dcrat | b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2025, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
Size

3.2MB
MD5

a7040b85fc683f088f4c6e5b44052c43
SHA1

7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66
SHA256

b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d
SHA512

e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301
SSDEEP

98304:hb5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8Nb:FMyqKM1TogtqT44NNb

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Application Data\\sysmon.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Application Data\\sysmon.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Application Data\\sysmon.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Application Data\\sysmon.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Application Data\\sysmon.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Application Data\\sysmon.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3740	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	3740	schtasks.exe	91

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	containerReview.exe

Executes dropped EXE 16 IoCs

pid	Process
216	containerReview.exe
732	containerReview.exe
2804	containerReview.exe
972	containerReview.exe
2692	containerReview.exe
528	containerReview.exe
4400	containerReview.exe
1676	containerReview.exe
2628	containerReview.exe
1912	containerReview.exe
4680	containerReview.exe
3588	containerReview.exe
3464	containerReview.exe
3056	containerReview.exe
3556	containerReview.exe
3692	containerReview.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\Application Data\\sysmon.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\fr-FR\\conhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\7-Zip\\Lang\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\Application Data\\sysmon.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\fr-FR\\conhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\7-Zip\\Lang\\explorer.exe\""	containerReview.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\xqt5sk.exe	csc.exe
File created	\??\c:\Windows\System32\CSC40B6B0BA63A54583B0B07E7C6776DD78.TMP	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1436	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\explorer.exe	containerReview.exe
File created	C:\Program Files\7-Zip\Lang\7a0fd90576e088	containerReview.exe
File created	C:\Program Files\7-Zip\Lang\unsecapp.exe	containerReview.exe
File opened for modification	C:\Program Files\7-Zip\Lang\unsecapp.exe	containerReview.exe
File created	C:\Program Files\7-Zip\Lang\29c1c3cc0f7685	containerReview.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchApp.exe	containerReview.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\38384e6a620884	containerReview.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\conhost.exe	containerReview.exe
File created	C:\Windows\fr-FR\088424020bedd6	containerReview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4996	PING.EXE
4148	PING.EXE
1272	PING.EXE
3564	PING.EXE
1976	PING.EXE
3968	PING.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	containerReview.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
4996	PING.EXE
4148	PING.EXE
1272	PING.EXE
3564	PING.EXE
1976	PING.EXE
3968	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3796	schtasks.exe
468	schtasks.exe
4312	schtasks.exe
4128	schtasks.exe
1028	schtasks.exe
1664	schtasks.exe
2908	schtasks.exe
4484	schtasks.exe
2412	schtasks.exe
3176	schtasks.exe
1676	schtasks.exe
4268	schtasks.exe
3052	schtasks.exe
4272	schtasks.exe
2784	schtasks.exe
5064	schtasks.exe
4904	schtasks.exe
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1436	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
1436	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe
216	containerReview.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	containerReview.exe
Token: SeDebugPrivilege	732	containerReview.exe
Token: SeDebugPrivilege	2804	containerReview.exe
Token: SeDebugPrivilege	972	containerReview.exe
Token: SeDebugPrivilege	2692	containerReview.exe
Token: SeDebugPrivilege	528	containerReview.exe
Token: SeDebugPrivilege	4400	containerReview.exe
Token: SeDebugPrivilege	1676	containerReview.exe
Token: SeDebugPrivilege	2628	containerReview.exe
Token: SeDebugPrivilege	1912	containerReview.exe
Token: SeDebugPrivilege	4680	containerReview.exe
Token: SeDebugPrivilege	3588	containerReview.exe
Token: SeDebugPrivilege	3464	containerReview.exe
Token: SeDebugPrivilege	3056	containerReview.exe
Token: SeDebugPrivilege	3556	containerReview.exe
Token: SeDebugPrivilege	3692	containerReview.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1436	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 3692	1436	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe	85
PID 1436 wrote to memory of 3692	1436	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe	85
PID 1436 wrote to memory of 3692	1436	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe	85
PID 3692 wrote to memory of 1188	3692	WScript.exe	86
PID 3692 wrote to memory of 1188	3692	WScript.exe	86
PID 3692 wrote to memory of 1188	3692	WScript.exe	86
PID 1188 wrote to memory of 216	1188	cmd.exe	88
PID 1188 wrote to memory of 216	1188	cmd.exe	88
PID 216 wrote to memory of 740	216	containerReview.exe	96
PID 216 wrote to memory of 740	216	containerReview.exe	96
PID 740 wrote to memory of 2428	740	csc.exe	98
PID 740 wrote to memory of 2428	740	csc.exe	98
PID 216 wrote to memory of 4888	216	containerReview.exe	116
PID 216 wrote to memory of 4888	216	containerReview.exe	116
PID 4888 wrote to memory of 3084	4888	cmd.exe	118
PID 4888 wrote to memory of 3084	4888	cmd.exe	118
PID 4888 wrote to memory of 5116	4888	cmd.exe	119
PID 4888 wrote to memory of 5116	4888	cmd.exe	119
PID 4888 wrote to memory of 732	4888	cmd.exe	122
PID 4888 wrote to memory of 732	4888	cmd.exe	122
PID 732 wrote to memory of 1260	732	containerReview.exe	127
PID 732 wrote to memory of 1260	732	containerReview.exe	127
PID 1260 wrote to memory of 4944	1260	cmd.exe	129
PID 1260 wrote to memory of 4944	1260	cmd.exe	129
PID 1260 wrote to memory of 1272	1260	cmd.exe	130
PID 1260 wrote to memory of 1272	1260	cmd.exe	130
PID 1260 wrote to memory of 2804	1260	cmd.exe	134
PID 1260 wrote to memory of 2804	1260	cmd.exe	134
PID 2804 wrote to memory of 4300	2804	containerReview.exe	136
PID 2804 wrote to memory of 4300	2804	containerReview.exe	136
PID 4300 wrote to memory of 2936	4300	cmd.exe	138
PID 4300 wrote to memory of 2936	4300	cmd.exe	138
PID 4300 wrote to memory of 3212	4300	cmd.exe	139
PID 4300 wrote to memory of 3212	4300	cmd.exe	139
PID 4300 wrote to memory of 972	4300	cmd.exe	141
PID 4300 wrote to memory of 972	4300	cmd.exe	141
PID 972 wrote to memory of 4776	972	containerReview.exe	144
PID 972 wrote to memory of 4776	972	containerReview.exe	144
PID 4776 wrote to memory of 2248	4776	cmd.exe	146
PID 4776 wrote to memory of 2248	4776	cmd.exe	146
PID 4776 wrote to memory of 3500	4776	cmd.exe	147
PID 4776 wrote to memory of 3500	4776	cmd.exe	147
PID 4776 wrote to memory of 2692	4776	cmd.exe	149
PID 4776 wrote to memory of 2692	4776	cmd.exe	149
PID 2692 wrote to memory of 1760	2692	containerReview.exe	152
PID 2692 wrote to memory of 1760	2692	containerReview.exe	152
PID 1760 wrote to memory of 2776	1760	cmd.exe	154
PID 1760 wrote to memory of 2776	1760	cmd.exe	154
PID 1760 wrote to memory of 3836	1760	cmd.exe	155
PID 1760 wrote to memory of 3836	1760	cmd.exe	155
PID 1760 wrote to memory of 528	1760	cmd.exe	157
PID 1760 wrote to memory of 528	1760	cmd.exe	157
PID 528 wrote to memory of 1984	528	containerReview.exe	160
PID 528 wrote to memory of 1984	528	containerReview.exe	160
PID 1984 wrote to memory of 3512	1984	cmd.exe	162
PID 1984 wrote to memory of 3512	1984	cmd.exe	162
PID 1984 wrote to memory of 3564	1984	cmd.exe	163
PID 1984 wrote to memory of 3564	1984	cmd.exe	163
PID 1984 wrote to memory of 4400	1984	cmd.exe	165
PID 1984 wrote to memory of 4400	1984	cmd.exe	165
PID 4400 wrote to memory of 184	4400	containerReview.exe	168
PID 4400 wrote to memory of 184	4400	containerReview.exe	168
PID 184 wrote to memory of 2552	184	cmd.exe	170
PID 184 wrote to memory of 2552	184	cmd.exe	170

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
"C:\Users\Admin\AppData\Local\Temp\b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\blockcomSession\containerReview.exe
      "C:\blockcomSession/containerReview.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u135wbs2\u135wbs2.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:740
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4AA.tmp" "c:\Windows\System32\CSC40B6B0BA63A54583B0B07E7C6776DD78.TMP"
        6⤵
        
        PID:2428
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAOZF0g5WT.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4888
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3084
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5116
      - C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\usSWzSdfMb.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZPsODb7c4Z.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3212
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ZQNubuJrx.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3500
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pv802QeGaw.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3836
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WwD8E48ugj.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3564
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pv802QeGaw.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4148
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tdcOVhdoAh.bat"
        19⤵
        
        PID:1028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1976
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wle9X4LEtL.bat"
        21⤵
        
        PID:3556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3968
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fa12eP5s1A.bat"
        23⤵
        
        PID:3828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:512
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A9s0LWASh3.bat"
        25⤵
        
        PID:3876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4872
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7gEkM0BkJD.bat"
        27⤵
        
        PID:184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4692
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ItcmNmazXC.bat"
        29⤵
        
        PID:3988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2100
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ZQNubuJrx.bat"
        31⤵
        
        PID:2600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1452
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\usSWzSdfMb.bat"
        33⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4996
        
        C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession\containerReview.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6RObsEBt7I.bat"
        35⤵
        
        PID:3232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 9 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 13 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containerReview.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6RObsEBt7I.bat

Filesize
166B

MD5
be80f173263c712ac34cc091c60bdf35

SHA1
91c18225290b3c8f1bee4eddc733e21a5c76daf6

SHA256
65a0f8fcdd08c47d4a8e3410f215cf87d6b01f30030b90a04ccd09c6d8344942

SHA512
265abfcaaab024895b0758ff3913626bc3f055f7b0cc1e9ad8b206ceafab3ceb23501777cbd786d720c5e5dfad61a1aea4ed47a62d3af9fa5ca8e4d0f25fb28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7gEkM0BkJD.bat

Filesize
214B

MD5
361b5785f8b22cedf5fac6dc337e9c28

SHA1
a69e4ea96fec016b0b41f1960916091bf16f2695

SHA256
4dc95ec0d65c69948c8f356c1ea5668b80bb7c0bcdfd22c8b11e5e4ce33c78b1

SHA512
3e114c808b0e3d8e71e7e130e0950e5ad2700b00e33f916f09d257bf507545215452a9ea7f4e3519820d31bf2523c2e5b4007ddef50abe054a2aa50c7d74ef57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ZQNubuJrx.bat

Filesize
214B

MD5
f80ec99efbffcc76f4bcd499c8286e9d

SHA1
065454ae2c7833d5891bca8ad6704f7d74b4134d

SHA256
37b0dd0c286cd3733ebd44cc4bcd0469f92d2828c74051e2c2d1f2075294a907

SHA512
72a372e5bdd24f7a2d88980811e1ed8ceee3b4db7fc1844243f6b426ab8bca6a23c643d8664f809dab5cadc75fdfee8a85d4ad2496e6b67fcb5d839460385904

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9s0LWASh3.bat

Filesize
214B

MD5
33c812e422c08b01ac42aadada9f0b36

SHA1
3d7f12b4025f2469db69532f89b1285c3e0a65ef

SHA256
3c66b0d7448437f34fae5f6cb7b9e300be1c82e94774810b59b2337e34cbfb05

SHA512
3f685519413443200bfe6a87930ea9f042e8cdacae5a4fbd1bc27223e99df1ba7923c355d4709748c4f58f5645d279edbcf01f78d00658853d1af25d8abc427d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ItcmNmazXC.bat

Filesize
214B

MD5
4eb72519ab365966bd190697fa54e815

SHA1
be1520a0368ade047c1d61196eba24ed9f8cc26a

SHA256
6a3c815fc013a426d63e7b65bb7087fd89d830737855b9ffd71ba983c106ae09

SHA512
24e21966ec33d9c9f683d0068619b01d927330525d4bb4628a32501e7e20e294f241489fd18572aa0751dcee24a10446e65326dfc89545eb4c84d30b5c64f84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB4AA.tmp

Filesize
1KB

MD5
183331ef873d2e5eb9b86de03e185fe5

SHA1
78e580da6cf367c23a4aa161c88074a4fe92cafb

SHA256
22085922a8a99e7fa7e9f7c1665941417993468217c80ab3aa2141f930872e22

SHA512
f7ead853f99a3817888c844ad6230de2b1f714afa75ff47853f3f4cbf4bb8dfdf81da61662d70297e345122e8a3d5b7e8d4aac7f0b834ff8652f3f19d9c92a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwD8E48ugj.bat

Filesize
166B

MD5
32637943fc3f416c6ba5967da0ff2c1e

SHA1
f45c4bd23010b7c782333fd8d44cfb2f3cbccd3a

SHA256
305725928e952d81c3af088a1cbe9b88b07a8e0aba14973cc0b80ec15101fded

SHA512
d3bdb2533473a4d4e262cfcf76bd2cfe809d5cf25016ff6b8a042d48a75b47cf97935f20b3bfe3a34413937445fccf818eb044cc15419db9b90eb6511cfb029f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAOZF0g5WT.bat

Filesize
214B

MD5
b50a74ddf79d649c1592185b3b20104b

SHA1
92b9f23e85a362f714cb4bc71839fd6d0a799631

SHA256
a6f63168d5633bd76b74fe839ffe5d15035a020ac06cf9d8465f07482a0beaae

SHA512
ff971b4c31794d23a232088966fddcc887c5d18380126831d1238ca95eb5f0c472ecf7debf66cdc27ab9ebf660331fb8d8a91b6c874d0a8f7efc189edeba4341

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZPsODb7c4Z.bat

Filesize
214B

MD5
bf0dca3dc24c6dc90af686c9da7904e6

SHA1
adc37f13153eeb34cf241198544f6b82309d6dfb

SHA256
47d827a3d82738bc8d8d2966ce26945fcd4acf56dbbe82cd956afc16c703a0c8

SHA512
5be4ab49615693cfe1c57979704a1bf68759676cf7ce5dfaf81d8b1944ed86c745b9b441b0778c5effb3fad3689d94bb95291830feed695e221e57c6d4662228

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa12eP5s1A.bat

Filesize
214B

MD5
b913d38fc332cf5a151c9d5c0738ed36

SHA1
cc2d32d18dd91d4bd7da96a1cf8600bb60bab722

SHA256
ec89528b064a1eafdab922635560301f6d1f841c2be3aa8eb6047e8a10a38ee0

SHA512
cc94cfce939e6a25e1d3a1ff05e49bd255ee6ac79599b6a149098013bd1d0cd1c8a4a3165580810a3de93090cd7fc6493ebb16e879ed56738dfd754ff4295b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\pv802QeGaw.bat

Filesize
214B

MD5
b7e4ca183f4d57867ca48b872ce8bd5b

SHA1
015aac92231943907bcebf469a0a348fbeb60064

SHA256
9e9a747953621ab6b95b31f8ce8e2f7a73a00b03a225fb913c959ebff51df1e1

SHA512
f863f8358f465d251b706926da1f07db47916b7a1f2c7e45cd6d41093f4929d4a923a51eaf3ccb465a8146903d44627a17c81b4fd51d44644fc0ba9dd16eda49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdcOVhdoAh.bat

Filesize
166B

MD5
1f302f675e758f9f669f52b39d0c82fd

SHA1
74ef13879eb363aa98e087265c4f958f4a7f8b29

SHA256
c01a2c834057f296bff431a2384dad9d4db5907044e3f751db41e2244636dce8

SHA512
0b2ee247a9f2007899280105729c912d5079d3234366a21cdcc2c9a11cfe2079568f2395a5092aae1006a3fa8bb1f8ce221f2c265d576604fd88aa7a8be9edb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\usSWzSdfMb.bat

Filesize
166B

MD5
734dc11db2e425eb767454c11b0abcb4

SHA1
301bf0664d71ab509dee0d8098b8ce51e128f248

SHA256
0f70b7d0e3a780c4d4043ddb688c098392ac9913dc10042b3884f7fb02c20367

SHA512
e1ecbc2db7b1df32b17a4dcfca4e74d180bb9a27907ccd171ff87ec507876256abbbce3e309e3a165902e1650f5287d7a9c4b7570014817ae42e48a16037dad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wle9X4LEtL.bat

Filesize
166B

MD5
2b0208d2f17e90080d3950921c24f832

SHA1
21a88a51e1d8e67c84fec26b43275efb88a4b0c1

SHA256
0dc4343eef682f87d51eb4c2834359b15330fd517f4fc80d4d4ebd23b7b38372

SHA512
03d50c98b669ec8baa3915bbce83f3cba33a65f854e2aaac42ccd18789c8ed494658e4311389755528e0445c9595a32e1d629d2d2e86d15d224f6cba28bbe287

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
C:\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u135wbs2\u135wbs2.0.cs

Filesize
374B

MD5
e9f1dd05c5fd1bab2d94c6caa325f87f

SHA1
46626d9baa8779ae859830fb88a0853debbd25bd

SHA256
82ec7bf40a93265a2bee2d386d9362a95c3bef626bd5620b03112ec8c574750c

SHA512
5457032baf7360c059703280433d502531416670ec4ef5a19bb2611ce0815ba04cb773db918d3eb589f59bdd1d5cabf3e78738a0bd04e913656e0c4baa0845cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u135wbs2\u135wbs2.cmdline

Filesize
235B

MD5
a679213d21783197ee3f44651c94777b

SHA1
a1389f0d94f1eff0a2ddfe8d14ba32e164e4eeb7

SHA256
179e82d19149af6ef62039c01ae310a6cae62c88acb5d9cabc69dbb29eb638cd

SHA512
03b78ab12df30ec693d8a09c0bf8c822780272daae9ecc14c679e47913486d60f2b1bf32490a80689763c15ee120575b0170d52262f2bfa719d9f88e07f43210

Download Submit
\??\c:\Windows\System32\CSC40B6B0BA63A54583B0B07E7C6776DD78.TMP

Filesize
1KB

MD5
ad61927912f86c7c9f1e72720f4ef0ef

SHA1
dbb61d9d5c7310c85716fe9f445fee2151cef437

SHA256
bf2696fc2183af293d74c988add5772c1c7257c2e85ae754e43cbe0e1d105a1e

SHA512
33b6f9f93672bd0ecb68e553de0ce92dd6b773c62da7721c9544171df7de8b8588e9ba42e13836db5d5ffc078ca656993f8d06a857dda5a27e1d639d5a6fb3ee

Download Submit
memory/216-29-0x000000001AF50000-0x000000001AF5C000-memory.dmp

Filesize
48KB

Download
memory/216-27-0x000000001AF00000-0x000000001AF0E000-memory.dmp

Filesize
56KB

Download
memory/216-25-0x000000001AEF0000-0x000000001AEFE000-memory.dmp

Filesize
56KB

Download
memory/216-23-0x000000001AF30000-0x000000001AF48000-memory.dmp

Filesize
96KB

Download
memory/216-21-0x000000001AF80000-0x000000001AFD0000-memory.dmp

Filesize
320KB

Download
memory/216-20-0x000000001AF10000-0x000000001AF2C000-memory.dmp

Filesize
112KB

Download
memory/216-18-0x0000000002470000-0x000000000247E000-memory.dmp

Filesize
56KB

Download
memory/216-16-0x00000000000F0000-0x00000000002E0000-memory.dmp

Filesize
1.9MB

Download
memory/216-15-0x00007FFB1A373000-0x00007FFB1A375000-memory.dmp

Filesize
8KB

Download
memory/1436-0-0x0000000000920000-0x0000000000D01000-memory.dmp

Filesize
3.9MB

Download
memory/1436-10-0x0000000000920000-0x0000000000D01000-memory.dmp

Filesize
3.9MB

Download