086525edc953

SHA256
54bdf22568b9d751ae10708c659e8bfe8c7f740af493e1172786b3fabfc84be0

SHA512
f0c4bf1912b23f41fd3ab76eadc306c52fb8f8938c305230443aee7e9472ab0235ef7123fb32ecc7254ae6cc92f992868a6d95f20b745bc989f93babb9797ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sFt2vWrbZi.bat

Filesize
176B

MD5
6e8b195b6b99788206a3091c9090d1b4

SHA1
daced52954df2b19a078b593e254b3ceef2d1e1b

SHA256
4c86d9af3c2ace9eaae4bd8897413e21b2ab44391f469b675a2181b21dfff003

SHA512
beedebdf91269978a0d0cfeb6e2f931100ca3bebe7f63ddea5dc428a32120334646abf0e079d27d66b260482d1932713a03461ebf60d752a701edcf3a53f9840

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuGXyMaJvX.bat

Filesize
176B

MD5
00a7ac262c0a509c61e1f2c9abd2274b

SHA1
bdcfaac0e4586171f082015dca3ac0414c542b23

SHA256
3529d64e9e986e22cde0dbeb53efba27dcbb26146a29056cbc3a141535dfce30

SHA512
0aef89e16a12df15e1547f7f38375e5c803a39e66eb152112958326f13f9442acbf57b54d18a2ede9c4d533b5b290c4a799673fd518e877cbebfccfff523702f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wckvReZrUI.bat

Filesize
224B

MD5
80db051ba04939a597499be1c85d0bb8

SHA1
3c42c9bc738a3f86164f43d955567f569e4e5756

SHA256
9fb471fd6ba08349e50fc914b29b3baa406b74681f065e2aeff41f1592b3effc

SHA512
54fa1defea8ab0d216be0ccada12dc8b33a4c4d5dabbdd09d2a1c7667dd61f8d63fb2b12fc221e8b246290efe854ccd477da73ab990eb049af546ce21458e187

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
0f5eee176fd520119f942c75c0f61b0f

SHA1
f094a16f73019d99f50dfadb8e53a449cc3fc41c

SHA256
b9d0d1e3290e6ade8ca74b9eda64ace170eaab5d5e6588ab60e088af2751cd3f

SHA512
bdb093133063399b6f3b1d2d590afb19070ddfa4b57af4e6fa959d06653b2b309c42bfc4776dccf71a8f0e08ec80aa5e0d497d48166dcf24cf4581d84aead661

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d36cc2935ae0e7a5d2936db589a9b8cc

SHA1
082bd58c0ad60fa4783b63a4f681a5c5fad8e1a6

SHA256
4c93adb50768feb3cdea95f1fedc5d6fdc262d59f12c4b66601d377e2709c2e3

SHA512
547452ba0de7c8ebeec8e4bb2d916c7a881b6743e6d1fb6d2761a202b7cf5bb30c3f541957de70c584b46b7171f3f20338b4985341829b408c366aeaeced9290

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d63cd31ff5fbd41966164e2dba97dbb7

SHA1
7d95af735d6e51ebac61b7ccf5ee9b4e064d6b2e

SHA256
383876cb605c461e802639805465c64e8ccdd5823e8d6377dc9f254a490a1e00

SHA512
e7c1c2cb44ea9d17a373a47dd7999a575528c14bf51dc2fac43c0a99c2d5be14421556648545f97e68eb3ba84b71523bacca78c36a982805f82a036fb9e5bdce

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
6e176510e8d75afc1b8c9591f6563f3a

SHA1
c84932d503c85d7df62c897c6f5601dc92202404

SHA256
6f86bdb3f13aa9622544ff99763dc97bacccdd88bc6819ddcd2fad871f4f0bc1

SHA512
c3c29d101a8d4bb8f9d31e339671a206822f27f9e7fab7825ac69a4b178e8939c987c12089f400b92a0588ed63332a376aca8800b07a29f377cc33b88b66f548

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
C:\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0gdgrh1u\0gdgrh1u.0.cs

Filesize
362B

MD5
333b886645af34523278a6c234d3d1a3

SHA1
455f271c635bb6cb81b25b6b5d7a66c07781aca6

SHA256
d12ccc835bfbef7d44cdb24dd5d84c5231546d544ecd98982594c62a5ffc0b06

SHA512
c1e8683eda003332cfcd64699219a5c7541d04ff1e667d83581e5c736564d8c67098ac01b96f033caab006e4f9ca291f5d36343b4ff4c5808ed6260f33cdaa1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0gdgrh1u\0gdgrh1u.cmdline

Filesize
235B

MD5
4624855d8377e2d7fa346d398332fed0

SHA1
992361d4e88c425caef3291c4eae902ae84ea521

SHA256
a6a21057fde7d0bbd8be852cb76b960b7a1aa1c864f6f46ccd0c21516d1551af

SHA512
01c17f7c477d2e246075e1f3d4cc7378a9b770f4553dd2a73418dcdb55183f89a79c26a1e070afe79aa055952a24ef70d27a7040ecd96248e1d575caabb1ccf0

Download Submit
\??\c:\Windows\System32\CSC72561D34D764DE786A95813C8702816.TMP

Filesize
1KB

MD5
ad61927912f86c7c9f1e72720f4ef0ef

SHA1
dbb61d9d5c7310c85716fe9f445fee2151cef437

SHA256
bf2696fc2183af293d74c988add5772c1c7257c2e85ae754e43cbe0e1d105a1e

SHA512
33b6f9f93672bd0ecb68e553de0ce92dd6b773c62da7721c9544171df7de8b8588e9ba42e13836db5d5ffc078ca656993f8d06a857dda5a27e1d639d5a6fb3ee

Download Submit
memory/1168-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2348-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2364-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3964-8-0x0000000000F70000-0x0000000001351000-memory.dmp

Filesize
3.9MB

Download
memory/3964-53-0x0000000000F70000-0x0000000001351000-memory.dmp

Filesize
3.9MB

Download
memory/3972-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4668-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4668-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5024-75-0x0000000002AC0000-0x0000000002ACC000-memory.dmp

Filesize
48KB

Download
memory/5024-62-0x0000000000650000-0x0000000000840000-memory.dmp

Filesize
1.9MB

Download
memory/5024-64-0x0000000001050000-0x000000000105E000-memory.dmp

Filesize
56KB

Download
memory/5024-66-0x0000000002A80000-0x0000000002A9C000-memory.dmp

Filesize
112KB

Download
memory/5024-67-0x000000001B3E0000-0x000000001B430000-memory.dmp

Filesize
320KB

Download
memory/5024-69-0x0000000002AA0000-0x0000000002AB8000-memory.dmp

Filesize
96KB

Download
memory/5024-71-0x0000000002A50000-0x0000000002A5E000-memory.dmp

Filesize
56KB

Download
memory/5024-73-0x0000000002A60000-0x0000000002A6E000-memory.dmp

Filesize
56KB

Download