dcrat | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatality.exe
Size

3.3MB
MD5

c883ea559bee9a0cb393aa32dcaf5d80
SHA1

995dfd0d9d504bec628e7d7297962677d8ab32cb
SHA256

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9
SHA512

9ee8ef8a9912b14bcbeb3c13b2670c92eecc17c4a8a719d6bd9935f17239a244457e2f711c01e374febd767c866d6c563bad97e687680919ca0c017d738626ee
SSDEEP

98304:db5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8N7:hMyqKM1TogtqT44NN7

Score

10^/10

dcrat discovery evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcomSession\\upfc.exe\", \"C:\\Windows\\appcompat\\upfc.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcomSession\\upfc.exe\", \"C:\\Windows\\appcompat\\upfc.exe\", \"C:\\blockcomSession\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcomSession\\upfc.exe\", \"C:\\Windows\\appcompat\\upfc.exe\", \"C:\\blockcomSession\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\conhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcomSession\\upfc.exe\", \"C:\\Windows\\appcompat\\upfc.exe\", \"C:\\blockcomSession\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\conhost.exe\", \"C:\\Users\\Default\\Application Data\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcomSession\\upfc.exe\", \"C:\\Windows\\appcompat\\upfc.exe\", \"C:\\blockcomSession\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\conhost.exe\", \"C:\\Users\\Default\\Application Data\\containerReview.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcomSession\\upfc.exe\""	containerReview.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2388	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2388	schtasks.exe	92

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fatality.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 21 IoCs

pid	Process
2512	fatality.exe
2896	icsys.icn.exe
2492	explorer.exe
4984	spoolsv.exe
3256	svchost.exe
4844	spoolsv.exe
1988	containerReview.exe
4332	csrss.exe
5104	csrss.exe
748	csrss.exe
2356	csrss.exe
4456	csrss.exe
3080	csrss.exe
1852	csrss.exe
3192	csrss.exe
2096	csrss.exe
3360	csrss.exe
2280	csrss.exe
1596	csrss.exe
3940	csrss.exe
568	csrss.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\appcompat\\upfc.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\Users\\Default\\Application Data\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\blockcomSession\\upfc.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\conhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\Users\\Default\\Application Data\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\appcompat\\upfc.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\blockcomSession\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\blockcomSession\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\blockcomSession\\upfc.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\conhost.exe\""	containerReview.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File created	\??\c:\Windows\System32\CSCC662F8AF368F4F63B4969969C1117C21.TMP	csc.exe
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2512	fatality.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe	containerReview.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\088424020bedd6	containerReview.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File created	C:\Windows\appcompat\upfc.exe	containerReview.exe
File created	C:\Windows\appcompat\ea1d8f6d871115	containerReview.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	fatality.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3484	PING.EXE
3444	PING.EXE
2924	PING.EXE
2004	PING.EXE
5064	PING.EXE
4388	PING.EXE
3868	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fatality.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
3444	PING.EXE
2924	PING.EXE
2004	PING.EXE
5064	PING.EXE
4388	PING.EXE
3868	PING.EXE
3484	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2228	schtasks.exe
864	schtasks.exe
3324	schtasks.exe
1604	schtasks.exe
4772	schtasks.exe
4516	schtasks.exe
4492	schtasks.exe
1016	schtasks.exe
2684	schtasks.exe
3180	schtasks.exe
740	schtasks.exe
1880	schtasks.exe
2908	schtasks.exe
3112	schtasks.exe
4780	schtasks.exe
3452	schtasks.exe
2616	schtasks.exe
3440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
1056	fatality.exe
2512	fatality.exe
2512	fatality.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2896	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2492	explorer.exe
3256	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	containerReview.exe
Token: SeDebugPrivilege	4332	csrss.exe
Token: SeDebugPrivilege	5104	csrss.exe
Token: SeDebugPrivilege	748	csrss.exe
Token: SeDebugPrivilege	2356	csrss.exe
Token: SeDebugPrivilege	4456	csrss.exe
Token: SeDebugPrivilege	3080	csrss.exe
Token: SeDebugPrivilege	1852	csrss.exe
Token: SeDebugPrivilege	3192	csrss.exe
Token: SeDebugPrivilege	2096	csrss.exe
Token: SeDebugPrivilege	3360	csrss.exe
Token: SeDebugPrivilege	2280	csrss.exe
Token: SeDebugPrivilege	1596	csrss.exe
Token: SeDebugPrivilege	3940	csrss.exe
Token: SeDebugPrivilege	568	csrss.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1056	fatality.exe
1056	fatality.exe
2512	fatality.exe
2896	icsys.icn.exe
2896	icsys.icn.exe
2492	explorer.exe
2492	explorer.exe
4984	spoolsv.exe
4984	spoolsv.exe
3256	svchost.exe
3256	svchost.exe
4844	spoolsv.exe
4844	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2512	1056	fatality.exe	82
PID 1056 wrote to memory of 2512	1056	fatality.exe	82
PID 1056 wrote to memory of 2512	1056	fatality.exe	82
PID 1056 wrote to memory of 2896	1056	fatality.exe	83
PID 1056 wrote to memory of 2896	1056	fatality.exe	83
PID 1056 wrote to memory of 2896	1056	fatality.exe	83
PID 2896 wrote to memory of 2492	2896	icsys.icn.exe	84
PID 2896 wrote to memory of 2492	2896	icsys.icn.exe	84
PID 2896 wrote to memory of 2492	2896	icsys.icn.exe	84
PID 2492 wrote to memory of 4984	2492	explorer.exe	85
PID 2492 wrote to memory of 4984	2492	explorer.exe	85
PID 2492 wrote to memory of 4984	2492	explorer.exe	85
PID 4984 wrote to memory of 3256	4984	spoolsv.exe	86
PID 4984 wrote to memory of 3256	4984	spoolsv.exe	86
PID 4984 wrote to memory of 3256	4984	spoolsv.exe	86
PID 3256 wrote to memory of 4844	3256	svchost.exe	87
PID 3256 wrote to memory of 4844	3256	svchost.exe	87
PID 3256 wrote to memory of 4844	3256	svchost.exe	87
PID 2512 wrote to memory of 2168	2512	fatality.exe	88
PID 2512 wrote to memory of 2168	2512	fatality.exe	88
PID 2512 wrote to memory of 2168	2512	fatality.exe	88
PID 2168 wrote to memory of 5116	2168	WScript.exe	93
PID 2168 wrote to memory of 5116	2168	WScript.exe	93
PID 2168 wrote to memory of 5116	2168	WScript.exe	93
PID 5116 wrote to memory of 1988	5116	cmd.exe	95
PID 5116 wrote to memory of 1988	5116	cmd.exe	95
PID 1988 wrote to memory of 4464	1988	containerReview.exe	99
PID 1988 wrote to memory of 4464	1988	containerReview.exe	99
PID 4464 wrote to memory of 3320	4464	csc.exe	101
PID 4464 wrote to memory of 3320	4464	csc.exe	101
PID 1988 wrote to memory of 1420	1988	containerReview.exe	117
PID 1988 wrote to memory of 1420	1988	containerReview.exe	117
PID 1420 wrote to memory of 736	1420	cmd.exe	119
PID 1420 wrote to memory of 736	1420	cmd.exe	119
PID 1420 wrote to memory of 4948	1420	cmd.exe	121
PID 1420 wrote to memory of 4948	1420	cmd.exe	121
PID 1420 wrote to memory of 4332	1420	cmd.exe	124
PID 1420 wrote to memory of 4332	1420	cmd.exe	124
PID 4332 wrote to memory of 4856	4332	csrss.exe	125
PID 4332 wrote to memory of 4856	4332	csrss.exe	125
PID 4856 wrote to memory of 1976	4856	cmd.exe	127
PID 4856 wrote to memory of 1976	4856	cmd.exe	127
PID 4856 wrote to memory of 5072	4856	cmd.exe	128
PID 4856 wrote to memory of 5072	4856	cmd.exe	128
PID 4856 wrote to memory of 5104	4856	cmd.exe	129
PID 4856 wrote to memory of 5104	4856	cmd.exe	129
PID 5104 wrote to memory of 2652	5104	csrss.exe	130
PID 5104 wrote to memory of 2652	5104	csrss.exe	130
PID 2652 wrote to memory of 1952	2652	cmd.exe	132
PID 2652 wrote to memory of 1952	2652	cmd.exe	132
PID 2652 wrote to memory of 5064	2652	cmd.exe	133
PID 2652 wrote to memory of 5064	2652	cmd.exe	133
PID 2652 wrote to memory of 748	2652	cmd.exe	136
PID 2652 wrote to memory of 748	2652	cmd.exe	136
PID 748 wrote to memory of 624	748	csrss.exe	137
PID 748 wrote to memory of 624	748	csrss.exe	137
PID 624 wrote to memory of 1520	624	cmd.exe	139
PID 624 wrote to memory of 1520	624	cmd.exe	139
PID 624 wrote to memory of 1424	624	cmd.exe	140
PID 624 wrote to memory of 1424	624	cmd.exe	140
PID 624 wrote to memory of 2356	624	cmd.exe	141
PID 624 wrote to memory of 2356	624	cmd.exe	141
PID 2356 wrote to memory of 4908	2356	csrss.exe	142
PID 2356 wrote to memory of 4908	2356	csrss.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fatality.exe
"C:\Users\Admin\AppData\Local\Temp\fatality.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056
- \??\c:\users\admin\appdata\local\temp\fatality.exe
  c:\users\admin\appdata\local\temp\fatality.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession/containerReview.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgwstcjm\wgwstcjm.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB6.tmp" "c:\Windows\System32\CSCC662F8AF368F4F63B4969969C1117C21.TMP"
        7⤵
        
        PID:3320
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aD55r1zOMq.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4948
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eDex15ELeP.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5072
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GCUhdmH1So.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5064
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eDex15ELeP.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1424
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JKWSf9zRCT.bat"
        14⤵
        
        PID:4908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4388
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\omfVy1urWZ.bat"
        16⤵
        
        PID:4852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zgE5oxkNwR.bat"
        18⤵
        
        PID:4360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3484
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat"
        20⤵
        
        PID:1196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3444
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\czppXKEUSU.bat"
        22⤵
        
        PID:3452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3264
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat"
        24⤵
        
        PID:2680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6WkFIbRMFr.bat"
        26⤵
        
        PID:4976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
        28⤵
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4960
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W8Ig2gXV94.bat"
        30⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4892
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CU0JBUISt3.bat"
        32⤵
        
        PID:4592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4484
        
        C:\blockcomSession\csrss.exe
        
        "C:\blockcomSession\csrss.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2896
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4984
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\blockcomSession\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\blockcomSession\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\blockcomSession\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\appcompat\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\appcompat\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\blockcomSession\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\blockcomSession\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\Users\Default\Application Data\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 12 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 6 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
935ecb30a8e13f625a9a89e3b0fcbf8f

SHA1
41cb046b7b5f89955fd53949efad8e9f3971d731

SHA256
2a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9

SHA512
1210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat

Filesize
204B

MD5
52e4afb967c16c5d7b028910c614e992

SHA1
0447f1cc137e8b67d9c039ea71f26a5dc44ea7cc

SHA256
60c0b0cc6dbcfb31448ab00f52339154262a3718b7ad6d38fc58187cdf51007c

SHA512
6373841a5fd4848f35435f185f0b86314d77082a65a5bca95c48ba34e0d84ee090de663ca7cc9c1b944d16766d75071074d4603145c73696eddfd28c08fd045a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6WkFIbRMFr.bat

Filesize
156B

MD5
2c91cf500434b61d8ce61d7040927a77

SHA1
58d911970bac0d7b09abd2b80c4c1b3e3e0cbfa2

SHA256
1100ed7b5e26dbb68a2434789ce9aa7f1de1795884c0fe6e230c8bc613effe72

SHA512
4af62060c008ead81a1c836b8121a9ed2aa8603e49e372a454dde85f800b036eba997c40ab291e9eefff6cfdec318d7d486f1134b1767113d345cba1bd89c7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\CU0JBUISt3.bat

Filesize
204B

MD5
89d7189ecc30b2c47183a5108cf9bca8

SHA1
bbcd184030bdeb98f53cfad7ad3a8788c94b22b0

SHA256
a502d3b19c853f6fc2866381a77857010da57777457fe5af3fa47f3676525313

SHA512
18ef8b50ac29648027476c17a3dea908a59df4ecda2f43b960f48eb1824ae18e1f1285e07aff72162dd5994b6922d77c1560ef91bee10bd4be5c70ee3a3ce378

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCUhdmH1So.bat

Filesize
156B

MD5
90b843bf04be792a8dc1f1c8097a0982

SHA1
3f84005a195f769f6408bbea1bb5875ee8bc0ef4

SHA256
e0e02fa0bafb987bf8b6e8938bfcf731469c9e143f5bf9c3f8785568b292c5bd

SHA512
56c32f053cedd313bab8e1204e2dd91400ee1101262efe77000f3dec60b6670cfa33964d249e002a194e304f5bccdfb8a4db7e303f9e22789695f45a99c47819

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKWSf9zRCT.bat

Filesize
156B

MD5
2187bbfa62d90d0f44565f71ac1f7606

SHA1
a058caf9006eba6234d01f6f1b743d0a5a9cd970

SHA256
87dc54382a755336ce6055c8363a0cc04b1c1e06f047a631bb421fb6aabb3d38

SHA512
554d755467558d1afab270ad530be1cca7a7acb791095e7093108a34109f3c4e3d2eada6618268420d7f8718bcc3c34006c60233b1a65da272926f366c9a4601

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCB6.tmp

Filesize
1KB

MD5
0344deba18b79b36253c2477b502a7e3

SHA1
b113ee6406e9050808d992663154125ab86e35bb

SHA256
32ba243ea5fdd191cd1cd069ca3a6472d3fe63d5793f9c6a273fcbe129e8ccbe

SHA512
6dde58039b4710d61725f1d8b8ad5cf2cfb5ef033ad2028bc13a0ad4431cb07db30980e0b211eb3d9136466e763ace89997310bb6455cc73aeaf2a17796549cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\W8Ig2gXV94.bat

Filesize
204B

MD5
d1c9be6b6d86879367549203277884c8

SHA1
61f1ae3a7357cc1434bc1b52ad21050b3d762124

SHA256
e4e879c3791d921814d2b59a80a7dc08dd8ac5cdfeec8aca5f6b410bfe441734

SHA512
ac81c6fdc3ff058aba5abcb614cafb0285aaed5bf65e561b63d5771fd100156b97796f737054850d90a456640973854b6eab51916dadb54b8e9e343542fef277

Download Submit
C:\Users\Admin\AppData\Local\Temp\aD55r1zOMq.bat

Filesize
204B

MD5
12a5fa69d2283f126ac43093bd1b5c1c

SHA1
2fe24925122ec3de328ecfc30855efba97670b1f

SHA256
4f2b33355df64ed908c80215f3a459e42573d38ee8ee315e0e77d78de03d49a2

SHA512
9fbf24dd32f41d87515a5bdaac152d7a3f63b33daeffb7b3932240fc07333baa21c93405e4e183161033f0f87e3338512205e65751332814bd7de32ed3ca3447

Download Submit
C:\Users\Admin\AppData\Local\Temp\czppXKEUSU.bat

Filesize
204B

MD5
e199bc8b2771550e0d8be44415230739

SHA1
769b3ade4cedf27a8d9c0d3f1ca3c9a4d4450767

SHA256
bb3dec3bbb356bfd2bca56be7f23ae649ae646124dd9b0c0dc124f0f8fe31d07

SHA512
f47d2629db572b07d4ae9645dab853b4f38accb98637f7e2d6e4019a96e867e41e631f39643cbcd0a2d359387c099372ae82c205dde950c5712e281bd3a9afe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eDex15ELeP.bat

Filesize
204B

MD5
292325f29942f4501af3708c683cd3dd

SHA1
4a6f94d1148bfbcd29946d940c5d5c9b95df4a67

SHA256
3699ddf1386b9b0842b3b929dc429309e96f9955d26cbba304be042a545e6503

SHA512
90eb83da12a8d295e32179abd9976098bee8d520ddbb74fa3bb41b75b1795f34d6db4dcc8b7a333f47424904a6f3ca900c8ee03c3d25cefdc5d6431926fc41a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
3.2MB

MD5
a7040b85fc683f088f4c6e5b44052c43

SHA1
7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66

SHA256
b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

SHA512
e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301

Download Submit
C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat

Filesize
156B

MD5
ffa78a3f207a2140b5d7b58c691a978e

SHA1
f21687477b9221dc87ab35ceec214b99c1855110

SHA256
062f52ee302da5ab0775e5bf8a97824c509a3c8311a2aefaec1895705b08fc63

SHA512
9559180f2df93fbf4d5e35a1690474c8ac9ed71080a6bd7d2c8e9f8da293b214b6d3735dfc7af2d7731846b59839c7841c0aab19a23920895f362e2b19ef0644

Download Submit
C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat

Filesize
156B

MD5
b887e4e606eaf5dd42fff0a562adca6a

SHA1
ef430e6c8672f2bd0d3c0376b431772d11b61991

SHA256
1106d0cb92e9f9b6b009cf2d86ca073798ec8b9caa3cf4d67e076ec5a9a96190

SHA512
8eb67587da02bb45c9335d2d7274150c9bbdedbfede144f56888dfdcc5035bcb75336b88b50a9435be759d51f1413a0f11cf1ec2e97dbbf03bd8ca4542f069a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\omfVy1urWZ.bat

Filesize
156B

MD5
5282e2e980e94917acd6347f1a5f2d7e

SHA1
af250c346c32d2adb9397b4f9dadb84535774deb

SHA256
fb65658ce81aae82bced8657edba8ac10004f7a1f25dabde169c3f37363faab3

SHA512
65d184a30f064e5b0dc1b671bebf11f8e90474c368607eb4da7e8f3d848c326737c884f8cb893ebb675f70d65cd05f7d0c9e508c61b996213fac7d97562f4789

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgE5oxkNwR.bat

Filesize
156B

MD5
706ed0ff69360876ca2201ab0b61e2c5

SHA1
4967ff993c9dda7a9fb19be9f31aeb03e26f9eef

SHA256
ed09156fb01dd2393749d308149277b900ce4115f4edf46532177502af578567

SHA512
cdece22c5605676fab4c923c19e063d840caa9a3f89ddcd769ddd4e1330f4f16b5d7dba477a29eb468a3228bf6a6af6f0e17c8ffb5351ce96cf826dbeac8047b

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
760e6f2101236d01ca30e896665fa5c7

SHA1
1636ae3dee16bebee5cd8850b3e2591b62cb3544

SHA256
4082d7a546754b1eb88f7a1bdd398d02e48225c16d015d856c6167f210a5d4e0

SHA512
202920ad62ce297e8151f9a7ba5ec7f45892f3373ae3f992bf9e14396c2cbeb7d09bada7f5a765479afbe56d9a214b9808ff734eda4d02ca20af293f9044cbe9

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d36cc2935ae0e7a5d2936db589a9b8cc

SHA1
082bd58c0ad60fa4783b63a4f681a5c5fad8e1a6

SHA256
4c93adb50768feb3cdea95f1fedc5d6fdc262d59f12c4b66601d377e2709c2e3

SHA512
547452ba0de7c8ebeec8e4bb2d916c7a881b6743e6d1fb6d2761a202b7cf5bb30c3f541957de70c584b46b7171f3f20338b4985341829b408c366aeaeced9290

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
363bfb08ee321d3882ad5b6a8563491e

SHA1
f6c2c1584fe6dd6d3d2af5c05d8ee8c9b823789a

SHA256
4f1c110a136bb012105f18f8434227cea66cdfa4b2f257f749e5798e662e7396

SHA512
655433f6b72429d8cc9555b8b8f85bf944f2af430bbf0fbbe7c159e05dde282566553f86426fad3062a02d8ea2b9bb9848fb09ed2b7197378153fd53c8d73751

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
310aaee0564f05c3ac7c053522c61fa8

SHA1
7f6a69f262bd5820bd31d3642b0f6425d29d9a58

SHA256
7b9f6a842efe9c26728f6426a4b19c0e9747ce9f1d38edaeb09fe89f3a89b254

SHA512
723fcd68fe96441a127233b2a6db36d80b33e063b6b35258c7638ffda13cc5e396d33a86ddaf616afe4a2f4d65ae3072dd5b797094ed736acea13a5f52c2b37a

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
C:\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wgwstcjm\wgwstcjm.0.cs

Filesize
359B

MD5
b9ff82ecbac67449cc2d6ae1c43ee0f8

SHA1
04c732d748c6f04fb7fa93930dbfb27628d44b72

SHA256
ea640e035cb78c9b839038551825681d541deefa55fc0e2ae38d51ca40f0d3f6

SHA512
5a7743186e59ec5d10e365ce8b8c87920fce10beb48ccd00800ac9924e871092aa0e9f9038d4e74ab787f9719e168d91d774729edd26cbecf93e73fe3ad8da06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wgwstcjm\wgwstcjm.cmdline

Filesize
235B

MD5
67512aef17504148c85ad75addc55167

SHA1
075e970c3e5bf6f1ae831a15ff49a495018383e9

SHA256
4dcaf4ae5cb35a10a4111acd87cac2d23eee76e7970e992aa45908e2659d8b44

SHA512
5a4f3c9a6117ffafe85e9dd3f5d4d2d86ed960986f92a2240e74d4e7c64d02adebc9424f45534b4bf881ab5a95272b8760276750ce66996ab6cdf9657213e484

Download Submit
\??\c:\Windows\System32\CSCC662F8AF368F4F63B4969969C1117C21.TMP

Filesize
1KB

MD5
75e32610d8ef6143201c7c28465fcda9

SHA1
b2bae99fade2dda07aecbe1659d184be0fc4e7a6

SHA256
97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

SHA512
b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Download Submit
memory/748-144-0x000000001DAE0000-0x000000001DC4A000-memory.dmp

Filesize
1.4MB

Download
memory/1056-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1056-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-73-0x0000000001290000-0x000000000129E000-memory.dmp

Filesize
56KB

Download
memory/1988-66-0x0000000002B70000-0x0000000002B8C000-memory.dmp

Filesize
112KB

Download
memory/1988-67-0x000000001B940000-0x000000001B990000-memory.dmp

Filesize
320KB

Download
memory/1988-64-0x0000000000FD0000-0x0000000000FDE000-memory.dmp

Filesize
56KB

Download
memory/1988-69-0x0000000002B90000-0x0000000002BA8000-memory.dmp

Filesize
96KB

Download
memory/1988-62-0x0000000000730000-0x0000000000920000-memory.dmp

Filesize
1.9MB

Download
memory/1988-71-0x0000000000FE0000-0x0000000000FEE000-memory.dmp

Filesize
56KB

Download
memory/1988-75-0x00000000012A0000-0x00000000012AC000-memory.dmp

Filesize
48KB

Download
memory/2356-157-0x000000001D0E0000-0x000000001D24A000-memory.dmp

Filesize
1.4MB

Download
memory/2492-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2512-56-0x00000000009D0000-0x0000000000DB1000-memory.dmp

Filesize
3.9MB

Download
memory/2512-8-0x00000000009D0000-0x0000000000DB1000-memory.dmp

Filesize
3.9MB

Download
memory/2896-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-183-0x000000001D640000-0x000000001D7AA000-memory.dmp

Filesize
1.4MB

Download
memory/3256-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-170-0x000000001D240000-0x000000001D3AA000-memory.dmp

Filesize
1.4MB

Download
memory/4844-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4984-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download