dcrat | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatality.exe
Size

3.3MB
MD5

c883ea559bee9a0cb393aa32dcaf5d80
SHA1

995dfd0d9d504bec628e7d7297962677d8ab32cb
SHA256

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9
SHA512

9ee8ef8a9912b14bcbeb3c13b2670c92eecc17c4a8a719d6bd9935f17239a244457e2f711c01e374febd767c866d6c563bad97e687680919ca0c017d738626ee
SSDEEP

98304:db5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8N7:hMyqKM1TogtqT44NN7

Score

10^/10

dcrat discovery evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\System.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\spoolsv.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\spoolsv.exe\", \"C:\\blockcomSession\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\spoolsv.exe\", \"C:\\blockcomSession\\explorer.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\""	containerReview.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	528	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	528	schtasks.exe	44

Executes dropped EXE 18 IoCs

pid	Process
2660	fatality.exe
2608	icsys.icn.exe
2920	explorer.exe
2504	spoolsv.exe
2204	svchost.exe
1448	spoolsv.exe
1344	containerReview.exe
2892	spoolsv.exe
1992	spoolsv.exe
2244	spoolsv.exe
2452	spoolsv.exe
2628	spoolsv.exe
2864	spoolsv.exe
1588	spoolsv.exe
1888	spoolsv.exe
1220	spoolsv.exe
2536	spoolsv.exe
1964	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1796	fatality.exe
1796	fatality.exe
2608	icsys.icn.exe
2920	explorer.exe
2504	spoolsv.exe
2204	svchost.exe
544	cmd.exe
544	cmd.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\blockcomSession\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\blockcomSession\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\System.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\System.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\spoolsv.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\spoolsv.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\8wawgv.exe	csc.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File created	\??\c:\Windows\System32\CSC809C7BE76086411B8022ADE7861D8C97.TMP	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2660	fatality.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe	containerReview.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\f3b6ecef712a24	containerReview.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe	containerReview.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\27d1bcfc3c54e0	containerReview.exe
File created	C:\Program Files (x86)\Windows Mail\sppsvc.exe	containerReview.exe
File created	C:\Program Files (x86)\Windows Mail\0a1fd5f707cd16	containerReview.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	fatality.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2360	PING.EXE
2772	PING.EXE
1720	PING.EXE
2520	PING.EXE
2400	PING.EXE
1564	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2772	PING.EXE
1720	PING.EXE
2520	PING.EXE
2400	PING.EXE
1564	PING.EXE
2360	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2856	schtasks.exe
1616	schtasks.exe
1976	schtasks.exe
1808	schtasks.exe
1452	schtasks.exe
3016	schtasks.exe
2160	schtasks.exe
628	schtasks.exe
1332	schtasks.exe
1716	schtasks.exe
1756	schtasks.exe
1648	schtasks.exe
2108	schtasks.exe
1552	schtasks.exe
2752	schtasks.exe
2212	schtasks.exe
1884	schtasks.exe
1984	schtasks.exe
1508	schtasks.exe
680	schtasks.exe
2296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
1796	fatality.exe
2660	fatality.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2920	explorer.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2920	explorer.exe
2204	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	containerReview.exe
Token: SeDebugPrivilege	2892	spoolsv.exe
Token: SeDebugPrivilege	1992	spoolsv.exe
Token: SeDebugPrivilege	2244	spoolsv.exe
Token: SeDebugPrivilege	2452	spoolsv.exe
Token: SeDebugPrivilege	2628	spoolsv.exe
Token: SeDebugPrivilege	2864	spoolsv.exe
Token: SeDebugPrivilege	1588	spoolsv.exe
Token: SeDebugPrivilege	1888	spoolsv.exe
Token: SeDebugPrivilege	1220	spoolsv.exe
Token: SeDebugPrivilege	2536	spoolsv.exe
Token: SeDebugPrivilege	1964	spoolsv.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1796	fatality.exe
1796	fatality.exe
2660	fatality.exe
2608	icsys.icn.exe
2608	icsys.icn.exe
2920	explorer.exe
2920	explorer.exe
2504	spoolsv.exe
2504	spoolsv.exe
2204	svchost.exe
2204	svchost.exe
1448	spoolsv.exe
1448	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2660	1796	fatality.exe	30
PID 1796 wrote to memory of 2660	1796	fatality.exe	30
PID 1796 wrote to memory of 2660	1796	fatality.exe	30
PID 1796 wrote to memory of 2660	1796	fatality.exe	30
PID 1796 wrote to memory of 2608	1796	fatality.exe	31
PID 1796 wrote to memory of 2608	1796	fatality.exe	31
PID 1796 wrote to memory of 2608	1796	fatality.exe	31
PID 1796 wrote to memory of 2608	1796	fatality.exe	31
PID 2608 wrote to memory of 2920	2608	icsys.icn.exe	32
PID 2608 wrote to memory of 2920	2608	icsys.icn.exe	32
PID 2608 wrote to memory of 2920	2608	icsys.icn.exe	32
PID 2608 wrote to memory of 2920	2608	icsys.icn.exe	32
PID 2660 wrote to memory of 2616	2660	fatality.exe	33
PID 2660 wrote to memory of 2616	2660	fatality.exe	33
PID 2660 wrote to memory of 2616	2660	fatality.exe	33
PID 2660 wrote to memory of 2616	2660	fatality.exe	33
PID 2920 wrote to memory of 2504	2920	explorer.exe	34
PID 2920 wrote to memory of 2504	2920	explorer.exe	34
PID 2920 wrote to memory of 2504	2920	explorer.exe	34
PID 2920 wrote to memory of 2504	2920	explorer.exe	34
PID 2504 wrote to memory of 2204	2504	spoolsv.exe	35
PID 2504 wrote to memory of 2204	2504	spoolsv.exe	35
PID 2504 wrote to memory of 2204	2504	spoolsv.exe	35
PID 2504 wrote to memory of 2204	2504	spoolsv.exe	35
PID 2204 wrote to memory of 1448	2204	svchost.exe	36
PID 2204 wrote to memory of 1448	2204	svchost.exe	36
PID 2204 wrote to memory of 1448	2204	svchost.exe	36
PID 2204 wrote to memory of 1448	2204	svchost.exe	36
PID 2920 wrote to memory of 620	2920	explorer.exe	37
PID 2920 wrote to memory of 620	2920	explorer.exe	37
PID 2920 wrote to memory of 620	2920	explorer.exe	37
PID 2920 wrote to memory of 620	2920	explorer.exe	37
PID 2204 wrote to memory of 2212	2204	svchost.exe	38
PID 2204 wrote to memory of 2212	2204	svchost.exe	38
PID 2204 wrote to memory of 2212	2204	svchost.exe	38
PID 2204 wrote to memory of 2212	2204	svchost.exe	38
PID 2616 wrote to memory of 544	2616	WScript.exe	41
PID 2616 wrote to memory of 544	2616	WScript.exe	41
PID 2616 wrote to memory of 544	2616	WScript.exe	41
PID 2616 wrote to memory of 544	2616	WScript.exe	41
PID 544 wrote to memory of 1344	544	cmd.exe	43
PID 544 wrote to memory of 1344	544	cmd.exe	43
PID 544 wrote to memory of 1344	544	cmd.exe	43
PID 544 wrote to memory of 1344	544	cmd.exe	43
PID 1344 wrote to memory of 2092	1344	containerReview.exe	48
PID 1344 wrote to memory of 2092	1344	containerReview.exe	48
PID 1344 wrote to memory of 2092	1344	containerReview.exe	48
PID 2092 wrote to memory of 880	2092	csc.exe	50
PID 2092 wrote to memory of 880	2092	csc.exe	50
PID 2092 wrote to memory of 880	2092	csc.exe	50
PID 1344 wrote to memory of 1932	1344	containerReview.exe	66
PID 1344 wrote to memory of 1932	1344	containerReview.exe	66
PID 1344 wrote to memory of 1932	1344	containerReview.exe	66
PID 1932 wrote to memory of 2760	1932	cmd.exe	68
PID 1932 wrote to memory of 2760	1932	cmd.exe	68
PID 1932 wrote to memory of 2760	1932	cmd.exe	68
PID 1932 wrote to memory of 2772	1932	cmd.exe	69
PID 1932 wrote to memory of 2772	1932	cmd.exe	69
PID 1932 wrote to memory of 2772	1932	cmd.exe	69
PID 1932 wrote to memory of 2892	1932	cmd.exe	71
PID 1932 wrote to memory of 2892	1932	cmd.exe	71
PID 1932 wrote to memory of 2892	1932	cmd.exe	71
PID 2892 wrote to memory of 2508	2892	spoolsv.exe	72
PID 2892 wrote to memory of 2508	2892	spoolsv.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fatality.exe
"C:\Users\Admin\AppData\Local\Temp\fatality.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796
- \??\c:\users\admin\appdata\local\temp\fatality.exe
  c:\users\admin\appdata\local\temp\fatality.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession/containerReview.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fjwcviiy\fjwcviiy.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB912.tmp" "c:\Windows\System32\CSC809C7BE76086411B8022ADE7861D8C97.TMP"
        7⤵
        
        PID:880
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HW1p3dTEiq.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2772
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w6HeTDdWXW.bat"
        8⤵
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2880
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VvHaJEFDnD.bat"
        10⤵
        
        PID:2028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:848
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ImsszXQrCQ.bat"
        12⤵
        
        PID:896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1720
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat"
        14⤵
        
        PID:1064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2436
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N0qXQFLliw.bat"
        16⤵
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2520
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fGOYhFobNz.bat"
        18⤵
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4op7oIQpKO.bat"
        20⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1564
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPELUvEZwh.bat"
        22⤵
        
        PID:344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2776
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Styje6hwPL.bat"
        24⤵
        
        PID:992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ndC0udATSD.bat"
        26⤵
        
        PID:1848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1444
        
        C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2608
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2504
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1448
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:27 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2212
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:28 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1552
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:29 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\blockcomSession\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\blockcomSession\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 6 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 9 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4op7oIQpKO.bat

Filesize
187B

MD5
7bfaa2044b36a0de8c221c538cfce927

SHA1
c232ac8c5182e0e2ab0326b35e66655214443141

SHA256
246ce9b1163bab9289ad13e2c37ab6cbd24db38b9723ca889325628d2d4bd35a

SHA512
66f7ef4330d70f5dabccfebc9ced83fc7d196866c42d7452719062d8c542218ae07f9211458dc6ede53d775919ddcddd325077a1f9dcb584feaccca8f1ec5452

Download Submit
C:\Users\Admin\AppData\Local\Temp\HW1p3dTEiq.bat

Filesize
187B

MD5
510296c8f14f5f093dc910c2cd835fdd

SHA1
c3fa75fc4ccdccf83d7b8a8501a60d651b3dfb77

SHA256
edacaa1e80b0bbe8ac8f1c0904a1a5baa44002b8d692c7094a8d42084cae6099

SHA512
ac68bbd336f0ad19825c0d1b9c69cc4a21c4425f0cd38b8e10f9bb5742a7d6ce67e1531bb127dffb78a1129b674fb129cf8e851072981a66e6db3edf5adfeab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImsszXQrCQ.bat

Filesize
187B

MD5
fa78bbb2d39aa02fef2c40dd6d7937fd

SHA1
ca9f7429753a7bcbe25708dd8c5cc9c21d0d3dfe

SHA256
244fff2ce1fb5603d490fb4c89e24b8fb29cf2ec5ba626428a4087c43bf0754f

SHA512
a6cc1eb5246a165b33cad1dcdfb05526fde65877c599ea9473df9c60e4a3484c7d8f62becc0861bb11e9a26f613ae92d3230000d616c587f2787a5a7f0e9d75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\N0qXQFLliw.bat

Filesize
187B

MD5
46d5d8aa99b45a5a3c1a4c8ef32a93a5

SHA1
8cda07c978bc6d9bae4c898d1abd0cd6e9dcc7b6

SHA256
ec9550434368751eb3c48967213221ce482a16e43f6257821ec6d695c51426de

SHA512
cacc05eb6d56de1c030edfb23d683f6d6639f0a75d98357295324be3ba04d0f6eb264185cc02727993c921a20af3e43923294a0bde8cb6f49cb7605996030b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB912.tmp

Filesize
1KB

MD5
17b8cdcac3dbe328e5f1cdc676cd7a92

SHA1
08f12930d699c973bae8b958fed1ce991b07630a

SHA256
f8f33e6507bb940c10f1a9adca21960ff5f1857fbae4e7bd1d7a0f68d03ee960

SHA512
9988d8130ddccb1c14bd9d32b5a2e5ad979229dd35bcd6bd2f0067eda94476b363cfde6f3030256a59eb2fda87475cc6a16c9f7983f1eda5098f101d2cdf13b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Styje6hwPL.bat

Filesize
187B

MD5
72414c70179359e56612f31f2d4ef501

SHA1
5180e33070324faa0f974cdb750179c9d143f45f

SHA256
07b211bd79fbabe2a3906dc7cb4c9426944bb3f72b3fa871d7be2f8ca82903c1

SHA512
a9ee2473ad63f322a801ac7b42519dbcdb6ea9a6d3d583760d9ae71fffd68840ac5a09486f50ad33e8a8d0f69c7fe57e1e43fbdea5dcef3fdfa2900de24c5cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\VvHaJEFDnD.bat

Filesize
235B

MD5
7be3664e7306a933b85fa6b8d01c36fb

SHA1
a454f64f19455b018678e7a36f3a6a639379ef43

SHA256
f221e28937a1f5573aa4e6946cd996d3fa38023cd366d80c5cc7f83f91521db5

SHA512
4752c2b3848ae55d732b1508a53075c24d5fe4f7bd98960b1647cc0d8987d18b3d102853ef413b9d20ba3c8bf74225abd767305beb03a6a3f37e05cfa5a300c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat

Filesize
235B

MD5
dd6c2767cc70f8b2fd988bcc5daf409e

SHA1
33992011a08d5cf89790c13175f822543c529f3d

SHA256
4d5d343db36da8db67a5da0703bf1c2f01f2222d2da898a1e0075364dcf3fe4a

SHA512
96f2bba5f4d570b882917c62d178e80df175853021795305b83091e90b156cb51068fe9878e78d94abb653eaeca6b592137f4a87085c7f8a9e12f9621e1dbe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGOYhFobNz.bat

Filesize
187B

MD5
f38540d0a4a46b80c0d8e5b598e2286e

SHA1
332721d19c1b0a061f60adeeb18f038f3ac55e73

SHA256
d17910a97d4aed018a5d84865341b46b7c46f4b530293d09f40ba16a4a93de3c

SHA512
5bff61acc592f707255527d3b04fd33a4d10ff04311e54040d095f9623b2d457e606b9130806445316a7d633d3f00db7cf08eb0e8dd9f429ce1c39219258f2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPELUvEZwh.bat

Filesize
235B

MD5
3e449c1c32d8bbd1ff011f5c2cadfc44

SHA1
635a928fa17cb05a1c70b67c425294621a411e3d

SHA256
abe648ce7d8931eb3577cf7ae7213c4fa33c3fe6897ca6a5da177c9f6b1c4a26

SHA512
2010a940039773b158dd05e372651daa2dfaf7ef31844680fe5d00b8a654f7babc9f76d48fa0045070875190d7f40e560f7528cd45f685c6792ab3e61994fa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndC0udATSD.bat

Filesize
235B

MD5
df446176877f4eaeddc03fdab3885515

SHA1
caa8aaf98932ef0fdaec1ee1f8a9ae0bc9a4f756

SHA256
278281594648598b0c7ff1c56bca89727cbb9fe8bd48396f2ebc6e08591bf4a3

SHA512
3fce4cac96d6bd9ddd7ec51b1e29f44073bc8bba72e6df1e4ee15d6eef9405a8f64a6364cf62ec4c762a59abea07283aa3a58a0d85feb0811f17741b9ac98f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\w6HeTDdWXW.bat

Filesize
235B

MD5
6164eff20b754b434031ccb0515da53c

SHA1
d529abe72a74ed3751de3de65b875ae821a24b55

SHA256
6b1270440f50d540b49d99ffebca1d78afb561820e6e62bdb3d997120509356f

SHA512
99ed81ff920324c8191ae7f9541e9161a577d830c8e21821685aa8e7417c039e8aa4066d67d83b19a9b36687104b3f521b76931398f908659f7e391fe606d0b1

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
2588d622027124ad8d26c9fe0b2d3252

SHA1
274c58e6c9cb82694a852ad750b28fa245400f6d

SHA256
471600a38417c4f4fe2ae0345057cbda15eb3acacf85dfe3f2c77caa7c70edc5

SHA512
a429e75cdeea2f867f031359aefce0b49469af1212c742c9499b1ab023c384259d3ff867062f21d3c93bcfd75ead544975fe8e3fc09677cb7bf52b632dacb746

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fjwcviiy\fjwcviiy.0.cs

Filesize
407B

MD5
59c8b0e59b3aa7bb5622ba29b30bdde9

SHA1
6b64ee6ab372c58d06bf1025de6263ade71cea10

SHA256
00055402cf17ecb71837df3980a09a850590c786ae012de93389dae87688f5b3

SHA512
8c568838222836b202e43e2211a5d2145bbfa0220450fac2a25d1674e3f49e2f475d642fbe06493f5e0b4207d81cb8158fd7f15e9db784faca737deb96478210

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fjwcviiy\fjwcviiy.cmdline

Filesize
235B

MD5
c0060e56b9c1e6c1065130e169a2c439

SHA1
5fd482d07ec2c9d41c948906d9d2fc7b595094e0

SHA256
c546b8bb84839f116d7fd3650e4693a21228cdfebf5961d6a40e912558a3a5cb

SHA512
aa46fec2f2b274d748cd05ebf2df108d2e3f4ba3f4f6e49e61b1d5737994100c2e400cd73bd7a9b54e56af32cf12bcde170edd6c84ce077d592052f4a2dc1ecc

Download Submit
\??\c:\Windows\System32\CSC809C7BE76086411B8022ADE7861D8C97.TMP

Filesize
1KB

MD5
028d4cd290ab6fe13d6fecce144a32cc

SHA1
e1d9531cb2e6bc9cab285b1f19e5d627257a3394

SHA256
3f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3

SHA512
2f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e

Download Submit
\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
3.2MB

MD5
a7040b85fc683f088f4c6e5b44052c43

SHA1
7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66

SHA256
b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

SHA512
e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d36cc2935ae0e7a5d2936db589a9b8cc

SHA1
082bd58c0ad60fa4783b63a4f681a5c5fad8e1a6

SHA256
4c93adb50768feb3cdea95f1fedc5d6fdc262d59f12c4b66601d377e2709c2e3

SHA512
547452ba0de7c8ebeec8e4bb2d916c7a881b6743e6d1fb6d2761a202b7cf5bb30c3f541957de70c584b46b7171f3f20338b4985341829b408c366aeaeced9290

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
a2922c52a31951be01f9c55cb826b4cd

SHA1
a48cb1681273cf88b4890b4ab7670de86cd677a2

SHA256
35e9483a545e5dbf822e945cb0d316dd1d7fd663cb0f4b2a9cf4ff20713c414a

SHA512
a498a90b8346ae8c8cf2df0862795a5c244fc5c31049108ac08d395802ee51bfeb6b92a0332b35672dd17b47c8fc3868069b3765cf3d21defe972a14e586578a

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
93ec4b253c2de76889397313165c8714

SHA1
8b60746538d638fbf367a1f91300be652454572b

SHA256
b2753a294d4e96fbf220f5b562c2567d141d23cb821c8e02ee3eec74dbebd180

SHA512
8eb72d3825cddd518de6d1392a58d32e26bc45a2c5e8a3af0081b1ba534624b06b5c48a714b0c433f860f387b84f258d784451b86b59172b8ef7dcf44fdc953a

Download Submit
\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
memory/1344-84-0x0000000000660000-0x000000000067C000-memory.dmp

Filesize
112KB

Download
memory/1344-80-0x00000000008D0000-0x0000000000AC0000-memory.dmp

Filesize
1.9MB

Download
memory/1344-86-0x0000000000680000-0x0000000000698000-memory.dmp

Filesize
96KB

Download
memory/1344-88-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/1344-90-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/1344-92-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1344-82-0x0000000000210000-0x000000000021E000-memory.dmp

Filesize
56KB

Download
memory/1448-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1796-74-0x0000000000420000-0x0000000000422000-memory.dmp

Filesize
8KB

Download
memory/1796-9-0x0000000002CB0000-0x0000000003091000-memory.dmp

Filesize
3.9MB

Download
memory/1796-16-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/1796-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1796-64-0x0000000002CB0000-0x0000000003091000-memory.dmp

Filesize
3.9MB

Download
memory/1796-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2204-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2204-185-0x0000000000300000-0x000000000031F000-memory.dmp

Filesize
124KB

Download
memory/2204-65-0x0000000000300000-0x000000000031F000-memory.dmp

Filesize
124KB

Download
memory/2504-56-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2504-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2608-26-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2608-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-44-0x0000000000170000-0x0000000000551000-memory.dmp

Filesize
3.9MB

Download
memory/2660-12-0x0000000000170000-0x0000000000551000-memory.dmp

Filesize
3.9MB

Download
memory/2892-123-0x00000000012B0000-0x00000000014A0000-memory.dmp

Filesize
1.9MB

Download
memory/2920-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download