dcrat | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9

Resubmissions

14/01/2025, 04:25

250114-e2erasypan 10

14/01/2025, 03:06

250114-dl14xsxmdn 10

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/01/2025, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Size

3.3MB
MD5

c883ea559bee9a0cb393aa32dcaf5d80
SHA1

995dfd0d9d504bec628e7d7297962677d8ab32cb
SHA256

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9
SHA512

9ee8ef8a9912b14bcbeb3c13b2670c92eecc17c4a8a719d6bd9935f17239a244457e2f711c01e374febd767c866d6c563bad97e687680919ca0c017d738626ee
SSDEEP

98304:db5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8N7:hMyqKM1TogtqT44NN7

Score

10^/10

dcrat discovery evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Install\\System.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Install\\System.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2384	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2384	schtasks.exe	45

Executes dropped EXE 18 IoCs

pid	Process
2492	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2376	icsys.icn.exe
848	explorer.exe
2708	spoolsv.exe
2748	svchost.exe
2672	spoolsv.exe
468	containerReview.exe
2716	lsass.exe
2800	lsass.exe
1564	lsass.exe
1868	lsass.exe
2688	lsass.exe
2772	lsass.exe
1460	lsass.exe
3004	lsass.exe
1620	lsass.exe
2224	lsass.exe
1160	lsass.exe

Loads dropped DLL 8 IoCs

pid	Process
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2376	icsys.icn.exe
848	explorer.exe
2708	spoolsv.exe
2748	svchost.exe
1728	cmd.exe
1728	cmd.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\blockcomSession\\lsm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\blockcomSession\\lsm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Google\\Update\\Install\\System.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Google\\Update\\Install\\System.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File created	\??\c:\Windows\System32\CSCD4B85F26F6A145799AFCEFEC453478.TMP	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2492	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Install\System.exe	containerReview.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\System.exe	containerReview.exe
File created	C:\Program Files (x86)\Google\Update\Install\27d1bcfc3c54e0	containerReview.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	containerReview.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	containerReview.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2152	PING.EXE
1848	PING.EXE
2124	PING.EXE
2080	PING.EXE
936	PING.EXE
1276	PING.EXE
940	PING.EXE
2144	PING.EXE

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
2080	PING.EXE
936	PING.EXE
1276	PING.EXE
940	PING.EXE
2144	PING.EXE
2152	PING.EXE
1848	PING.EXE
2124	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
604	schtasks.exe
1252	schtasks.exe
2292	schtasks.exe
2440	schtasks.exe
2312	schtasks.exe
2948	schtasks.exe
1592	schtasks.exe
1508	schtasks.exe
960	schtasks.exe
1280	schtasks.exe
704	schtasks.exe
112	schtasks.exe
1228	schtasks.exe
1960	schtasks.exe
2320	schtasks.exe
1056	schtasks.exe
1912	schtasks.exe
2340	schtasks.exe
1764	schtasks.exe
2168	schtasks.exe
2096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2492	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2748	svchost.exe
848	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	containerReview.exe
Token: SeDebugPrivilege	2716	lsass.exe
Token: SeDebugPrivilege	2800	lsass.exe
Token: SeDebugPrivilege	1564	lsass.exe
Token: SeDebugPrivilege	1868	lsass.exe
Token: SeDebugPrivilege	2688	lsass.exe
Token: SeDebugPrivilege	2772	lsass.exe
Token: SeDebugPrivilege	1460	lsass.exe
Token: SeDebugPrivilege	3004	lsass.exe
Token: SeDebugPrivilege	1620	lsass.exe
Token: SeDebugPrivilege	2224	lsass.exe
Token: SeDebugPrivilege	1160	lsass.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2492	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2376	icsys.icn.exe
2376	icsys.icn.exe
848	explorer.exe
848	explorer.exe
2708	spoolsv.exe
2708	spoolsv.exe
2748	svchost.exe
2748	svchost.exe
2672	spoolsv.exe
2672	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2492	1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	31
PID 1224 wrote to memory of 2492	1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	31
PID 1224 wrote to memory of 2492	1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	31
PID 1224 wrote to memory of 2492	1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	31
PID 1224 wrote to memory of 2376	1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	32
PID 1224 wrote to memory of 2376	1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	32
PID 1224 wrote to memory of 2376	1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	32
PID 1224 wrote to memory of 2376	1224	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	32
PID 2376 wrote to memory of 848	2376	icsys.icn.exe	33
PID 2376 wrote to memory of 848	2376	icsys.icn.exe	33
PID 2376 wrote to memory of 848	2376	icsys.icn.exe	33
PID 2376 wrote to memory of 848	2376	icsys.icn.exe	33
PID 2492 wrote to memory of 2864	2492	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	34
PID 2492 wrote to memory of 2864	2492	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	34
PID 2492 wrote to memory of 2864	2492	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	34
PID 2492 wrote to memory of 2864	2492	bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe	34
PID 848 wrote to memory of 2708	848	explorer.exe	35
PID 848 wrote to memory of 2708	848	explorer.exe	35
PID 848 wrote to memory of 2708	848	explorer.exe	35
PID 848 wrote to memory of 2708	848	explorer.exe	35
PID 2708 wrote to memory of 2748	2708	spoolsv.exe	36
PID 2708 wrote to memory of 2748	2708	spoolsv.exe	36
PID 2708 wrote to memory of 2748	2708	spoolsv.exe	36
PID 2708 wrote to memory of 2748	2708	spoolsv.exe	36
PID 2748 wrote to memory of 2672	2748	svchost.exe	37
PID 2748 wrote to memory of 2672	2748	svchost.exe	37
PID 2748 wrote to memory of 2672	2748	svchost.exe	37
PID 2748 wrote to memory of 2672	2748	svchost.exe	37
PID 848 wrote to memory of 2632	848	explorer.exe	38
PID 848 wrote to memory of 2632	848	explorer.exe	38
PID 848 wrote to memory of 2632	848	explorer.exe	38
PID 848 wrote to memory of 2632	848	explorer.exe	38
PID 2748 wrote to memory of 1056	2748	svchost.exe	39
PID 2748 wrote to memory of 1056	2748	svchost.exe	39
PID 2748 wrote to memory of 1056	2748	svchost.exe	39
PID 2748 wrote to memory of 1056	2748	svchost.exe	39
PID 2864 wrote to memory of 1728	2864	WScript.exe	42
PID 2864 wrote to memory of 1728	2864	WScript.exe	42
PID 2864 wrote to memory of 1728	2864	WScript.exe	42
PID 2864 wrote to memory of 1728	2864	WScript.exe	42
PID 1728 wrote to memory of 468	1728	cmd.exe	44
PID 1728 wrote to memory of 468	1728	cmd.exe	44
PID 1728 wrote to memory of 468	1728	cmd.exe	44
PID 1728 wrote to memory of 468	1728	cmd.exe	44
PID 468 wrote to memory of 1300	468	containerReview.exe	49
PID 468 wrote to memory of 1300	468	containerReview.exe	49
PID 468 wrote to memory of 1300	468	containerReview.exe	49
PID 1300 wrote to memory of 1680	1300	csc.exe	51
PID 1300 wrote to memory of 1680	1300	csc.exe	51
PID 1300 wrote to memory of 1680	1300	csc.exe	51
PID 468 wrote to memory of 1648	468	containerReview.exe	67
PID 468 wrote to memory of 1648	468	containerReview.exe	67
PID 468 wrote to memory of 1648	468	containerReview.exe	67
PID 1648 wrote to memory of 2940	1648	cmd.exe	69
PID 1648 wrote to memory of 2940	1648	cmd.exe	69
PID 1648 wrote to memory of 2940	1648	cmd.exe	69
PID 1648 wrote to memory of 2144	1648	cmd.exe	70
PID 1648 wrote to memory of 2144	1648	cmd.exe	70
PID 1648 wrote to memory of 2144	1648	cmd.exe	70
PID 1648 wrote to memory of 2716	1648	cmd.exe	71
PID 1648 wrote to memory of 2716	1648	cmd.exe	71
PID 1648 wrote to memory of 2716	1648	cmd.exe	71
PID 2716 wrote to memory of 2364	2716	lsass.exe	72
PID 2716 wrote to memory of 2364	2716	lsass.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
"C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224
- \??\c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
  c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession/containerReview.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxflkvv2\sxflkvv2.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CC.tmp" "c:\Windows\System32\CSCD4B85F26F6A145799AFCEFEC453478.TMP"
        7⤵
        
        PID:1680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\POH9bVQEfn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MF6Ow2NaEZ.bat"
        8⤵
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ZwY0m3aI8.bat"
        10⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1848
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6C8kMSA4ag.bat"
        12⤵
        
        PID:1444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2124
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s6L5myzuOs.bat"
        14⤵
        
        PID:1580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2392
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat"
        16⤵
        
        PID:1428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2080
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat"
        18⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2200
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat"
        20⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:936
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat"
        22⤵
        
        PID:784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1276
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kJRy2Wx8TR.bat"
        24⤵
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2632
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat"
        26⤵
        
        PID:2868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:444
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4XCyKdTKaY.bat"
        28⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:940
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:848
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2708
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2672
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:08 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1056
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:09 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2948
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:10 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\blockcomSession\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\blockcomSession\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Install\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Install\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 6 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4XCyKdTKaY.bat

Filesize
200B

MD5
b804544661164db70d5e76a6832f008c

SHA1
2a2467e74c0b30a18598bcff2104d88ebc82d874

SHA256
fefe34ce62090a6a320c5ac1bd45cd69684b0df6d4bc038b3765e68062c8a325

SHA512
a623fbc1d0cc79688eee030d17e6ffa5e985ce23f7d40a606855c0d5fd5ed2c20a7fef90fc8be5073962844dac2bf7ad21022c5ea1442681f914158517c6bfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C8kMSA4ag.bat

Filesize
200B

MD5
a8f306adf3870fb0dd37d2a240de4245

SHA1
beb0d21b637bac7f113f06e00d69126870c563d6

SHA256
92dd99e9482c705e7c6e04f790bfd5d31d2a887caa0e5dad9155ca7fd965e911

SHA512
a2761aae97f951807af415d80341e330d1bb48076677690761f88e8f0cceacfdf4a10e7e65dafca51ad42281036f5a254d4ab28581431fc0580d937bd00eb6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ZwY0m3aI8.bat

Filesize
200B

MD5
7835b622c694c49dd5ad1863b6331846

SHA1
dd77325b97a98d1b225ea185bc9c0aa202579af4

SHA256
da8737883a2d6d665199d05e1816ea34063b86c18cd8929f57b3e73963fa37bf

SHA512
f5791d8ed7f803a29b36deae4c869420f3cbfdab60320665e6ca7814e546ad5c419a1f8a734d70d7a227cb098f79d6d149fe443d524290b1420febf97bc90412

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat

Filesize
200B

MD5
63955944041fe222649e0cf4ac4a04d2

SHA1
6a7e0c0422ee0b1ad4aa05796cf3dd70d67f8c77

SHA256
a04159b6dc74ed32a0af26f48bd2d57294c11be991ba72643d69a17980bf6223

SHA512
fa790c7166a0e30dee80e3fbb746e037d642f13577eb8f2ae5554446f9156721da3093d93d88e5e4e0b84f6638acdaf86dad4648cddbf136a213c056874c1c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat

Filesize
200B

MD5
6d3a7e135ac221fe33898dcabeb4742b

SHA1
40497a94a3874bc30ad2def11de9acfbfb3f163f

SHA256
97282649e5c8cb41e1f459b4025a58331fb1689e15fc856dfb6c38a32ba24707

SHA512
5243168cd833ed66e8fedb1a738f5a76cdc35c43bb2046c150f6622967cdc4648b0c375a58837f368caf190a677efb08a10886370054924b7b60094d3152961d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MF6Ow2NaEZ.bat

Filesize
200B

MD5
5abd90957ecde75260b5abd58922d5aa

SHA1
17dc20dfd55c2aea047e11860a5b8f51349ac130

SHA256
45bda3d77aec584391d632f441b738285a4f7aff323e66bf7e0057296b7da10b

SHA512
d1f9921e3d17071f97671f39a5c122c50ed85ab326f8fac98d26cb26468f3207028295a8e926bf93189831f31f8f132149a6be1faa688a3f1ae19f59834fffb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\POH9bVQEfn.bat

Filesize
200B

MD5
e5d28aeb0df7577b2b87b1177dee5bd7

SHA1
68a358e41b9dbe14abff53260479ff25fcdac783

SHA256
55b0677f5d29dc997dafa370ccda978a6482d81389e368930f9e4d403c661a9f

SHA512
70fdbbefbb74a1df3e5ee9dbefbddb650a34cb117eb403924a2f0f14c7a3e3b7a8021da17cc22e4da21874054842fec6bf45a45775f52abbf95b4878daedcea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat

Filesize
248B

MD5
84658c3b335c4728f51168804cc61c53

SHA1
225aa146653fd9f28a0e90a9de8392a7cc7cf55a

SHA256
d4dc0c64850b2deba37b03f13835b92bf8e544e01e0d6deae3b9d72a03aef352

SHA512
d50cf0f71d9e114aa4b00eb784e95b5c8b4fb404e01c95d948a70702c773e4892621f5741322dd59d902c170c1bb77d31a5a3ea2507efab91d065adeabf9673e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11CC.tmp

Filesize
1KB

MD5
4070ff48ab67b82b24adc084a6838a34

SHA1
f0946187bf9b89f36a7bc9e26ab901da3a46c3b3

SHA256
60bc4dac568ae0c26a193d62de51bd8b5c7d536360b0d8a414c98f39756edbef

SHA512
14c9926b044f8b7b7f4d255821b8b43d9c031630954166a1a3378d31477008235d138511135b28feacad533e43b02159db215c9b589fe5c130f78d1bfac434fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat

Filesize
200B

MD5
c356b0d79c88b79d5704ba9cdac9c2c6

SHA1
ba60ce05fae2af9023a2e40611bdf9362160150c

SHA256
98d82f504d1260976dbad96e9be6511914e9707503dbd54b0dae44be85e0d9ba

SHA512
6006a3389276518fb6243805f4a0a2daef865c3aa1e37ffce4f1549f8e503ea3fedfbaa281172a39ec0cc6273db571d493dea778979dd36ac721f103a5b530c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat

Filesize
248B

MD5
074a029ea9e1701523225f4676d06080

SHA1
63e42f25d1cd7cb6bf469c2a5036bb7d0bf03dcb

SHA256
5a90e644bcf53c169bb072eba28cf2d8721df3ff24fb6da42168a331656efda0

SHA512
c5f628c357d917a1e353ae775a25af1acf265320829fc1a197039332c54e7d22a310b5ffb7986576d005048c5ca7919cb4dcee26c6fa744c6263d49fcb5ba51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kJRy2Wx8TR.bat

Filesize
248B

MD5
5a8eae2195b61e5ff6c41bd3bb5bcf56

SHA1
1df4f849b3cc45ac75dd4479a0f4af922ef435e0

SHA256
06292e46a84af14008a27662cc2fed08f3e18fa6df676dd403a6d3db76d37077

SHA512
37d9357e596ed3b8531e07d7fb7dcb62c7a0c05bc357f356ba2f00fb5cc00c20a88a44a77cb155981d90de02578077d8ca273747e6e4d2b9a6265dd4747857e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\s6L5myzuOs.bat

Filesize
248B

MD5
09c54612a27f347ade33114b43e03e74

SHA1
1bbdbd25286d895bcb10d92da32c8eb6a6c6ee1d

SHA256
9396fdfbfb46afb9603d64347f8e4c271dd654ac38f523b0d7bb38bd557c2723

SHA512
999eb86554265a2aa1ed4f7575fb9426e30d541aaadd09e3b209b331584a6c2a8c6a0c2d85fb0520c8762cc9827adf323104adfe9b0a3c1c610abdc434b906fe

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sxflkvv2\sxflkvv2.0.cs

Filesize
406B

MD5
569bdfd2147d3622c6f7b078024a547e

SHA1
06a1c3802844bc7a8689b3951a69a0430747020d

SHA256
81f5329eb783eaa46b8ce78b8d32d4bb3875cdbb973b6a177180cdafe0509d3e

SHA512
f68efd8d6fb79b387aacba2ea33bbe26de6983a9417fbe56b60053abb0e14ba23ec161117f3c55f591455bb48935f4c5ec165e2b63dfd3bf9704bbac835ffa6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sxflkvv2\sxflkvv2.cmdline

Filesize
235B

MD5
18756f59d0382307947beab254aef492

SHA1
2bbf9262e03538a09c2e8c5ef8ce88e615c85cab

SHA256
ee4c59a40b10231587e44fd9c52a37d7956b50efb47e545943e58cd4db5bcf20

SHA512
0b09daff869ab74334e44d5bbb1619b433c1f4fb049f14cce2f180adc25752ac7737a54ea6ecba58c3515598fd2afedfccf8efc65919181c9ee3430301e4b452

Download Submit
\??\c:\Windows\System32\CSCD4B85F26F6A145799AFCEFEC453478.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe

Filesize
3.2MB

MD5
a7040b85fc683f088f4c6e5b44052c43

SHA1
7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66

SHA256
b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

SHA512
e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
e05ffb0ad335a107f2893085ba2c0d3b

SHA1
4ef14146f3d487e2284834e3487d7f445567eece

SHA256
e3b0f1ce04670bf7ba36124b563b907a006315723519802bbdec39d1e63339bc

SHA512
4db925028acd86225a8ced92e62cecca4543cbbd4aa7121de8874541d6c9fefdb2ba6fb56d6ced50353aa08d78096149b278037c0b4ac34198c61bf2c40ac02c

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d36cc2935ae0e7a5d2936db589a9b8cc

SHA1
082bd58c0ad60fa4783b63a4f681a5c5fad8e1a6

SHA256
4c93adb50768feb3cdea95f1fedc5d6fdc262d59f12c4b66601d377e2709c2e3

SHA512
547452ba0de7c8ebeec8e4bb2d916c7a881b6743e6d1fb6d2761a202b7cf5bb30c3f541957de70c584b46b7171f3f20338b4985341829b408c366aeaeced9290

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
1eef77a8a94c623b83588f99a7976b1c

SHA1
b2f316476f94090d9279226b4318421f2c467c8a

SHA256
a5e739ca15cb9eb451a5e7934ba291704080cca980c31efc759d5a7f5638c9e7

SHA512
d38436494bd90d3917097916c5613536de527651dd844abb223d506e870b3cb3d004b1d5fade66ba96de6ef32e117f82e813a6b0bae208f46a8de3fde2f636d8

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
b346d42c44ad024eb0903785f9c2bbdc

SHA1
3687899d039dd34d73273946176d808aefc97fc1

SHA256
13823200ee21d700a6ebf39963aa16913b0a2ed2ca4f465d37f8daa5330c28ef

SHA512
2eb89dcb3f540c0688961c32b5fc7b647a1afbe26886f6ee7a3de415fed4bffb757664240f9caf70c663e79a4b0ff6f65921d63b4bb81d98a19187018e4968da

Download Submit
\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
memory/468-86-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/468-88-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/468-90-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/468-92-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/468-84-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/468-82-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/468-80-0x0000000000A20000-0x0000000000C10000-memory.dmp

Filesize
1.9MB

Download
memory/848-45-0x00000000005E0000-0x00000000005FF000-memory.dmp

Filesize
124KB

Download
memory/848-182-0x00000000005E0000-0x00000000005FF000-memory.dmp

Filesize
124KB

Download
memory/848-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1160-253-0x0000000000B80000-0x0000000000D70000-memory.dmp

Filesize
1.9MB

Download
memory/1224-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1224-10-0x0000000002D40000-0x0000000003121000-memory.dmp

Filesize
3.9MB

Download
memory/1224-15-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/1224-62-0x0000000002D40000-0x0000000003121000-memory.dmp

Filesize
3.9MB

Download
memory/1224-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1620-227-0x00000000002B0000-0x00000000004A0000-memory.dmp

Filesize
1.9MB

Download
memory/1868-161-0x0000000000110000-0x0000000000300000-memory.dmp

Filesize
1.9MB

Download
memory/2224-240-0x0000000000210000-0x0000000000400000-memory.dmp

Filesize
1.9MB

Download
memory/2376-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2492-54-0x00000000012C0000-0x00000000016A1000-memory.dmp

Filesize
3.9MB

Download
memory/2492-12-0x00000000012C0000-0x00000000016A1000-memory.dmp

Filesize
3.9MB

Download
memory/2672-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2688-174-0x0000000000FF0000-0x00000000011E0000-memory.dmp

Filesize
1.9MB

Download
memory/2708-59-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2708-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2716-123-0x0000000000D20000-0x0000000000F10000-memory.dmp

Filesize
1.9MB

Download
memory/2748-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2800-136-0x0000000000350000-0x0000000000540000-memory.dmp

Filesize
1.9MB

Download