dcrat | 6769f3dcde3cc9f6fb8fd1fb6a37b52221ef79b97d5d4002c44308da7a24b144

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan Alpha/start.exe
Size

2.3MB
MD5

c473326baa0562bc1081ac3fff5fadab
SHA1

79ae481230a4aeb89232b60bb015c7f376cd70d7
SHA256

66058290e904b349c68a65b6deac3875acf5c9b618bd31756f1a9cbde2cfb83b
SHA512

f822532e90006b0e69305a93e01512185a1a367ebb734e8b8c443efb716abe1d4460f246b70b32e7e18c8fc6aa7db85ec039d59773305e8061375b0634351ff5
SSDEEP

49152:IBJPbv4/KHiciethGCUA1TJeUCMkiOT3eY1CKzuJtGvAAzT:yNbv4/BUVb5JLChiAu1evAoT

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Java\\StartMenuExperienceHost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Java\\StartMenuExperienceHost.exe\", \"C:\\chainBlocksurrogatewin\\csrss.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Java\\StartMenuExperienceHost.exe\", \"C:\\chainBlocksurrogatewin\\csrss.exe\", \"C:\\Users\\All Users\\fontdrvhost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Java\\StartMenuExperienceHost.exe\", \"C:\\chainBlocksurrogatewin\\csrss.exe\", \"C:\\Users\\All Users\\fontdrvhost.exe\", \"C:\\Windows\\Resources\\Themes\\aero\\Shell\\spoolsv.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Java\\StartMenuExperienceHost.exe\", \"C:\\chainBlocksurrogatewin\\csrss.exe\", \"C:\\Users\\All Users\\fontdrvhost.exe\", \"C:\\Windows\\Resources\\Themes\\aero\\Shell\\spoolsv.exe\", \"C:\\chainBlocksurrogatewin\\Comcontainerdriver.exe\""	Comcontainerdriver.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3476	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3476	schtasks.exe	86

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3268	powershell.exe
112	powershell.exe
5072	powershell.exe
2628	powershell.exe
3488	powershell.exe
4800	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Comcontainerdriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 13 IoCs

pid	Process
1784	Comcontainerdriver.exe
2456	StartMenuExperienceHost.exe
1384	StartMenuExperienceHost.exe
1464	StartMenuExperienceHost.exe
3616	StartMenuExperienceHost.exe
3604	StartMenuExperienceHost.exe
3720	StartMenuExperienceHost.exe
3912	StartMenuExperienceHost.exe
4968	StartMenuExperienceHost.exe
2040	StartMenuExperienceHost.exe
3300	StartMenuExperienceHost.exe
1396	StartMenuExperienceHost.exe
4032	StartMenuExperienceHost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\fontdrvhost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Resources\\Themes\\aero\\Shell\\spoolsv.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Resources\\Themes\\aero\\Shell\\spoolsv.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Comcontainerdriver = "\"C:\\chainBlocksurrogatewin\\Comcontainerdriver.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Comcontainerdriver = "\"C:\\chainBlocksurrogatewin\\Comcontainerdriver.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Java\\StartMenuExperienceHost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Java\\StartMenuExperienceHost.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\chainBlocksurrogatewin\\csrss.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\chainBlocksurrogatewin\\csrss.exe\""	Comcontainerdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\fontdrvhost.exe\""	Comcontainerdriver.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ipinfo.io
34	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\8zj1cq.exe	csc.exe
File created	\??\c:\Windows\System32\CSC460B7BA5CC6A4DB685F27BC0C9966FA7.TMP	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\StartMenuExperienceHost.exe	Comcontainerdriver.exe
File created	C:\Program Files\Java\55b276f4edf653	Comcontainerdriver.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\aero\Shell\spoolsv.exe	Comcontainerdriver.exe
File opened for modification	C:\Windows\Resources\Themes\aero\Shell\spoolsv.exe	Comcontainerdriver.exe
File created	C:\Windows\Resources\Themes\aero\Shell\f3b6ecef712a24	Comcontainerdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3920	PING.EXE
3168	PING.EXE
2248	PING.EXE
4868	PING.EXE
3256	PING.EXE
2464	PING.EXE

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	start.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Comcontainerdriver.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
3168	PING.EXE
2248	PING.EXE
4868	PING.EXE
3256	PING.EXE
2464	PING.EXE
3920	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1148	schtasks.exe
4960	schtasks.exe
216	schtasks.exe
5088	schtasks.exe
1508	schtasks.exe
3136	schtasks.exe
3464	schtasks.exe
876	schtasks.exe
892	schtasks.exe
4864	schtasks.exe
1996	schtasks.exe
5036	schtasks.exe
3128	schtasks.exe
4912	schtasks.exe
4452	schtasks.exe
1732	schtasks.exe
2468	schtasks.exe
4564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe
1784	Comcontainerdriver.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	Comcontainerdriver.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2456	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1384	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1464	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3616	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3604	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3720	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3912	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4968	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2040	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3300	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1396	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4032	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 3876	3268	start.exe	82
PID 3268 wrote to memory of 3876	3268	start.exe	82
PID 3268 wrote to memory of 3876	3268	start.exe	82
PID 3876 wrote to memory of 3916	3876	WScript.exe	91
PID 3876 wrote to memory of 3916	3876	WScript.exe	91
PID 3876 wrote to memory of 3916	3876	WScript.exe	91
PID 3916 wrote to memory of 1784	3916	cmd.exe	93
PID 3916 wrote to memory of 1784	3916	cmd.exe	93
PID 1784 wrote to memory of 2104	1784	Comcontainerdriver.exe	97
PID 1784 wrote to memory of 2104	1784	Comcontainerdriver.exe	97
PID 2104 wrote to memory of 3896	2104	csc.exe	100
PID 2104 wrote to memory of 3896	2104	csc.exe	100
PID 1784 wrote to memory of 2628	1784	Comcontainerdriver.exe	116
PID 1784 wrote to memory of 2628	1784	Comcontainerdriver.exe	116
PID 1784 wrote to memory of 5072	1784	Comcontainerdriver.exe	117
PID 1784 wrote to memory of 5072	1784	Comcontainerdriver.exe	117
PID 1784 wrote to memory of 3488	1784	Comcontainerdriver.exe	118
PID 1784 wrote to memory of 3488	1784	Comcontainerdriver.exe	118
PID 1784 wrote to memory of 112	1784	Comcontainerdriver.exe	119
PID 1784 wrote to memory of 112	1784	Comcontainerdriver.exe	119
PID 1784 wrote to memory of 3268	1784	Comcontainerdriver.exe	120
PID 1784 wrote to memory of 3268	1784	Comcontainerdriver.exe	120
PID 1784 wrote to memory of 4800	1784	Comcontainerdriver.exe	122
PID 1784 wrote to memory of 4800	1784	Comcontainerdriver.exe	122
PID 1784 wrote to memory of 4624	1784	Comcontainerdriver.exe	128
PID 1784 wrote to memory of 4624	1784	Comcontainerdriver.exe	128
PID 4624 wrote to memory of 4944	4624	cmd.exe	130
PID 4624 wrote to memory of 4944	4624	cmd.exe	130
PID 4624 wrote to memory of 396	4624	cmd.exe	131
PID 4624 wrote to memory of 396	4624	cmd.exe	131
PID 4624 wrote to memory of 2456	4624	cmd.exe	132
PID 4624 wrote to memory of 2456	4624	cmd.exe	132
PID 2456 wrote to memory of 4452	2456	StartMenuExperienceHost.exe	133
PID 2456 wrote to memory of 4452	2456	StartMenuExperienceHost.exe	133
PID 4452 wrote to memory of 3444	4452	cmd.exe	135
PID 4452 wrote to memory of 3444	4452	cmd.exe	135
PID 4452 wrote to memory of 3168	4452	cmd.exe	136
PID 4452 wrote to memory of 3168	4452	cmd.exe	136
PID 4452 wrote to memory of 1384	4452	cmd.exe	137
PID 4452 wrote to memory of 1384	4452	cmd.exe	137
PID 1384 wrote to memory of 2452	1384	StartMenuExperienceHost.exe	138
PID 1384 wrote to memory of 2452	1384	StartMenuExperienceHost.exe	138
PID 2452 wrote to memory of 532	2452	cmd.exe	140
PID 2452 wrote to memory of 532	2452	cmd.exe	140
PID 2452 wrote to memory of 4148	2452	cmd.exe	141
PID 2452 wrote to memory of 4148	2452	cmd.exe	141
PID 2452 wrote to memory of 1464	2452	cmd.exe	142
PID 2452 wrote to memory of 1464	2452	cmd.exe	142
PID 1464 wrote to memory of 2688	1464	StartMenuExperienceHost.exe	143
PID 1464 wrote to memory of 2688	1464	StartMenuExperienceHost.exe	143
PID 2688 wrote to memory of 4944	2688	cmd.exe	145
PID 2688 wrote to memory of 4944	2688	cmd.exe	145
PID 2688 wrote to memory of 2248	2688	cmd.exe	146
PID 2688 wrote to memory of 2248	2688	cmd.exe	146
PID 2688 wrote to memory of 3616	2688	cmd.exe	147
PID 2688 wrote to memory of 3616	2688	cmd.exe	147
PID 3616 wrote to memory of 3840	3616	StartMenuExperienceHost.exe	148
PID 3616 wrote to memory of 3840	3616	StartMenuExperienceHost.exe	148
PID 3840 wrote to memory of 4864	3840	cmd.exe	150
PID 3840 wrote to memory of 4864	3840	cmd.exe	150
PID 3840 wrote to memory of 4868	3840	cmd.exe	151
PID 3840 wrote to memory of 4868	3840	cmd.exe	151
PID 3840 wrote to memory of 3604	3840	cmd.exe	152
PID 3840 wrote to memory of 3604	3840	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainBlocksurrogatewin\GQQ4ylq7g8v2sObSsphEhdaxNJcwRuTMFt5I2eiVZyEpGNyUkwbTE.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\chainBlocksurrogatewin\jadNZOaHlMDhsSca68lTCEwCwvIEx4Rlg.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\chainBlocksurrogatewin\Comcontainerdriver.exe
      "C:\chainBlocksurrogatewin/Comcontainerdriver.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4mbgj5ac\4mbgj5ac.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCDE.tmp" "c:\Windows\System32\CSC460B7BA5CC6A4DB685F27BC0C9966FA7.TMP"
        6⤵
        
        PID:3896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\chainBlocksurrogatewin\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\chainBlocksurrogatewin\Comcontainerdriver.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4kDUFAlUro.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4944
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:396
      - C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3168
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z3scJZvfCA.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4148
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uHdcbfRrII.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n5TyArTaLh.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4868
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cg5rz6h3MO.bat"
        15⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3256
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat"
        17⤵
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2032
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nQ6S61kszs.bat"
        19⤵
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2464
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\thAzAlBiSC.bat"
        21⤵
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3664
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lxRC8VlBb2.bat"
        23⤵
        
        PID:4500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2420
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcphCLUtxr.bat"
        25⤵
        
        PID:3960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1088
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n5TyArTaLh.bat"
        27⤵
        
        PID:1784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3920
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Java\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\chainBlocksurrogatewin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\chainBlocksurrogatewin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\chainBlocksurrogatewin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\aero\Shell\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\Shell\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\aero\Shell\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComcontainerdriverC" /sc MINUTE /mo 11 /tr "'C:\chainBlocksurrogatewin\Comcontainerdriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comcontainerdriver" /sc ONLOGON /tr "'C:\chainBlocksurrogatewin\Comcontainerdriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComcontainerdriverC" /sc MINUTE /mo 11 /tr "'C:\chainBlocksurrogatewin\Comcontainerdriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
2KB

MD5
cda7aec8a5d61f816468b7c887846489

SHA1
2bcb9dd067a889db254dcea552f1992e7c0cdda8

SHA256
1081e04ab8edd4e3295dfcce72fab4a83d7894dc1b61bc9b36cac17bb80642d2

SHA512
27bb2bf9ee7c956a4453cadf3f3b66ec274f88675c1e9cd53c95b1d2a8b045e0f57f931d70a5bc4c6554bf0bc3f8d2c6b33b73c1b25d3c4f0ecdd96429a26ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kDUFAlUro.bat

Filesize
225B

MD5
9232aa55f470837fbf4a050c396924a3

SHA1
6cc6f1b49dbdda79839018601a0b8b751a9ece88

SHA256
218d1c7fe91ccf5d56553adc6918c8658129cf5f46a834626a1bbb10b54b686e

SHA512
02227ddd1324e34644176d534e20f55b484f62804e8b28f7858ef8b751efe470bd2df0695c8e8c716bd7b8b82997e87f4f534dce3479f7ebc9770684ce5a5952

Download Submit
C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat

Filesize
225B

MD5
ea2391f14b6130e11a46d1614fb439ad

SHA1
31ad5ec9a06359a728b589086e83fb86edc8d7a4

SHA256
99cab7bb141e04bb89cf3d16414a98fc343f0029f17923d7783f1c229b553461

SHA512
09bd445497f6201ad1a40b6a67169786adbf23c216151d5f1686b7c175b095e73d3c7a02a85add9bf68ad3453fce05fd5af53cd4963bd60476d747b6fbba02dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cg5rz6h3MO.bat

Filesize
177B

MD5
1b33ee46aef7345a7e0c2265fa72b3e9

SHA1
1c563343545211d3c0aa0590c1c0155c075768a1

SHA256
5d8729c76cb0f38c2d3b2a9ef10778ba59952835b88dbfd4ff0f5dbb6515520e

SHA512
fce3973e5a8b6fc5a0013bef713ab46b2c32b5678169d411f3887de59e3729d620e6d4d5e72fd3f20c568d3716a7cb4f044f5896082e7973965cc47eb67937fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFCDE.tmp

Filesize
1KB

MD5
42bff80178086dac5047fb21d5ed1c92

SHA1
accb5df9de4dc3fd647dca3b83496f21c1980add

SHA256
65f79408899df20f76026084501b1862f393a6494e1bd8a5283f1877c337aab6

SHA512
946a605add04165746c1158d3423e31429e7307b5556639626e3ab67f9e6c39ca31da040646e990f7cc3b6366bc0a3ebf12f508200cdf1f0301273eb09dc1371

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z3scJZvfCA.bat

Filesize
225B

MD5
571440f86a6bb2a498ad1433d4b3f267

SHA1
7561003c8adb569646685915cd6d5adfefeee5f4

SHA256
d196649d16068d39e2a942e66e459fcbb3e0df1b0b2a6e6edf4f7ebbeae1900e

SHA512
10bc4816d41adfa6200639df0ae59845c13620022bc6cd9ef7031f5ecc84053f0f32f1ea8e0bdcc3905c84cac168683bec867a56fd7b6726402510cf803e152d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppixfu3y.j2v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat

Filesize
177B

MD5
9f7ae565f0bf0b2da907e7b4c4310807

SHA1
267ee8691b705d5379c63add9c3e27d4e1f697e7

SHA256
90e5e3b1af913d7eee8305a8206d1d728936ea9c4b5dd5aeb10bd7e07684cc78

SHA512
a320ed387094e081793928ffa49c9efee652988b071f6e26d41ff305277d37b6269dcb95f756df2843dad5571207f0cf73fc854d81b6fabe4cda1a7cf7a31949

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcphCLUtxr.bat

Filesize
225B

MD5
cbcd2a5c4d8d5a96f372a60e91819733

SHA1
ec4f2274bbbabfec9c0df5a62ac8ae3aae6a7454

SHA256
a47eda9a1d9e86957b83512063781796851563b9b153fe6d858ba0dc8e935c0a

SHA512
e5aaa5193013a059333626eb090d7264cad2917b9f4efba34af77440e485f562524c6df869d182db891493ea030bdb54e69ef3dac79105e79030def65b65e891

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxRC8VlBb2.bat

Filesize
225B

MD5
ef0208f63fdd257ca5aa3629d59a9175

SHA1
5d605d28bbdab91f7a7b1f3853cef6f2bc31a9f0

SHA256
fe1a9ae087f0b3b3fd41510c469e54b3ff94d464a1802986c79d41717d6e90c3

SHA512
38e18c38b434bdf1431d34865c09b750f82df4a5c4f3879e18694177c5564ca825d6010d22c3afca293b6874db0b5ab6fc0f9b6deb15ffbefd5143b7146d59a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5TyArTaLh.bat

Filesize
177B

MD5
3725ac71cfe40c3fab1b9faad942879b

SHA1
4dd9bad6547f47984793600a1ca63d9dabdcf844

SHA256
913d08e854269473c34ad9f3a227d29ecd65a16585bdce255fef8c3025d494b2

SHA512
a100d3410a7e4180e9d8668649fe7b86019a5d52160b59623741133deb3eb2342fbbc8d9788e4d267a1f8f4c5ef47302bfbdb31f0b3dd7e3a16ec08059c94406

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQ6S61kszs.bat

Filesize
177B

MD5
13c01b13a6a9fe975b564ddfc6c9513b

SHA1
c64abd5252006c0422700e11f084b7c2a6555b3d

SHA256
6cad5cb26ca05ca0a4c8016a7e57476b68a02b586605162d5804d0c7278e3e40

SHA512
c2ab97733a5508f4503d04be74446632949ad3d793ab59a46fc8ec16cd11ece80603bfebd9637baca0b0e0662018423be7f30df3fc6bc92d43d29761daae1eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\thAzAlBiSC.bat

Filesize
225B

MD5
ff749d0a600d800b7c86e01765da22ee

SHA1
08c2fcd91321392e33aafc8c9a86ddc900903753

SHA256
ac5c57e3f62eb8fc6f449eb6c76ec00606ac866bbc470254a99084c15d46c8b5

SHA512
842d8c94ade16614ae37304827d3fe591bc1e449546159af87da18ab14d7665f0fced563b14ebfe680c6ef97fdd6bb050bd9840c781aa3faa768f5f4e3a199eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uHdcbfRrII.bat

Filesize
177B

MD5
4164359cd25bd51309eb9231dfad537b

SHA1
d4d4a133ae75f65e2c688f78b31c7147421679df

SHA256
d40f324d6c8e5c6c6856bea5f346a6b77416a01315e708781d916bb00af8d7d1

SHA512
c846fa318eadda525ac27f5d9c540d15c59a58936a562649641c1aaf06f812086050ba6f67d3d1c48d1a6d6294a3d7375aa357786182918ec416797aac839975

Download Submit
C:\chainBlocksurrogatewin\Comcontainerdriver.exe

Filesize
2.0MB

MD5
9d27ce3f27809787e6c8bf545963d1e0

SHA1
89c73f5ba0a7cfb3afa53515b38704f90f8e70c4

SHA256
605f67d7b44d7d35fc5331e1badbe43ef332e369c86437c28bda68184c83294a

SHA512
0b49b02802a1652487d7d9dc052444194e74a43a3771dc68081c545114a437fbcc2aedd8ca032144ae7fa3e480cc4727e01fa9d0aa461ea786cb9bf63f867a4d

Download Submit
C:\chainBlocksurrogatewin\GQQ4ylq7g8v2sObSsphEhdaxNJcwRuTMFt5I2eiVZyEpGNyUkwbTE.vbe

Filesize
234B

MD5
8dfd0c504793456574496822db2d2a6d

SHA1
18f7f8d6e3af7dd7c2d491c219743ac6e18886d9

SHA256
c9349402fa75d4a2ce0c9b704be94ca546cf3d2912a3272af80c050e8251c2b5

SHA512
946de0213c05a3db186f27754b40e08de12021a7dc2cf43f55c29da4ec2bb40347abab7104684acf5696cb1e289ccb90ac826db5048dca698f98cb043d15358a

Download Submit
C:\chainBlocksurrogatewin\jadNZOaHlMDhsSca68lTCEwCwvIEx4Rlg.bat

Filesize
104B

MD5
e5d7112ec4ea1326fb903ec7d5249948

SHA1
068099c095e83c6fa948702e467de51455f5b873

SHA256
4a7538c31c88df87c83d85e6e729fe85ea5371ebf41545df1639dbf6a07ad709

SHA512
ee5fe8ff4f8a41acad3baeb3069b662f808a6ccaf581c66340498ecdd6470af999c8d4fc91979269b51461bb025041d7cb2ac30c52603161aa0b11a53c889ba4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4mbgj5ac\4mbgj5ac.0.cs

Filesize
381B

MD5
d873d8f42736e80e83478ce195bc5e98

SHA1
6c1d60270534feb83ce6692ab62d936e2fe38938

SHA256
a983fd93878363ec0a9a6865e82dd27ab3f4ee5ae858bd065424ac577e05115e

SHA512
729884ab49ee0b2e6b985090af74afa211bb23b7c945eeb70f7f0f0bb2b91adfd53dacae19529677d7e9d014297b20dc44b506da7fa841cf19acc8a1000eb2dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4mbgj5ac\4mbgj5ac.cmdline

Filesize
235B

MD5
a1c8cc0cd536ea4a0a58efc75658492b

SHA1
ecf2a6fe0fa95f781e952006b8dbb0105139e88b

SHA256
23a2485b479ae2b1bc7058dc735234c6a0b8924bdb69225303c2d07f3ce32494

SHA512
7bd02b60d757a77eeaf81b1ab4f354013ce8f8e12078d8a8a9e09a21a4b6794b59c0eea4b213b3a5016568bb3eaf393ba92999c5627dac123d4f169e9e14cd28

Download Submit
\??\c:\Windows\System32\CSC460B7BA5CC6A4DB685F27BC0C9966FA7.TMP

Filesize
1KB

MD5
d544bac668d308d2aba58ded2c13d82d

SHA1
e5dd50ef24d5c16629092f9290661a92387773b3

SHA256
84b05d56c45fd0382410fcd59e16aeef467ed0a455595dda88386dd5c87d7a02

SHA512
0826de2bc95d93dde2c540d2d768a0188481ee88f1da79f9c7d70d7ccd3c8715b8f1d62053f84d14f19e4d2b0a13e67084d970a158464e6223e340eb0733e1b0

Download Submit
memory/1384-162-0x000000001B180000-0x000000001B1EB000-memory.dmp

Filesize
428KB

Download
memory/1396-297-0x000000001C4F0000-0x000000001C55B000-memory.dmp

Filesize
428KB

Download
memory/1464-177-0x000000001BE20000-0x000000001BE8B000-memory.dmp

Filesize
428KB

Download
memory/1784-27-0x0000000002DB0000-0x0000000002DBE000-memory.dmp

Filesize
56KB

Download
memory/1784-17-0x000000001B7F0000-0x000000001B80C000-memory.dmp

Filesize
112KB

Download
memory/1784-12-0x00007FFFFD6A3000-0x00007FFFFD6A5000-memory.dmp

Filesize
8KB

Download
memory/1784-60-0x000000001C160000-0x000000001C1CB000-memory.dmp

Filesize
428KB

Download
memory/1784-31-0x000000001B850000-0x000000001B85C000-memory.dmp

Filesize
48KB

Download
memory/1784-29-0x0000000002DC0000-0x0000000002DC8000-memory.dmp

Filesize
32KB

Download
memory/1784-25-0x0000000002C90000-0x0000000002C9E000-memory.dmp

Filesize
56KB

Download
memory/1784-13-0x00000000009B0000-0x0000000000BB4000-memory.dmp

Filesize
2.0MB

Download
memory/1784-23-0x000000001C250000-0x000000001C778000-memory.dmp

Filesize
5.2MB

Download
memory/1784-15-0x0000000002C80000-0x0000000002C8E000-memory.dmp

Filesize
56KB

Download
memory/1784-22-0x000000001B830000-0x000000001B842000-memory.dmp

Filesize
72KB

Download
memory/1784-18-0x000000001B970000-0x000000001B9C0000-memory.dmp

Filesize
320KB

Download
memory/1784-20-0x000000001B810000-0x000000001B828000-memory.dmp

Filesize
96KB

Download
memory/2040-267-0x000000001BE50000-0x000000001BEBB000-memory.dmp

Filesize
428KB

Download
memory/2456-146-0x000000001C380000-0x000000001C3EB000-memory.dmp

Filesize
428KB

Download
memory/3268-70-0x000001EBF2100000-0x000001EBF2122000-memory.dmp

Filesize
136KB

Download
memory/3300-282-0x000000001C3D0000-0x000000001C43B000-memory.dmp

Filesize
428KB

Download
memory/3604-207-0x000000001B6E0000-0x000000001B74B000-memory.dmp

Filesize
428KB

Download
memory/3616-192-0x000000001C130000-0x000000001C19B000-memory.dmp

Filesize
428KB

Download
memory/3720-222-0x000000001BCF0000-0x000000001BD5B000-memory.dmp

Filesize
428KB

Download
memory/3912-237-0x000000001C0B0000-0x000000001C11B000-memory.dmp

Filesize
428KB

Download
memory/4968-252-0x000000001BCB0000-0x000000001BD1B000-memory.dmp

Filesize
428KB

Download