dcrat | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatality.exe
Size

3.3MB
MD5

c883ea559bee9a0cb393aa32dcaf5d80
SHA1

995dfd0d9d504bec628e7d7297962677d8ab32cb
SHA256

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9
SHA512

9ee8ef8a9912b14bcbeb3c13b2670c92eecc17c4a8a719d6bd9935f17239a244457e2f711c01e374febd767c866d6c563bad97e687680919ca0c017d738626ee
SSDEEP

98304:db5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8N7:hMyqKM1TogtqT44NN7

Score

10^/10

dcrat discovery evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\SppExtComObj.exe\", \"C:\\blockcomSession\\csrss.exe\", \"C:\\blockcomSession\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\cmd.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\SppExtComObj.exe\", \"C:\\blockcomSession\\csrss.exe\", \"C:\\blockcomSession\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\cmd.exe\", \"C:\\blockcomSession\\SppExtComObj.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\SppExtComObj.exe\", \"C:\\blockcomSession\\csrss.exe\", \"C:\\blockcomSession\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\cmd.exe\", \"C:\\blockcomSession\\SppExtComObj.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\SppExtComObj.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\SppExtComObj.exe\", \"C:\\blockcomSession\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\SppExtComObj.exe\", \"C:\\blockcomSession\\csrss.exe\", \"C:\\blockcomSession\\WmiPrvSE.exe\""	containerReview.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	3536	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	3536	schtasks.exe	98

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fatality.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	containerReview.exe

Executes dropped EXE 20 IoCs

pid	Process
1284	fatality.exe
4404	icsys.icn.exe
748	explorer.exe
3612	spoolsv.exe
3228	svchost.exe
4160	spoolsv.exe
1540	containerReview.exe
4268	cmd.exe
3848	cmd.exe
3264	cmd.exe
3608	cmd.exe
4024	cmd.exe
584	cmd.exe
2092	cmd.exe
2528	cmd.exe
4512	cmd.exe
3920	cmd.exe
912	cmd.exe
5048	cmd.exe
3140	cmd.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\blockcomSession\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\blockcomSession\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\blockcomSession\\WmiPrvSE.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\SppExtComObj.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\blockcomSession\\SppExtComObj.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Speech\\cmd.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\blockcomSession\\SppExtComObj.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\SppExtComObj.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\blockcomSession\\WmiPrvSE.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Speech\\cmd.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\hnaorh.exe	csc.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File created	\??\c:\Windows\System32\CSC2CEDF6DFB4214A098371A04383175F24.TMP	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1284	fatality.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\SppExtComObj.exe	containerReview.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\e1ef82546f0b02	containerReview.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	fatality.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File created	C:\Windows\Speech\cmd.exe	containerReview.exe
File created	C:\Windows\Speech\ebf1f9fa8afd6d	containerReview.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4852	PING.EXE
1136	PING.EXE
2252	PING.EXE
2880	PING.EXE
1392	PING.EXE
4488	PING.EXE
4040	PING.EXE
4820	PING.EXE
3604	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fatality.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
4488	PING.EXE
1136	PING.EXE
2252	PING.EXE
4820	PING.EXE
1392	PING.EXE
4040	PING.EXE
4852	PING.EXE
2880	PING.EXE
3604	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4468	schtasks.exe
5100	schtasks.exe
4728	schtasks.exe
3392	schtasks.exe
4276	schtasks.exe
1496	schtasks.exe
1724	schtasks.exe
828	schtasks.exe
2272	schtasks.exe
1756	schtasks.exe
3184	schtasks.exe
3764	schtasks.exe
4932	schtasks.exe
2196	schtasks.exe
584	schtasks.exe
2728	schtasks.exe
4292	schtasks.exe
3696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
4052	fatality.exe
1284	fatality.exe
1284	fatality.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
4404	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
748	explorer.exe
3228	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	containerReview.exe
Token: SeDebugPrivilege	4268	cmd.exe
Token: SeDebugPrivilege	3848	cmd.exe
Token: SeDebugPrivilege	3264	cmd.exe
Token: SeDebugPrivilege	3608	cmd.exe
Token: SeDebugPrivilege	4024	cmd.exe
Token: SeDebugPrivilege	584	cmd.exe
Token: SeDebugPrivilege	2092	cmd.exe
Token: SeDebugPrivilege	2528	cmd.exe
Token: SeDebugPrivilege	4512	cmd.exe
Token: SeDebugPrivilege	3920	cmd.exe
Token: SeDebugPrivilege	912	cmd.exe
Token: SeDebugPrivilege	5048	cmd.exe
Token: SeDebugPrivilege	3140	cmd.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4052	fatality.exe
4052	fatality.exe
1284	fatality.exe
4404	icsys.icn.exe
4404	icsys.icn.exe
748	explorer.exe
748	explorer.exe
3612	spoolsv.exe
3612	spoolsv.exe
3228	svchost.exe
3228	svchost.exe
4160	spoolsv.exe
4160	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1284	4052	fatality.exe	83
PID 4052 wrote to memory of 1284	4052	fatality.exe	83
PID 4052 wrote to memory of 1284	4052	fatality.exe	83
PID 4052 wrote to memory of 4404	4052	fatality.exe	84
PID 4052 wrote to memory of 4404	4052	fatality.exe	84
PID 4052 wrote to memory of 4404	4052	fatality.exe	84
PID 4404 wrote to memory of 748	4404	icsys.icn.exe	85
PID 4404 wrote to memory of 748	4404	icsys.icn.exe	85
PID 4404 wrote to memory of 748	4404	icsys.icn.exe	85
PID 748 wrote to memory of 3612	748	explorer.exe	86
PID 748 wrote to memory of 3612	748	explorer.exe	86
PID 748 wrote to memory of 3612	748	explorer.exe	86
PID 3612 wrote to memory of 3228	3612	spoolsv.exe	87
PID 3612 wrote to memory of 3228	3612	spoolsv.exe	87
PID 3612 wrote to memory of 3228	3612	spoolsv.exe	87
PID 1284 wrote to memory of 2420	1284	fatality.exe	88
PID 1284 wrote to memory of 2420	1284	fatality.exe	88
PID 1284 wrote to memory of 2420	1284	fatality.exe	88
PID 3228 wrote to memory of 4160	3228	svchost.exe	89
PID 3228 wrote to memory of 4160	3228	svchost.exe	89
PID 3228 wrote to memory of 4160	3228	svchost.exe	89
PID 2420 wrote to memory of 228	2420	WScript.exe	94
PID 2420 wrote to memory of 228	2420	WScript.exe	94
PID 2420 wrote to memory of 228	2420	WScript.exe	94
PID 228 wrote to memory of 1540	228	cmd.exe	97
PID 228 wrote to memory of 1540	228	cmd.exe	97
PID 1540 wrote to memory of 3732	1540	containerReview.exe	102
PID 1540 wrote to memory of 3732	1540	containerReview.exe	102
PID 3732 wrote to memory of 4936	3732	csc.exe	104
PID 3732 wrote to memory of 4936	3732	csc.exe	104
PID 1540 wrote to memory of 1604	1540	containerReview.exe	120
PID 1540 wrote to memory of 1604	1540	containerReview.exe	120
PID 1604 wrote to memory of 1228	1604	cmd.exe	122
PID 1604 wrote to memory of 1228	1604	cmd.exe	122
PID 1604 wrote to memory of 3604	1604	cmd.exe	123
PID 1604 wrote to memory of 3604	1604	cmd.exe	123
PID 1604 wrote to memory of 4268	1604	cmd.exe	131
PID 1604 wrote to memory of 4268	1604	cmd.exe	131
PID 4268 wrote to memory of 1936	4268	cmd.exe	134
PID 4268 wrote to memory of 1936	4268	cmd.exe	134
PID 1936 wrote to memory of 1804	1936	cmd.exe	136
PID 1936 wrote to memory of 1804	1936	cmd.exe	136
PID 1936 wrote to memory of 4040	1936	cmd.exe	137
PID 1936 wrote to memory of 4040	1936	cmd.exe	137
PID 1936 wrote to memory of 3848	1936	cmd.exe	142
PID 1936 wrote to memory of 3848	1936	cmd.exe	142
PID 3848 wrote to memory of 1708	3848	cmd.exe	144
PID 3848 wrote to memory of 1708	3848	cmd.exe	144
PID 1708 wrote to memory of 3656	1708	cmd.exe	146
PID 1708 wrote to memory of 3656	1708	cmd.exe	146
PID 1708 wrote to memory of 4488	1708	cmd.exe	147
PID 1708 wrote to memory of 4488	1708	cmd.exe	147
PID 1708 wrote to memory of 3264	1708	cmd.exe	149
PID 1708 wrote to memory of 3264	1708	cmd.exe	149
PID 3264 wrote to memory of 3472	3264	cmd.exe	152
PID 3264 wrote to memory of 3472	3264	cmd.exe	152
PID 3472 wrote to memory of 2268	3472	cmd.exe	154
PID 3472 wrote to memory of 2268	3472	cmd.exe	154
PID 3472 wrote to memory of 3268	3472	cmd.exe	155
PID 3472 wrote to memory of 3268	3472	cmd.exe	155
PID 3472 wrote to memory of 3608	3472	cmd.exe	157
PID 3472 wrote to memory of 3608	3472	cmd.exe	157
PID 3608 wrote to memory of 2804	3608	cmd.exe	160
PID 3608 wrote to memory of 2804	3608	cmd.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fatality.exe
"C:\Users\Admin\AppData\Local\Temp\fatality.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4052
- \??\c:\users\admin\appdata\local\temp\fatality.exe
  c:\users\admin\appdata\local\temp\fatality.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession/containerReview.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\32mmcd4a\32mmcd4a.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA96F.tmp" "c:\Windows\System32\CSC2CEDF6DFB4214A098371A04383175F24.TMP"
        7⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2JCKGyhaxO.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3604
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkzh3ZFdGZ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4040
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I6hKBNza0Y.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4488
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3268
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1L3CyIkVD.bat"
        14⤵
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4852
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CU0JBUISt3.bat"
        16⤵
        
        PID:4996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1496
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat"
        18⤵
        
        PID:4092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1136
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GCUhdmH1So.bat"
        20⤵
        
        PID:2664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2252
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwaRxMoVB5.bat"
        22⤵
        
        PID:1120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:5032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrsChc0jod.bat"
        24⤵
        
        PID:508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4820
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SlRmWYpFEV.bat"
        26⤵
        
        PID:4216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1392
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EjpRfFHJ5y.bat"
        28⤵
        
        PID:3712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:852
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ujuZrulyBl.bat"
        30⤵
        
        PID:4680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:1232
        
        C:\Windows\Speech\cmd.exe
        
        "C:\Windows\Speech\cmd.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TtX0d4fx4d.bat"
        32⤵
        
        PID:1376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4716
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4404
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:748
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3612
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\blockcomSession\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\blockcomSession\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\blockcomSession\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\blockcomSession\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\blockcomSession\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\blockcomSession\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Speech\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\blockcomSession\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\blockcomSession\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\blockcomSession\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 8 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 11 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
935ecb30a8e13f625a9a89e3b0fcbf8f

SHA1
41cb046b7b5f89955fd53949efad8e9f3971d731

SHA256
2a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9

SHA512
1210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat

Filesize
201B

MD5
11080649f225b42fb3136878577380f2

SHA1
f8936e729b65839eaebbaaafc6648a6311dad319

SHA256
84f704ce20625347b329cc4ad48397ce3b1867695a4336331d494b750c614e06

SHA512
2966e0c1756c3531facfac540dab3c8ec674685dca69200d98a2973805f645d4e659c176e9e4d2c2b15c69e99bd5d2ccdbea30106328cdd5e3be233c4e837e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\2JCKGyhaxO.bat

Filesize
153B

MD5
4708e56f681055c59447874f1fa3dcae

SHA1
133f7db0d7daeeb4742f66eb31614617ccf07814

SHA256
a8bb36100d2198aaa7ef2bbc8e3b5c947f2f882f5b30b4cdc2b0d61175f05a8a

SHA512
167fe40c18a0da0740fd5cb17abf3b05d7a6a7134778dcac88556eb37d385205cde04f584f9ed075a92f9c78a0b3e6934166371c3b37be0a93bc09474df379f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1L3CyIkVD.bat

Filesize
153B

MD5
aba3dd0b46bfed72a127bd02d8f42848

SHA1
2c9387104d4e1d9204ac1dac49ca8aab91f67d35

SHA256
62447b7f0f59865cc23bf32ecb61575d8acde14da3aabfbf282770c5d0a0e7a3

SHA512
63182d50350b351d860b1cc981abf5ef3421faa59d0339bdbb9ebacb3d50ceefccc639f5ba7cdc1b32550eb9e958b1c113264a1891662ab0d4a0f2887f6eb2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CU0JBUISt3.bat

Filesize
201B

MD5
90500b42b7d2f435d7c6ea871afc4af5

SHA1
8bbd17ab2bc6a2138dcdc6ba683d73bff78be4be

SHA256
94b0eb741e4d83d2b38d7b04a03f6b2a428ac382fadff7228df187423d612958

SHA512
6c6991f59cd19a46072a416d823a695c1fc5d7a633d1bc617c0ce666f95da3a2d79e7176716e11153de04d7ef563dabe7ed93d18e2e2efecf4b179bf347235b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EjpRfFHJ5y.bat

Filesize
201B

MD5
60a66b0ef34f4514f08bfd0e93092410

SHA1
ba5adf6e1e80437e9a65d29507388bb4b0895de7

SHA256
0dfa9c09c273d225703cae83e004c079813ec219feefaadc04542e1f328a7cfe

SHA512
95da76fbff349f530020ab899d3f1b3d0585f51e7f54a9bdb8cf6d64eea7c1c072abae1e631314cf56768bad0e9a87a9f59b5ab821a506ff768a379268a6260e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCUhdmH1So.bat

Filesize
153B

MD5
3465c7f3a02a540bdf154c44791b3978

SHA1
4b23007c9a08eeab0883b1da847559979d812f26

SHA256
bc6c50e9df4f22518f669b76157a77fcff4666f32f77315f1c4e7b4b26f2a92c

SHA512
651cf28ed4bb9258175663f1d906b4908b0e7e6f4ab52de65b75227796c2fab4f1d87f25b6aaa9b48166f385c9e466462e808a99fa0e5c9de1d89d3589fd7655

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrsChc0jod.bat

Filesize
153B

MD5
12da7538ade2bd8b65a8bd494c76437c

SHA1
9947eac98ca27de831893327a6fd828ec9fd8b0f

SHA256
3a83b757dc5e1e7b6946e161b6540ea965ff21192d3fbc91da1602fe7456457e

SHA512
13377f13ad0c4adf2035e826122ab43b2b507972a08b55a8d8b7cb18edddab1870bbd168f8d1ad1fb128262c84c559131acbae78842c5a8322c704d393952e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\I6hKBNza0Y.bat

Filesize
153B

MD5
40f654817d9b2113903b6ea44ce7a49f

SHA1
a273468dffbe16225529239d43ffd80e4873c019

SHA256
8104987e9f439f100898c99429a8268e4c7ad1abc93ef5d3a03bb46b01e9a1f0

SHA512
d1aedec51a59c5d14319677b321783594cfe9a72485ed81be6b7550cff1655915cf2650404be9ca210e1a23c25b30892a2037ba80bd23573bb2262e1567452a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA96F.tmp

Filesize
1KB

MD5
921d5739182c651f91e1255229b4df8f

SHA1
a7197efeb1659d0be9a3eec7f9640d34d2a12f94

SHA256
6595aef7b2e539451e31afe3d54335ac8c9be20b05a81ad63dfb1f83dfe10460

SHA512
edf9515a9c82e2809755bcf139dd1dc17f15863d7fb36615a20ba35076d8ff008a057ec4159d1aace7913cf1ddc7e2ef0f619fe72a3a42de41322d92deeaf4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SlRmWYpFEV.bat

Filesize
153B

MD5
aa955f533c23cddd6e8c67979ca091cc

SHA1
c104703de97cd577930e56d35d4ea2883833b823

SHA256
f552d991f1e8fe1ff781c40d24a9839a4d6221275642548051efe6b9bf1a4019

SHA512
4fd171b713fae181d33dc8bd30f56917d8533c959eb7a677d2f1e64bbc2b578d2fcdf6907d15d93663ce04c4bb00d457f45e543fde2e390f2b69017e574904f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtX0d4fx4d.bat

Filesize
201B

MD5
c8c7b98c7a20b22ce77bb4433689faf5

SHA1
4f6fbec9c1bfd6d91ccf880af20a91bbf2aad2b5

SHA256
539cd92f1fe79687fb52e8dc6521dbcd6501b14b6bce0765fae2b47760eb7cb3

SHA512
559d9e22dcbf20128419aee6d53076bc3afd8475f3ef3f4fb0d5af389b175ccd2231227b910914a004132462316501cf4dd48b4ce342b0b9b18dd5c0958bb8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwaRxMoVB5.bat

Filesize
153B

MD5
9238e7450f54f4fcfd905ee93da46912

SHA1
b7d4aeaebc30f01c59dd815cd526889b39a3eba6

SHA256
1992af265f9040710179baefc20471b02ce414c5d4389e74083c9824fc75bcd1

SHA512
57d757d24bc125fe5d4c8260eb4022a442de4fe65d930feb80ed9e46d2c0ab974c8e56afeb6ff10aca1591e57c9706a9b6cdc3b7a4f32a354585727473b4d10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat

Filesize
153B

MD5
e832b85d1ed581d9c5c6094b9ee2b0f2

SHA1
e0e04e16dc01e8139d0f9ad2922bbcbe6aa1b6ff

SHA256
f9a806fa764b35eae83aa205187092f06403e1ec3fcbbb8458c82733e7325f26

SHA512
a2a7ef667aa39424f0a27611701cb3ecdba7b2fed15cd139e051d25e8df1fd79e81bb4434a3aa950bce8b55952196852755d96ea99dc662debfaca69272e1718

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkzh3ZFdGZ.bat

Filesize
153B

MD5
ec46f4e2f2e62fd9234540ba4b6e6550

SHA1
adb62f95cec5115892cb771bba2dd56073268bd8

SHA256
1e3ea487b5119c7e6f5ab11c80cecdcc18afb701923897f2560dfe6d8a7788d6

SHA512
310a1b5439d8bbd0a65a759e3d2196fdde7758dcfb228aca503731f34bc65e43049353a51df9e7a9ecbbe5d5358f2e958a89b038912e007dc3c99ba55808ccba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
3.2MB

MD5
a7040b85fc683f088f4c6e5b44052c43

SHA1
7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66

SHA256
b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

SHA512
e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujuZrulyBl.bat

Filesize
201B

MD5
15e899e623500248ff3cae43955c10ed

SHA1
cb0ae3eb247232b331773c9cd386f5ec29c553fe

SHA256
c681f3da9b5dcbed989dbfde0341e81a8d83f7c7cfc3fe24545088f2c32ca94a

SHA512
c2f3d613289ddd11dd0e125a38f2f0055778977eb50ba4e583e3e8c19efb662303b45ec040dc6960e23ca3e2ba7c62eba27935af9786b69b8dbbc3f1cdbd9b79

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
b5701f8ff67308f09cfc5c794418985c

SHA1
2a27c0c0c970a4962ed4c0bddd369311a3cb7262

SHA256
6ec2ed5dc5191bcb87c460ac69f470c916dbf9d210dbcfec0c2839e77c379f03

SHA512
ffdeb8b08446a352717b38d8cdacc6eb0b6b263302581b7a7106ea538f9b6c08ee7aa6fb78230caf4b5ed26bd0b4401fbcc3609af9c1e44ef4e94fc7dea80987

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d36cc2935ae0e7a5d2936db589a9b8cc

SHA1
082bd58c0ad60fa4783b63a4f681a5c5fad8e1a6

SHA256
4c93adb50768feb3cdea95f1fedc5d6fdc262d59f12c4b66601d377e2709c2e3

SHA512
547452ba0de7c8ebeec8e4bb2d916c7a881b6743e6d1fb6d2761a202b7cf5bb30c3f541957de70c584b46b7171f3f20338b4985341829b408c366aeaeced9290

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
63b13fad29707c88338e60ff990b1626

SHA1
3b8746739271727cc8687baae4ac3b2cbd2b372b

SHA256
b74964263f68352edc078756d3add2d1bc3ec671075c286b8649623b7d384b8f

SHA512
d7a5876195ff2477d8196435a253c24f473c35e3df82c7ff273912108d42acc0f37930001be3a14a225237ece7ca62038df7cb47e208ad14032bb6085bc361d6

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
7a4dee6cbd3f5886b08d1f5cc38074fe

SHA1
ba8c994093159d147fdcdcafc266bfc2efe0f7ab

SHA256
751e2f6003519ee059722003474978bf845f06e9c1473df1a0c7635ded515ea7

SHA512
9fe58b81869e9d0ca7a54a5c2c7efc72a00df17589e8ef4df798b57d08289f0ad93d7db44a3f7f133c41074f3d59caade00da4cca8dfb1465273116eee1e485a

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
C:\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\32mmcd4a\32mmcd4a.0.cs

Filesize
398B

MD5
f48650ac0ba956a063c9caebdb9a5d42

SHA1
2ae4da5015f03320840b805d870be86c41b2a5aa

SHA256
b73de842428247a03f573be234ea6eb9552630fb26e5d4b0af227b3553ec7747

SHA512
2c10e6e8c6ca6d6870bea63d386a46dc4e25417997b3618ee5242a39c711c97870f7cbf5d86ef452ec9cb5ea9c92047b26ef782633b30ad1291e0cfd2ec285e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\32mmcd4a\32mmcd4a.cmdline

Filesize
235B

MD5
ff713bae5b95bc444ccf98e010d828a6

SHA1
8d09f1e2fdada324fafc47c06f6b185ace0c9cf2

SHA256
cf7d50eeab98a2ec0a04ae1feaa6621bfc2f9de89233be5670f4e840a2a6fdfd

SHA512
6cf2ab1744e7968734af0deebb8bece31b4773645225f9a4265319e1ef253ce5ebb9b9836efdf49dcc80acb202463af878b552c8ea8e9cb802ef44fef049e46b

Download Submit
\??\c:\Windows\System32\CSC2CEDF6DFB4214A098371A04383175F24.TMP

Filesize
1KB

MD5
65d5babddb4bd68783c40f9e3678613f

SHA1
71e76abb44dbea735b9faaccb8c0fad345b514f4

SHA256
d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f

SHA512
21223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf

Download Submit
memory/748-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-54-0x0000000000810000-0x0000000000BF1000-memory.dmp

Filesize
3.9MB

Download
memory/1284-8-0x0000000000810000-0x0000000000BF1000-memory.dmp

Filesize
3.9MB

Download
memory/1540-74-0x0000000002660000-0x000000000266E000-memory.dmp

Filesize
56KB

Download
memory/1540-67-0x000000001B0B0000-0x000000001B0CC000-memory.dmp

Filesize
112KB

Download
memory/1540-76-0x00000000027D0000-0x00000000027DC000-memory.dmp

Filesize
48KB

Download
memory/1540-63-0x0000000000290000-0x0000000000480000-memory.dmp

Filesize
1.9MB

Download
memory/1540-72-0x0000000002650000-0x000000000265E000-memory.dmp

Filesize
56KB

Download
memory/1540-70-0x000000001B0D0000-0x000000001B0E8000-memory.dmp

Filesize
96KB

Download
memory/1540-68-0x000000001B480000-0x000000001B4D0000-memory.dmp

Filesize
320KB

Download
memory/1540-65-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/3228-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3612-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4052-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4052-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4160-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4160-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4268-120-0x000000001CB90000-0x000000001CCFA000-memory.dmp

Filesize
1.4MB

Download
memory/4404-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download