dcrat | 0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53

Analysis

max time kernel
126s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hatabat.exe
Size

13.0MB
MD5

5038e381411591332b285c540d4b6bef
SHA1

4af0f013e8652e3d03c296a59c67c70508e39612
SHA256

0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53
SHA512

3055db5a385b9e27cd6e7718a45bf1695ac0d9d798f7089276baf0542227768d5b1d6eb72ddb493a27b346af77c0d40a6a4474beddf77c24eed7b9cf3b06769b
SSDEEP

393216:064QwP3EQ5H+i4IDzQTj4pUbZFdoPgY2:0647P3J5eRInQT0pkFmP2

Score

10^/10

dcrat xworm execution infostealer persistence rat trojan upx

Malware Config

Extracted

Family

xworm

147.185.221.17:14348

147.185.221.17:14348:14348

Attributes

Install_directory
%AppData%
install_file
sgredgkrtf09weut3r435.exe
telegram
https://api.telegram.org/bot7150716400:AAE41jshl4_joK29lZ3HuflfsurF6ZZKlDg/sendMessage?chat_id=5187782651

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014f71-44.dat	family_xworm
behavioral1/memory/2652-47-0x00000000002A0000-0x00000000002B6000-memory.dmp	family_xworm
behavioral1/memory/2336-309-0x00000000002D0000-0x00000000002E6000-memory.dmp	family_xworm
behavioral1/memory/720-312-0x0000000001280000-0x0000000001296000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\Users\\Admin\\amamamsus.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\setup.exe\", \"C:\\Windows\\addins\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\spoolsv.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\sppsvc.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\lsm.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\Users\\Admin\\amamamsus.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\Users\\Admin\\amamamsus.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\setup.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\Users\\Admin\\amamamsus.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\setup.exe\", \"C:\\Windows\\addins\\spoolsv.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\Users\\Admin\\amamamsus.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\setup.exe\", \"C:\\Windows\\addins\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\Users\\Admin\\amamamsus.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\setup.exe\", \"C:\\Windows\\addins\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\spoolsv.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\Users\\Admin\\amamamsus.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\setup.exe\", \"C:\\Windows\\addins\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\spoolsv.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\sppsvc.exe\""	amamamsus.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2392	schtasks.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2392	schtasks.exe	58

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000014b63-29.dat	dcrat
behavioral1/files/0x0006000000015d79-142.dat	dcrat
behavioral1/memory/1684-145-0x00000000009B0000-0x0000000000CC8000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe
2412	powershell.exe
984	powershell.exe
488	powershell.exe
1088	powershell.exe
1328	powershell.exe
1712	powershell.exe
2400	powershell.exe
2128	powershell.exe
776	powershell.exe
2004	powershell.exe
2748	powershell.exe
840	powershell.exe
2072	powershell.exe
548	powershell.exe
1008	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgredgkrtf09weut3r435.lnk	scvhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgredgkrtf09weut3r435.lnk	scvhost.exe

Executes dropped EXE 12 IoCs

pid	Process
2352	adb.exe
2656	dllhost.exe
2592	fastboot.exe
2652	scvhost.exe
2432	setup.exe
2320	setup.exe
1684	amamamsus.exe
2276	amamamsus.exe
1196	Process not Found
2244	amamamsus.exe
2336	sgredgkrtf09weut3r435.exe
720	sgredgkrtf09weut3r435.exe

Loads dropped DLL 9 IoCs

pid	Process
2352	adb.exe
2352	adb.exe
2592	fastboot.exe
2592	fastboot.exe
2512	hatabat.exe
2432	setup.exe
2320	setup.exe
912	cmd.exe
1196	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016c4a-102.dat	upx
behavioral1/memory/2320-106-0x000007FEF2730000-0x000007FEF2D18000-memory.dmp	upx

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\addins\\spoolsv.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amamamsus = "\"C:\\Users\\Admin\\amamamsus.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\spoolsv.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\spoolsv.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\sppsvc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Temp\\Crashpad\\attachments\\lsm.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\amamamsus = "\"C:\\Users\\Admin\\amamamsus.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\addins\\spoolsv.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\sgredgkrtf09weut3r435 = "C:\\Users\\Admin\\AppData\\Roaming\\sgredgkrtf09weut3r435.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\setup.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\setup.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\sppsvc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Temp\\Crashpad\\attachments\\lsm.exe\""	amamamsus.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\winlogon.exe	amamamsus.exe
File opened for modification	C:\Program Files (x86)\MSBuild\winlogon.exe	amamamsus.exe
File created	C:\Program Files (x86)\MSBuild\cc11b995f2a76d	amamamsus.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\setup.exe	amamamsus.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\826420e65ec10f	amamamsus.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\addins\f3b6ecef712a24	amamamsus.exe
File created	C:\Windows\addins\spoolsv.exe	amamamsus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1780	schtasks.exe
2492	schtasks.exe
1288	schtasks.exe
2732	schtasks.exe
1760	schtasks.exe
1700	schtasks.exe
2572	schtasks.exe
2496	schtasks.exe
2900	schtasks.exe
2436	schtasks.exe
2816	schtasks.exe
2764	schtasks.exe
1820	schtasks.exe
2640	schtasks.exe
2780	schtasks.exe
1476	schtasks.exe
2184	schtasks.exe
1396	schtasks.exe
2504	schtasks.exe
2552	schtasks.exe
2512	schtasks.exe
2316	schtasks.exe
1624	schtasks.exe
1944	schtasks.exe
2108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2072	powershell.exe
2412	powershell.exe
1328	powershell.exe
548	powershell.exe
1684	amamamsus.exe
1684	amamamsus.exe
1684	amamamsus.exe
1684	amamamsus.exe
1684	amamamsus.exe
1684	amamamsus.exe
1684	amamamsus.exe
2128	powershell.exe
1712	powershell.exe
776	powershell.exe
488	powershell.exe
984	powershell.exe
2004	powershell.exe
1008	powershell.exe
840	powershell.exe
2748	powershell.exe
1088	powershell.exe
2400	powershell.exe
2600	powershell.exe
2652	scvhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	scvhost.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1684	amamamsus.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	2276	amamamsus.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2652	scvhost.exe
Token: SeDebugPrivilege	2244	amamamsus.exe
Token: SeDebugPrivilege	2336	sgredgkrtf09weut3r435.exe
Token: SeDebugPrivilege	720	sgredgkrtf09weut3r435.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	scvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2352	2512	hatabat.exe	28
PID 2512 wrote to memory of 2352	2512	hatabat.exe	28
PID 2512 wrote to memory of 2352	2512	hatabat.exe	28
PID 2512 wrote to memory of 2352	2512	hatabat.exe	28
PID 2512 wrote to memory of 1700	2512	hatabat.exe	30
PID 2512 wrote to memory of 1700	2512	hatabat.exe	30
PID 2512 wrote to memory of 1700	2512	hatabat.exe	30
PID 2512 wrote to memory of 2656	2512	hatabat.exe	32
PID 2512 wrote to memory of 2656	2512	hatabat.exe	32
PID 2512 wrote to memory of 2656	2512	hatabat.exe	32
PID 2512 wrote to memory of 2656	2512	hatabat.exe	32
PID 2512 wrote to memory of 2592	2512	hatabat.exe	33
PID 2512 wrote to memory of 2592	2512	hatabat.exe	33
PID 2512 wrote to memory of 2592	2512	hatabat.exe	33
PID 2512 wrote to memory of 2592	2512	hatabat.exe	33
PID 2512 wrote to memory of 2012	2512	hatabat.exe	35
PID 2512 wrote to memory of 2012	2512	hatabat.exe	35
PID 2512 wrote to memory of 2012	2512	hatabat.exe	35
PID 2512 wrote to memory of 2652	2512	hatabat.exe	36
PID 2512 wrote to memory of 2652	2512	hatabat.exe	36
PID 2512 wrote to memory of 2652	2512	hatabat.exe	36
PID 2512 wrote to memory of 2432	2512	hatabat.exe	37
PID 2512 wrote to memory of 2432	2512	hatabat.exe	37
PID 2512 wrote to memory of 2432	2512	hatabat.exe	37
PID 2512 wrote to memory of 3020	2512	hatabat.exe	38
PID 2512 wrote to memory of 3020	2512	hatabat.exe	38
PID 2512 wrote to memory of 3020	2512	hatabat.exe	38
PID 2512 wrote to memory of 2792	2512	hatabat.exe	40
PID 2512 wrote to memory of 2792	2512	hatabat.exe	40
PID 2512 wrote to memory of 2792	2512	hatabat.exe	40
PID 2432 wrote to memory of 2320	2432	setup.exe	41
PID 2432 wrote to memory of 2320	2432	setup.exe	41
PID 2432 wrote to memory of 2320	2432	setup.exe	41
PID 2656 wrote to memory of 1036	2656	dllhost.exe	42
PID 2656 wrote to memory of 1036	2656	dllhost.exe	42
PID 2656 wrote to memory of 1036	2656	dllhost.exe	42
PID 2656 wrote to memory of 1036	2656	dllhost.exe	42
PID 2656 wrote to memory of 2784	2656	dllhost.exe	43
PID 2656 wrote to memory of 2784	2656	dllhost.exe	43
PID 2656 wrote to memory of 2784	2656	dllhost.exe	43
PID 2656 wrote to memory of 2784	2656	dllhost.exe	43
PID 2652 wrote to memory of 2072	2652	scvhost.exe	44
PID 2652 wrote to memory of 2072	2652	scvhost.exe	44
PID 2652 wrote to memory of 2072	2652	scvhost.exe	44
PID 2652 wrote to memory of 2412	2652	scvhost.exe	46
PID 2652 wrote to memory of 2412	2652	scvhost.exe	46
PID 2652 wrote to memory of 2412	2652	scvhost.exe	46
PID 2012 wrote to memory of 1492	2012	WScript.exe	48
PID 2012 wrote to memory of 1492	2012	WScript.exe	48
PID 2012 wrote to memory of 1492	2012	WScript.exe	48
PID 1492 wrote to memory of 1684	1492	cmd.exe	50
PID 1492 wrote to memory of 1684	1492	cmd.exe	50
PID 1492 wrote to memory of 1684	1492	cmd.exe	50
PID 2652 wrote to memory of 1328	2652	scvhost.exe	51
PID 2652 wrote to memory of 1328	2652	scvhost.exe	51
PID 2652 wrote to memory of 1328	2652	scvhost.exe	51
PID 1036 wrote to memory of 912	1036	WScript.exe	53
PID 1036 wrote to memory of 912	1036	WScript.exe	53
PID 1036 wrote to memory of 912	1036	WScript.exe	53
PID 1036 wrote to memory of 912	1036	WScript.exe	53
PID 912 wrote to memory of 2276	912	cmd.exe	55
PID 912 wrote to memory of 2276	912	cmd.exe	55
PID 912 wrote to memory of 2276	912	cmd.exe	55
PID 912 wrote to memory of 2276	912	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\hatabat.exe
"C:\Users\Admin\AppData\Local\Temp\hatabat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Roaming\adb.exe
  "C:\Users\Admin\AppData\Roaming\adb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2352
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\bat.bat" "
  2⤵
  PID:1700
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  "C:\Users\Admin\AppData\Roaming\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\1K70CMgSeGxLkKeGse1VkEk.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\WQrCS9t0V.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
        
        "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\file.vbs"
    3⤵
    PID:2784
- C:\Users\Admin\AppData\Roaming\fastboot.exe
  "C:\Users\Admin\AppData\Roaming\fastboot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2592
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\WQrCS9t0V.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
      "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CuZuW6RkB0.bat"
        5⤵
        
        PID:1984
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2084
      - C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
        
        "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
- C:\Users\Admin\AppData\Roaming\scvhost.exe
  "C:\Users\Admin\AppData\Roaming\scvhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sgredgkrtf09weut3r435.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sgredgkrtf09weut3r435" /tr "C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2492
- C:\Users\Admin\AppData\Roaming\setup.exe
  "C:\Users\Admin\AppData\Roaming\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Roaming\setup.exe
    "C:\Users\Admin\AppData\Roaming\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2320
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\sus.bat" "
  2⤵
  PID:3020
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vbs.vbs"
  2⤵
  - Enumerates connected drives
  PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "amamamsusa" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\amamamsus.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "amamamsus" /sc ONLOGON /tr "'C:\Users\Admin\amamamsus.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "amamamsusa" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\amamamsus.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setups" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\setup.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setup" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\setup.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setups" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\setup.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\Crashpad\attachments\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\attachments\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\taskeng.exe
taskeng.exe {0436261E-C125-4F6E-984D-CCC5CC0C42F8} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
PID:2532
- C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
  C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
  C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CuZuW6RkB0.bat

Filesize
244B

MD5
97f75848d1082e8962337748dc13825f

SHA1
f62f3ed5dc677d04e7cdedd53c49d34772d14c58

SHA256
af134cc163f479d0214b1bfd5a4f3a368676e6d2b78d93561cb3913d9c58e92e

SHA512
eefd6040e4cb1578202cdc516fcfaf82b8cdc99654f2531e742011c783cc547f7374318a1a841f01c7eb62e2d1dddd4f196b3773dac29bebe86b246e1b052021

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Roaming\AdbWinApi.dll

Filesize
95KB

MD5
ed5a809dc0024d83cbab4fb9933d598d

SHA1
0bc5a82327f8641d9287101e4cc7041af20bad57

SHA256
d60103a5e99bc9888f786ee916f5d6e45493c3247972cb053833803de7e95cf9

SHA512
1fdb74ee5912fbdd2c0cba501e998349fecfbef5f4f743c7978c38996aa7e1f38e8ac750f2dc8f84b8094de3dd6fa3f983a29f290b3fa2cdbdaed691748baf17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
53f13e9d57c3ef3d6420aeb25db461b4

SHA1
483a83c956cc07a56a00d3a27cc493881ec8dae9

SHA256
5774773eb1bde8cab4711cd156854afd8fe0373e22648817b7e2f8e5567c8d32

SHA512
626473a96430b954c6e0692f0386214003424a13e29b09cb7bd0a65ece6032cc8494b7cbde2b93db61185048b89b9bb043ce0a6d38692faa539b2a5f0f61587f

Download Submit
C:\Users\Admin\AppData\Roaming\adb.exe

Filesize
1.7MB

MD5
884242fb6cbbec1f7711b946ef669e0e

SHA1
7b2bc3c03909e705da759b7c21907683db668cc5

SHA256
65210cb4139672b53acaa2222b1005d036b0b02c437aa47e0e7b616fab0e2f6f

SHA512
c73ed5875dd0a3f0c400794a10336b00602950fa3ff6fb99ce9a772681fb8c5237c5c3cba2d0b7d254e497383d634d3a97342039cc40d295f262c583d0839768

Download Submit
C:\Users\Admin\AppData\Roaming\bat.bat

Filesize
60B

MD5
d55a01e2758ef91cd8ddccc7703517e2

SHA1
0d0d35d7d0007bdc0ddb74feae218b9eb6bb5e56

SHA256
db0c0c5b991e98b03da0dfdc60d3b63af434ef52cf62a523eb28e17f5827f456

SHA512
db9eee55674f8f5639803471159c5373fafddfbab7a36422aa2da05064215f0dd23b6b5772eb936620cf13657944bef9f63d2092cf7cb2c0172ca436fc5fc543

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
3.4MB

MD5
de586ed62cbe8aa67b7d2ea749e37e58

SHA1
3b8f0e80be45995bccd9aad044cf8ceef7fa1fdf

SHA256
041b5ae270b886ab3945f54a4dbdbb0e462ff2e4fa33a3acb0fe8e8d063eff8c

SHA512
57c80030b7524cb868a1afe8a337bbf93c19d9a301b9a28c28a3dee8aca256cf06df3f95cd847dd82e27d6251ff32bcf3d176dfb565ab4c64edc9ee1184d3054

Download Submit
C:\Users\Admin\AppData\Roaming\fastboot.exe

Filesize
833KB

MD5
0875abb1c7b403b3f95631326eafb6c2

SHA1
45faf0c7b005b72145f25186b1a735f282332246

SHA256
d794004af6dfedb5dbf118c20b4fda20ecdb38744191e859f1233287291cf0c7

SHA512
e7749ca3490851c854a036147041c04327203aacd9f9ec6577023ff4adfb9f3ae494baa312dbd12eedce21601ce8a0d2fd20f6f130ed0b2b134ee289db47f09b

Download Submit
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe

Filesize
3.1MB

MD5
7f37a8b5d7f8477374b5b59e9258b0f4

SHA1
5dd21643eab2b7dc44cb58acfb01b94ac1fecf3a

SHA256
acc383151665d737cdedbcd7c639d59063a64b7ce5e622143b92ce7f765551ab

SHA512
70c066075df0450d64acc9eb864e091fe16f081f9f60815fba3967e90f4c86a4c3903c1d88aab54828e60728b71b22abb5eaaf1ffdc29c679991b5574333242c

Download Submit
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Roaming\msg.vbe

Filesize
227B

MD5
f2c31772e7c91f2ff0d5a3799216245b

SHA1
7e4229eee244481cc48bf4744cea662676d0b53a

SHA256
fec6e35115ab887bbffc816e64363b321d776f1af26a58e935a54f3568aa437c

SHA512
9f3db7c0ba6ba33840fe00c12a890bbbb9684023129b997d4ae7a986de024086152e1de14f0288fd24de9f8127d82c161c5ccab3e28b22709d249f063ad91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
61KB

MD5
9db6d927f9fa97d5419f15ee5b633b3d

SHA1
832bdd728fc29bd360a3126da5d48dce3a4ebd31

SHA256
c608942ef98e1dd95df33e11104962e91ea360e01b455fbd666f881afc116526

SHA512
2ec400d834a83dee4d2db4074e72029098a7fe0a5f5913f41d82f32cc53f7cf16c7fd6fb2dbe22f30dd8defaa344390c0b46625594b61c15ee2a727766174275

Download Submit
C:\Users\Admin\AppData\Roaming\sus.bat

Filesize
54B

MD5
7b448e495d5ab244be8065bf0b5491d8

SHA1
1177a30a6aad0ed07295e445b57e23b9bfb0c8f8

SHA256
d9daef7c9edb752480402b9e5499049c92018006bca6d51c26d54b5895699090

SHA512
328f5682b4dd5e872f5d6fe364870375323965fe77915aeb983eb5b833bd413b6b3a4159b4fe88ca772e515cb4c010532ef6d2ad80d7e1fb0ce515564380c3be

Download Submit
C:\Users\Admin\AppData\Roaming\vbs.vbs

Filesize
236B

MD5
fc0095fbf5911c7f6a487621fd3f9f30

SHA1
3ff379b9eee2140cf03ecdc72779eee9adfe95e0

SHA256
0001254296d73292f955d193f8922aada45057ffc5de65e8b983f9c6d1140618

SHA512
88752695000e85a029153b5e368b5e45ed085f35170b7c7888b1ca071889d387d8d437ca40013d1137e333f0d3f04d7709efcc5466cd7a554a2da209e20b4f80

Download Submit
\Users\Admin\AppData\Roaming\AdbWinUsbApi.dll

Filesize
61KB

MD5
0e24119daf1909e398fa1850b6112077

SHA1
293eedadb3172e756a421790d551e407457e0a8c

SHA256
25207c506d29c4e8dceb61b4bd50e8669ba26012988a43fbf26a890b1e60fc97

SHA512
9cbb26e555ab40b019a446337db58770b9a0c9c08316ff1e1909c4b6d99c00bd33522d05890870a91b4b581e20c7dce87488ab0d22fc3c4bbdd7e9b38f164b43

Download Submit
\Users\Admin\AppData\Roaming\setup.exe

Filesize
6.9MB

MD5
e6911d67b1557e060469e3bcbb3f1b26

SHA1
d8e26462769918eccae2ca6c15348f810eb6568e

SHA256
1420115bb23121fd0ab3a7d9a6ba8ddcd4a718724b258c8c214403c070f1cb18

SHA512
b19cfb6214209ce31cf10620f199f03c1c3f344109378e69b05b3651322f13f461232954aafddbe6910887d807126b91258f0902c1e54d3e9f0136cbf265a04d

Download Submit
memory/548-170-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/720-312-0x0000000001280000-0x0000000001296000-memory.dmp

Filesize
88KB

Download
memory/1328-153-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1328-152-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1684-179-0x0000000002530000-0x0000000002538000-memory.dmp

Filesize
32KB

Download
memory/1684-184-0x000000001AFD0000-0x000000001AFDE000-memory.dmp

Filesize
56KB

Download
memory/1684-186-0x000000001B0F0000-0x000000001B0F8000-memory.dmp

Filesize
32KB

Download
memory/1684-187-0x000000001B100000-0x000000001B10C000-memory.dmp

Filesize
48KB

Download
memory/1684-185-0x000000001AFE0000-0x000000001AFE8000-memory.dmp

Filesize
32KB

Download
memory/1684-182-0x000000001ADE0000-0x000000001ADEA000-memory.dmp

Filesize
40KB

Download
memory/1684-183-0x000000001AF40000-0x000000001AF4E000-memory.dmp

Filesize
56KB

Download
memory/1684-181-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

Filesize
48KB

Download
memory/1684-180-0x000000001ADC0000-0x000000001ADCC000-memory.dmp

Filesize
48KB

Download
memory/1684-178-0x0000000002520000-0x000000000252C000-memory.dmp

Filesize
48KB

Download
memory/1684-145-0x00000000009B0000-0x0000000000CC8000-memory.dmp

Filesize
3.1MB

Download
memory/1684-177-0x000000001A9E0000-0x000000001A9F2000-memory.dmp

Filesize
72KB

Download
memory/1684-176-0x000000001A9D0000-0x000000001A9D8000-memory.dmp

Filesize
32KB

Download
memory/1684-175-0x000000001A9C0000-0x000000001A9CC000-memory.dmp

Filesize
48KB

Download
memory/1684-156-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/1684-157-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/1684-159-0x0000000000670000-0x000000000068C000-memory.dmp

Filesize
112KB

Download
memory/1684-158-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/1684-160-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/1684-163-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/1684-162-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/1684-161-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/1684-174-0x00000000024F0000-0x00000000024FC000-memory.dmp

Filesize
48KB

Download
memory/1684-169-0x0000000002350000-0x000000000235C000-memory.dmp

Filesize
48KB

Download
memory/1684-171-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/1684-172-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/1684-173-0x000000001AEF0000-0x000000001AF46000-memory.dmp

Filesize
344KB

Download
memory/2072-134-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2072-133-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2128-215-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2128-221-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2320-106-0x000007FEF2730000-0x000007FEF2D18000-memory.dmp

Filesize
5.9MB

Download
memory/2336-309-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2352-24-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2412-144-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2412-143-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2512-1-0x0000000000270000-0x0000000000F78000-memory.dmp

Filesize
13.0MB

Download
memory/2512-0-0x000007FEF5D73000-0x000007FEF5D74000-memory.dmp

Filesize
4KB

Download
memory/2592-45-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2652-47-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/2792-109-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-110-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-111-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-112-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-300-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-305-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-304-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-303-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-302-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-301-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-113-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/2792-114-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download