Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14/01/2025, 03:06
Static task: static1
Behavioral task: behavioral1
- Sample: bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
- Resource: win10v2004-20241007-en
General
- Target: bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
- Size: 3.3MB
- MD5: c883ea559bee9a0cb393aa32dcaf5d80
- SHA1: 995dfd0d9d504bec628e7d7297962677d8ab32cb
- SHA256: bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9
- SHA512: 9ee8ef8a9912b14bcbeb3c13b2670c92eecc17c4a8a719d6bd9935f17239a244457e2f711c01e374febd767c866d6c563bad97e687680919ca0c017d738626ee
- SSDEEP: 98304:db5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8N7:hMyqKM1TogtqT44NN7
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Install\\System.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\blockcomSession\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Install\\System.exe\", \"C:\\blockcomSession\\containerReview.exe\"" | containerReview.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2168 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 704 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 112 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2096 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1228 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1960 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1508 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 960 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 604 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1252 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2340 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1280 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2384 | schtasks.exe | 45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 2384 | schtasks.exe | 45
Executes dropped EXE (18 IoCs)
pid | Process
2492 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2376 | icsys.icn.exe
848 | explorer.exe
2708 | spoolsv.exe
2748 | svchost.exe
2672 | spoolsv.exe
468 | containerReview.exe
2716 | lsass.exe
2800 | lsass.exe
1564 | lsass.exe
1868 | lsass.exe
2688 | lsass.exe
2772 | lsass.exe
1460 | lsass.exe
3004 | lsass.exe
1620 | lsass.exe
2224 | lsass.exe
1160 | lsass.exe
Loads dropped DLL (8 IoCs)
pid | Process
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2376 | icsys.icn.exe
848 | explorer.exe
2708 | spoolsv.exe
2748 | svchost.exe
1728 | cmd.exe
1728 | cmd.exe
Adds Run key to start application (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\blockcomSession\\lsm.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\lsass.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\blockcomSession\\lsm.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Google\\Update\\Install\\System.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Google\\Update\\Install\\System.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\"" | containerReview.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\3kmwe8.exe | csc.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File created | \??\c:\Windows\System32\CSCD4B85F26F6A145799AFCEFEC453478.TMP | csc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
2492 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Google\Update\Install\System.exe | containerReview.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\System.exe | containerReview.exe
File created | C:\Program Files (x86)\Google\Update\Install\27d1bcfc3c54e0 | containerReview.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe | containerReview.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e | containerReview.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 8 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2152 | PING.EXE
1848 | PING.EXE
2124 | PING.EXE
2080 | PING.EXE
936 | PING.EXE
1276 | PING.EXE
940 | PING.EXE
2144 | PING.EXE
Runs ping.exe (1 TTPs, 8 IoCs)
pid | Process
2080 | PING.EXE
936 | PING.EXE
1276 | PING.EXE
940 | PING.EXE
2144 | PING.EXE
2152 | PING.EXE
1848 | PING.EXE
2124 | PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
604 | schtasks.exe
1252 | schtasks.exe
2292 | schtasks.exe
2440 | schtasks.exe
2312 | schtasks.exe
2948 | schtasks.exe
1592 | schtasks.exe
1508 | schtasks.exe
960 | schtasks.exe
1280 | schtasks.exe
704 | schtasks.exe
112 | schtasks.exe
1228 | schtasks.exe
1960 | schtasks.exe
2320 | schtasks.exe
1056 | schtasks.exe
1912 | schtasks.exe
2340 | schtasks.exe
1764 | schtasks.exe
2168 | schtasks.exe
2096 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2492 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
848 | explorer.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
2748 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2748 | svchost.exe
848 | explorer.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 468 | containerReview.exe
Token: SeDebugPrivilege | 2716 | lsass.exe
Token: SeDebugPrivilege | 2800 | lsass.exe
Token: SeDebugPrivilege | 1564 | lsass.exe
Token: SeDebugPrivilege | 1868 | lsass.exe
Token: SeDebugPrivilege | 2688 | lsass.exe
Token: SeDebugPrivilege | 2772 | lsass.exe
Token: SeDebugPrivilege | 1460 | lsass.exe
Token: SeDebugPrivilege | 3004 | lsass.exe
Token: SeDebugPrivilege | 1620 | lsass.exe
Token: SeDebugPrivilege | 2224 | lsass.exe
Token: SeDebugPrivilege | 1160 | lsass.exe
Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2492 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
2376 | icsys.icn.exe
2376 | icsys.icn.exe
848 | explorer.exe
848 | explorer.exe
2708 | spoolsv.exe
2708 | spoolsv.exe
2748 | svchost.exe
2748 | svchost.exe
2672 | spoolsv.exe
2672 | spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1224 wrote to memory of 2492 | 1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 31
PID 1224 wrote to memory of 2492 | 1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 31
PID 1224 wrote to memory of 2492 | 1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 31
PID 1224 wrote to memory of 2492 | 1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 31
PID 1224 wrote to memory of 2376 | 1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 32
PID 1224 wrote to memory of 2376 | 1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 32
PID 1224 wrote to memory of 2376 | 1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 32
PID 1224 wrote to memory of 2376 | 1224 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 32
PID 2376 wrote to memory of 848 | 2376 | icsys.icn.exe | 33
PID 2376 wrote to memory of 848 | 2376 | icsys.icn.exe | 33
PID 2376 wrote to memory of 848 | 2376 | icsys.icn.exe | 33
PID 2376 wrote to memory of 848 | 2376 | icsys.icn.exe | 33
PID 2492 wrote to memory of 2864 | 2492 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 34
PID 2492 wrote to memory of 2864 | 2492 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 34
PID 2492 wrote to memory of 2864 | 2492 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 34
PID 2492 wrote to memory of 2864 | 2492 | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe | 34
PID 848 wrote to memory of 2708 | 848 | explorer.exe | 35
PID 848 wrote to memory of 2708 | 848 | explorer.exe | 35
PID 848 wrote to memory of 2708 | 848 | explorer.exe | 35
PID 848 wrote to memory of 2708 | 848 | explorer.exe | 35
PID 2708 wrote to memory of 2748 | 2708 | spoolsv.exe | 36
PID 2708 wrote to memory of 2748 | 2708 | spoolsv.exe | 36
PID 2708 wrote to memory of 2748 | 2708 | spoolsv.exe | 36
PID 2708 wrote to memory of 2748 | 2708 | spoolsv.exe | 36
PID 2748 wrote to memory of 2672 | 2748 | svchost.exe | 37
PID 2748 wrote to memory of 2672 | 2748 | svchost.exe | 37
PID 2748 wrote to memory of 2672 | 2748 | svchost.exe | 37
PID 2748 wrote to memory of 2672 | 2748 | svchost.exe | 37
PID 848 wrote to memory of 2632 | 848 | explorer.exe | 38
PID 848 wrote to memory of 2632 | 848 | explorer.exe | 38
PID 848 wrote to memory of 2632 | 848 | explorer.exe | 38
PID 848 wrote to memory of 2632 | 848 | explorer.exe | 38
PID 2748 wrote to memory of 1056 | 2748 | svchost.exe | 39
PID 2748 wrote to memory of 1056 | 2748 | svchost.exe | 39
PID 2748 wrote to memory of 1056 | 2748 | svchost.exe | 39
PID 2748 wrote to memory of 1056 | 2748 | svchost.exe | 39
PID 2864 wrote to memory of 1728 | 2864 | WScript.exe | 42
PID 2864 wrote to memory of 1728 | 2864 | WScript.exe | 42
PID 2864 wrote to memory of 1728 | 2864 | WScript.exe | 42
PID 2864 wrote to memory of 1728 | 2864 | WScript.exe | 42
PID 1728 wrote to memory of 468 | 1728 | cmd.exe | 44
PID 1728 wrote to memory of 468 | 1728 | cmd.exe | 44
PID 1728 wrote to memory of 468 | 1728 | cmd.exe | 44
PID 1728 wrote to memory of 468 | 1728 | cmd.exe | 44
PID 468 wrote to memory of 1300 | 468 | containerReview.exe | 49
PID 468 wrote to memory of 1300 | 468 | containerReview.exe | 49
PID 468 wrote to memory of 1300 | 468 | containerReview.exe | 49
PID 1300 wrote to memory of 1680 | 1300 | csc.exe | 51
PID 1300 wrote to memory of 1680 | 1300 | csc.exe | 51
PID 1300 wrote to memory of 1680 | 1300 | csc.exe | 51
PID 468 wrote to memory of 1648 | 468 | containerReview.exe | 67
PID 468 wrote to memory of 1648 | 468 | containerReview.exe | 67
PID 468 wrote to memory of 1648 | 468 | containerReview.exe | 67
PID 1648 wrote to memory of 2940 | 1648 | cmd.exe | 69
PID 1648 wrote to memory of 2940 | 1648 | cmd.exe | 69
PID 1648 wrote to memory of 2940 | 1648 | cmd.exe | 69
PID 1648 wrote to memory of 2144 | 1648 | cmd.exe | 70
PID 1648 wrote to memory of 2144 | 1648 | cmd.exe | 70
PID 1648 wrote to memory of 2144 | 1648 | cmd.exe | 70
PID 1648 wrote to memory of 2716 | 1648 | cmd.exe | 71
PID 1648 wrote to memory of 2716 | 1648 | cmd.exe | 71
PID 1648 wrote to memory of 2716 | 1648 | cmd.exe | 71
PID 2716 wrote to memory of 2364 | 2716 | lsass.exe | 72
PID 2716 wrote to memory of 2364 | 2716 | lsass.exe | 72
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1224

Level 2: \??\c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
Command line: c:\users\admin\appdata\local\temp\bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9.exe
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2492

Level 3: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2864

Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1728

Level 5: C:\blockcomSession\containerReview.exe
Command line: "C:\blockcomSession/containerReview.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 468

Level 6: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxflkvv2\sxflkvv2.cmdline"
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1300

Level 7: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CC.tmp" "c:\Windows\System32\CSCD4B85F26F6A145799AFCEFEC453478.TMP"
PID: 1680
Level 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\POH9bVQEfn.bat"
- Suspicious use of WriteProcessMemory
PID: 1648

Level 7: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 2940

Level 7: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2144

Level 7: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2716

Level 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MF6Ow2NaEZ.bat"
PID: 2364

Level 9: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 3036

Level 9: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2152

Level 9: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2800

Level 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ZwY0m3aI8.bat"
PID: 3056

Level 11: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 3028

Level 11: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1848

Level 11: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1564

Level 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6C8kMSA4ag.bat"
PID: 1444

Level 13: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 564

Level 13: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2124

Level 13: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1868

Level 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s6L5myzuOs.bat"
PID: 1580

Level 15: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 1364

Level 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2392

Level 15: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2688

Level 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat"
PID: 1428

Level 17: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 3048

Level 17: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2080

Level 17: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2772

Level 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat"
PID: 2452

Level 19: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 2056

Level 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2200

Level 19: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1460

Level 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat"
PID: 2252

Level 21: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 372

Level 21: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 936

Level 21: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3004

Level 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat"
PID: 784

Level 23: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 2248

Level 23: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1276

Level 23: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1620

Level 24: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kJRy2Wx8TR.bat"
PID: 2760

Level 25: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 1972

Level 25: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2632

Level 25: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2224

Level 26: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat"
PID: 2868

Level 27: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 944

Level 27: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 444

Level 27: C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe
Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1160

Level 28: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4XCyKdTKaY.bat"
PID: 2300

Level 29: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 2156

Level 29: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 940
Level 2: C:\Windows\Resources\Themes\icsys.icn.exe
Command line: C:\Windows\Resources\Themes\icsys.icn.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2376

Level 3: \??\c:\windows\resources\themes\explorer.exe
Command line: c:\windows\resources\themes\explorer.exe
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 848

Level 4: \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe SE
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2708

Level 5: \??\c:\windows\resources\svchost.exe
Command line: c:\windows\resources\svchost.exe
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2748

Level 6: \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe PR
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2672

Level 6: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:08 /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 1056

Level 6: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:09 /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 2948

Level 6: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:10 /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 2320

Level 4: C:\Windows\Explorer.exe
Command line: C:\Windows\Explorer.exe
PID: 2632
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\blockcomSession\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\blockcomSession\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Install\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Install\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\containerReview.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 6 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (3)
Downloads