Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2025, 11:47

General

  • Target

    fatality.exe

  • Size

    3.2MB

  • MD5

    a7040b85fc683f088f4c6e5b44052c43

  • SHA1

    7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66

  • SHA256

    b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

  • SHA512

    e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301

  • SSDEEP

    98304:hb5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8Nb:FMyqKM1TogtqT44NNb

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 15 IoCs
  • Runs ping.exe 1 TTPs 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fatality.exe
    "C:\Users\Admin\AppData\Local\Temp\fatality.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\blockcomSession\containerReview.exe
          "C:\blockcomSession/containerReview.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5064
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2fo4xjjg\2fo4xjjg.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2244
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1F4.tmp" "c:\Windows\System32\CSC7652260DA9914C60ACF64CCE6BA95BBE.TMP"
              6⤵
                PID:4128
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jSfCofX1fM.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2268
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1848
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3704
                • C:\blockcomSession\containerReview.exe
                  "C:\blockcomSession\containerReview.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1640
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KcXus5bWRf.bat"
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1040
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:4264
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:232
                        • C:\blockcomSession\containerReview.exe
                          "C:\blockcomSession\containerReview.exe"
                          8⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:428
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat"
                            9⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3564
                            • C:\Windows\system32\chcp.com
                              chcp 65001
                              10⤵
                                PID:3096
                              • C:\Windows\system32\PING.EXE
                                ping -n 10 localhost
                                10⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:3720
                              • C:\blockcomSession\containerReview.exe
                                "C:\blockcomSession\containerReview.exe"
                                10⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:4120
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PEEvsyJdYA.bat"
                                  11⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2244
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:4600
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:1696
                                    • C:\blockcomSession\containerReview.exe
                                      "C:\blockcomSession\containerReview.exe"
                                      12⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:4076
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hPr2ldZzRL.bat"
                                        13⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:2192
                                        • C:\Windows\system32\chcp.com
                                          chcp 65001
                                          14⤵
                                            PID:3716
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:3472
                                            • C:\blockcomSession\containerReview.exe
                                              "C:\blockcomSession\containerReview.exe"
                                              14⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:3320
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2rRAYV41jN.bat"
                                                15⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:3744
                                                • C:\Windows\system32\chcp.com
                                                  chcp 65001
                                                  16⤵
                                                    PID:1572
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:2340
                                                    • C:\blockcomSession\containerReview.exe
                                                      "C:\blockcomSession\containerReview.exe"
                                                      16⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2268
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCY8wWdPJ9.bat"
                                                        17⤵
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:4584
                                                        • C:\Windows\system32\chcp.com
                                                          chcp 65001
                                                          18⤵
                                                            PID:2996
                                                          • C:\Windows\system32\PING.EXE
                                                            ping -n 10 localhost
                                                            18⤵
                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                            • Runs ping.exe
                                                            PID:2388
                                                          • C:\blockcomSession\containerReview.exe
                                                            "C:\blockcomSession\containerReview.exe"
                                                            18⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4476
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat"
                                                              19⤵
                                                                PID:4336
                                                                • C:\Windows\system32\chcp.com
                                                                  chcp 65001
                                                                  20⤵
                                                                    PID:5072
                                                                  • C:\Windows\system32\PING.EXE
                                                                    ping -n 10 localhost
                                                                    20⤵
                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                    • Runs ping.exe
                                                                    PID:4768
                                                                  • C:\blockcomSession\containerReview.exe
                                                                    "C:\blockcomSession\containerReview.exe"
                                                                    20⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3612
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jsWIkAYgpB.bat"
                                                                      21⤵
                                                                        PID:2516
                                                                        • C:\Windows\system32\chcp.com
                                                                          chcp 65001
                                                                          22⤵
                                                                            PID:4688
                                                                          • C:\Windows\system32\PING.EXE
                                                                            ping -n 10 localhost
                                                                            22⤵
                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                            • Runs ping.exe
                                                                            PID:4080
                                                                          • C:\blockcomSession\containerReview.exe
                                                                            "C:\blockcomSession\containerReview.exe"
                                                                            22⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3988
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\36HI2G4svI.bat"
                                                                              23⤵
                                                                                PID:2800
                                                                                • C:\Windows\system32\chcp.com
                                                                                  chcp 65001
                                                                                  24⤵
                                                                                    PID:3140
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:944
                                                                                    • C:\blockcomSession\containerReview.exe
                                                                                      "C:\blockcomSession\containerReview.exe"
                                                                                      24⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2208
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat"
                                                                                        25⤵
                                                                                          PID:1832
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            26⤵
                                                                                              PID:3264
                                                                                            • C:\Windows\system32\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              26⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:1476
                                                                                            • C:\blockcomSession\containerReview.exe
                                                                                              "C:\blockcomSession\containerReview.exe"
                                                                                              26⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2460
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OzOnODJmNF.bat"
                                                                                                27⤵
                                                                                                  PID:1436
                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                    chcp 65001
                                                                                                    28⤵
                                                                                                      PID:2276
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      28⤵
                                                                                                        PID:1400
                                                                                                      • C:\blockcomSession\containerReview.exe
                                                                                                        "C:\blockcomSession\containerReview.exe"
                                                                                                        28⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1324
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jD9ngJpyTM.bat"
                                                                                                          29⤵
                                                                                                            PID:736
                                                                                                            • C:\Windows\system32\chcp.com
                                                                                                              chcp 65001
                                                                                                              30⤵
                                                                                                                PID:2756
                                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                                ping -n 10 localhost
                                                                                                                30⤵
                                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                • Runs ping.exe
                                                                                                                PID:856
                                                                                                              • C:\blockcomSession\containerReview.exe
                                                                                                                "C:\blockcomSession\containerReview.exe"
                                                                                                                30⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Modifies registry class
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:4620
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat"
                                                                                                                  31⤵
                                                                                                                    PID:4912
                                                                                                                    • C:\Windows\system32\chcp.com
                                                                                                                      chcp 65001
                                                                                                                      32⤵
                                                                                                                        PID:4768
                                                                                                                      • C:\Windows\system32\PING.EXE
                                                                                                                        ping -n 10 localhost
                                                                                                                        32⤵
                                                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                        • Runs ping.exe
                                                                                                                        PID:3772
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1088
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2344
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1540
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\blockcomSession\fontdrvhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1184
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\blockcomSession\fontdrvhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2800
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\blockcomSession\fontdrvhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:652
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2248
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4968
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:704
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2472
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3752
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4184
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2840
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1584
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2612
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 14 /tr "'C:\blockcomSession\containerReview.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2520
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4012
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 14 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2168

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Downloads

                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containerReview.exe.log

                                                          Filesize

                                                          1KB

                                                        • C:\Users\Admin\AppData\Local\Temp\2rRAYV41jN.bat

                                                          Filesize

                                                          214B

                                                        • C:\Users\Admin\AppData\Local\Temp\36HI2G4svI.bat

                                                          Filesize

                                                          214B

                                                        • C:\Users\Admin\AppData\Local\Temp\DCY8wWdPJ9.bat

                                                          Filesize

                                                          166B

                                                        • C:\Users\Admin\AppData\Local\Temp\KcXus5bWRf.bat

                                                          Filesize

                                                          214B

                                                        • C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat

                                                          Filesize

                                                          166B

                                                        • C:\Users\Admin\AppData\Local\Temp\OzOnODJmNF.bat

                                                          Filesize

                                                          214B

                                                        • C:\Users\Admin\AppData\Local\Temp\PEEvsyJdYA.bat

                                                          Filesize

                                                          166B

                                                        • C:\Users\Admin\AppData\Local\Temp\RESE1F4.tmp

                                                          Filesize

                                                          1KB

                                                        • C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat

                                                          Filesize

                                                          166B

                                                        • C:\Users\Admin\AppData\Local\Temp\hPr2ldZzRL.bat

                                                          Filesize

                                                          214B

                                                        • C:\Users\Admin\AppData\Local\Temp\jD9ngJpyTM.bat

                                                          Filesize

                                                          166B

                                                        • C:\Users\Admin\AppData\Local\Temp\jSfCofX1fM.bat

                                                          Filesize

                                                          166B

                                                        • C:\Users\Admin\AppData\Local\Temp\jsWIkAYgpB.bat

                                                          Filesize

                                                          166B

                                                        • C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

                                                          Filesize

                                                          89B

                                                        • C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

                                                          Filesize

                                                          236B

                                                        • C:\blockcomSession\containerReview.exe

                                                          Filesize

                                                          1.9MB

                                                        • \??\c:\Users\Admin\AppData\Local\Temp\2fo4xjjg\2fo4xjjg.0.cs

                                                          Filesize

                                                          390B

                                                        • \??\c:\Users\Admin\AppData\Local\Temp\2fo4xjjg\2fo4xjjg.cmdline

                                                          Filesize

                                                          235B

                                                        • \??\c:\Windows\System32\CSC7652260DA9914C60ACF64CCE6BA95BBE.TMP

                                                          Filesize

                                                          1KB

                                                        • memory/3944-0-0x0000000000EA0000-0x0000000001281000-memory.dmp

                                                          Filesize

                                                          3.9MB

                                                        • memory/3944-9-0x0000000000EA0000-0x0000000001281000-memory.dmp

                                                          Filesize

                                                          3.9MB

                                                        • memory/5064-29-0x0000000002C20000-0x0000000002C2C000-memory.dmp

                                                          Filesize

                                                          48KB

                                                        • memory/5064-27-0x0000000002BD0000-0x0000000002BDE000-memory.dmp

                                                          Filesize

                                                          56KB

                                                        • memory/5064-25-0x0000000002BC0000-0x0000000002BCE000-memory.dmp

                                                          Filesize

                                                          56KB

                                                        • memory/5064-23-0x0000000002C00000-0x0000000002C18000-memory.dmp

                                                          Filesize

                                                          96KB

                                                        • memory/5064-21-0x000000001B540000-0x000000001B590000-memory.dmp

                                                          Filesize

                                                          320KB

                                                        • memory/5064-20-0x0000000002BE0000-0x0000000002BFC000-memory.dmp

                                                          Filesize

                                                          112KB

                                                        • memory/5064-18-0x0000000002BB0000-0x0000000002BBE000-memory.dmp

                                                          Filesize

                                                          56KB

                                                        • memory/5064-16-0x00000000007B0000-0x00000000009A0000-memory.dmp

                                                          Filesize

                                                          1.9MB

                                                        • memory/5064-15-0x00007FF83DA43000-0x00007FF83DA45000-memory.dmp

                                                          Filesize

                                                          8KB