dcrat | e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1

Analysis

max time kernel
49s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exe
Size

2.2MB
MD5

83539ba7c5103e90cf7230812873abb5
SHA1

aa84fc6f29b943e714f7be00e4cc7af957484381
SHA256

e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1
SHA512

e8183cbd06ae2f1930cf7a2d417562d1c90cc1e5bbe580f0049d2b303ab4699f59981d6ab6a3f774c01dc014e9f1c7cc1933e1e6aeaea62404f42e1e07d27487
SSDEEP

24576:2TbBv5rUyXVijPqBdzumpuWIax7RAxXo6MA17qm8w4tBPP+3wVwLsvMlDF/3cWA3:IBJiSr41q9FtBPW3+elDNMWAgPrc7H

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Local Security Authority Process.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\spoolsv.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\cmd.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\spoolsv.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\cmd.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\spoolsv.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\spoolsv.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\cmd.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Defender\\en-US\\cmd.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\spoolsv.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\cmd.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Defender\\en-US\\cmd.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\spoolsv.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\spoolsv.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\""	Local Security Authority Process.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	1660	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2420	powershell.exe
1244	powershell.exe
1000	powershell.exe
456	powershell.exe
1992	powershell.exe
1756	powershell.exe
1052	powershell.exe
1932	powershell.exe
680	powershell.exe
388	powershell.exe
1944	powershell.exe
2020	powershell.exe
1488	powershell.exe
568	powershell.exe
2476	powershell.exe
1724	powershell.exe
1636	powershell.exe
920	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

Local Security Authority Process.exespoolsv.exe

pid process

2148 Local Security Authority Process.exe
2824 spoolsv.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2872 cmd.exe
2872 cmd.exe

pid	process
2872	cmd.exe
2872	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Local Security Authority Process.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\spoolsv.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\cmd.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\cmd.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\spoolsv.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Defender\\en-US\\cmd.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\spoolsv.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\spoolsv.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Defender\\en-US\\cmd.exe\""	Local Security Authority Process.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipinfo.io
5 ipinfo.io

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC7CDD1307E47649F298158A29485B2620.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe

Drops file in Program Files directory 7 IoCs

Processes:

Local Security Authority Process.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24	Local Security Authority Process.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\cmd.exe	Local Security Authority Process.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\cmd.exe	Local Security Authority Process.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\ebf1f9fa8afd6d	Local Security Authority Process.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\cmd.exe	Local Security Authority Process.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ebf1f9fa8afd6d	Local Security Authority Process.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe	Local Security Authority Process.exe

Drops file in Windows directory 1 IoCs

Processes:

Local Security Authority Process.exe

description ioc process

File created C:\Windows\diagnostics\scheduled\cmd.exe Local Security Authority Process.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\diagnostics\scheduled\cmd.exe	Local Security Authority Process.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exee3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Local Security Authority Process.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Local Security Authority Process.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Local Security Authority Process.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2104	schtasks.exe
2188	schtasks.exe
2272	schtasks.exe
2216	schtasks.exe
3028	schtasks.exe
1996	schtasks.exe
2512	schtasks.exe
2220	schtasks.exe
2396	schtasks.exe
1584	schtasks.exe
2200	schtasks.exe
2568	schtasks.exe
2900	schtasks.exe
2260	schtasks.exe
2052	schtasks.exe
1408	schtasks.exe
2700	schtasks.exe
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Local Security Authority Process.exe

pid	process
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe
2148	Local Security Authority Process.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

Local Security Authority Process.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exe

description	pid	process
Token: SeDebugPrivilege	2148	Local Security Authority Process.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	2824	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exeWScript.execmd.exeLocal Security Authority Process.execsc.exe

description	pid	process	target process
PID 392 wrote to memory of 2184	392	e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exe	WScript.exe
PID 392 wrote to memory of 2184	392	e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exe	WScript.exe
PID 392 wrote to memory of 2184	392	e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exe	WScript.exe
PID 392 wrote to memory of 2184	392	e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exe	WScript.exe
PID 2184 wrote to memory of 2872	2184	WScript.exe	cmd.exe
PID 2184 wrote to memory of 2872	2184	WScript.exe	cmd.exe
PID 2184 wrote to memory of 2872	2184	WScript.exe	cmd.exe
PID 2184 wrote to memory of 2872	2184	WScript.exe	cmd.exe
PID 2872 wrote to memory of 2148	2872	cmd.exe	Local Security Authority Process.exe
PID 2872 wrote to memory of 2148	2872	cmd.exe	Local Security Authority Process.exe
PID 2872 wrote to memory of 2148	2872	cmd.exe	Local Security Authority Process.exe
PID 2872 wrote to memory of 2148	2872	cmd.exe	Local Security Authority Process.exe
PID 2148 wrote to memory of 580	2148	Local Security Authority Process.exe	csc.exe
PID 2148 wrote to memory of 580	2148	Local Security Authority Process.exe	csc.exe
PID 2148 wrote to memory of 580	2148	Local Security Authority Process.exe	csc.exe
PID 580 wrote to memory of 3056	580	csc.exe	cvtres.exe
PID 580 wrote to memory of 3056	580	csc.exe	cvtres.exe
PID 580 wrote to memory of 3056	580	csc.exe	cvtres.exe
PID 2148 wrote to memory of 1636	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1636	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1636	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 2420	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 2420	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 2420	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1244	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1244	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1244	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1052	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1052	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1052	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1932	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1932	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1932	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1000	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1000	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1000	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 680	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 680	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 680	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 456	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 456	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 456	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 388	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 388	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 388	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1944	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1944	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1944	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1488	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1488	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1488	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1724	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1724	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1724	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 2476	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 2476	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 2476	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 2020	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 2020	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 2020	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 568	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 568	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 568	2148	Local Security Authority Process.exe	powershell.exe
PID 2148 wrote to memory of 1992	2148	Local Security Authority Process.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exe
"C:\Users\Admin\AppData\Local\Temp\e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft/Local Security Authority Process.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h1ugpcqy\h1ugpcqy.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:580
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp" "c:\Windows\System32\CSC7CDD1307E47649F298158A29485B2620.TMP"
        6⤵
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb39RGiKTM.bat"
        5⤵
        
        PID:1940
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1916
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2424
      - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp

Filesize
1KB

MD5
94445c7fc978debc3ba5f5757c417070

SHA1
5703e538e8be4fc017346bafb152939bd50d6245

SHA256
f394ea6c678d28f6cf87f9e3b433496be40a14b4bc84b797cf154c9f9da8d322

SHA512
72e2cad8181bfc68e018a59c44bbce528f482bf72e98521a843a0a9db3eec897f9c1b35b2199d5532fab4e44d8b1ee89870be62501cc01e20cddf41237482fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nb39RGiKTM.bat

Filesize
236B

MD5
b90d5b11cf6cc3ab12db0620e7202028

SHA1
80a0a6da1c455c0322f4aefb293273ed050685bf

SHA256
57fa3ed4bdf75c8a9710bdc97afb8988a51c2cdab29a14218b8fbfe069777fce

SHA512
77c2f01101dc0138fcb740d83cc901b209185ff01e495e6f60b71d30c71d0b370970a46af149339d73f369863bc858c45114ddbd91eaeaa2d57331f4d50d35f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe

Filesize
1.9MB

MD5
4ba31fe7c90af2148e83fe198cf99d7b

SHA1
bd86eece0e892752950a13282cb323e0775ecae4

SHA256
196706cf85ccf38343444deecaeaced58faf7c22963fe45aaa8ea9938fe19a0e

SHA512
79991360ad8d5c8968f2aa4836b3b7b39074c99ad28aa25cc69931c4bdf2115921042d818d4cc319984cfa0ed8a9ee015506f3b4b8c026aeda82c5b03a5328f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48594c26c2717043d04c58c8913cbc00

SHA1
4ed03edc1037d5831ca35996227f223dcb1c737f

SHA256
adddc854568dac8d0227974dee2a2b290cfdb6bdefba1ffaf7b498b8fd7de374

SHA512
2aefda6a7b0c0da195b62cfe2ed690b37dd2a695c17ffab91aa5a2c0ce6bde56d72f9d28988f1d5560840c542e5a67778932a7a08328698440cb5d6ff6466788

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat

Filesize
93B

MD5
fb55729d3f331e20fb5c1e5377634743

SHA1
ad5d1b461d7608598e2683d66eeee3c2a38c625f

SHA256
8603cadb532a5ab019b7f07a2c9652905a459f88c8cfe74d387f0d9594f323c9

SHA512
2ed609b4ad5d0d9da2d12c12947091e0ce2937a12856d95979a7d2c4248b1d5244e5fc3616d0be8a1fd8febc888eeb0bb6fe08fe38a359ceb2345510645d1870

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe

Filesize
245B

MD5
dde897c67a0ad3384e01f44658e986d0

SHA1
51e5a863d22d2305da3d6e82ed2da727a6db5ffa

SHA256
f3ea38d1aea5a693f1b87b3d1152f8a1de82391b34e2061ee0fbb29f2ec6dc57

SHA512
901990365c1539d432871ef01d36261f537e0928e3afbd93f0833d04355a55464dbe2ca07c59d7d495bb93ad0bf73ed33db748e5856d75941c18f232503c1892

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h1ugpcqy\h1ugpcqy.0.cs

Filesize
399B

MD5
04a63964b5fc49aee332c1e403c03dab

SHA1
a79ce356e7f9db0e467568cf87d41c4935186dfc

SHA256
b450e2a36bc63080a1f3bd84faf731d11fe85f6de9b52c2d9082863fbd294656

SHA512
97e0a204e1b13b3e96be4402a45cb02b2b114e738e346bfb3b0ea80385127f8e8f32dac5c77f968506d2560ee90bd84029f19ac1e7fb061692fb658dd11784fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h1ugpcqy\h1ugpcqy.cmdline

Filesize
235B

MD5
21d850e2905f570bf95faaa3f77c09e3

SHA1
152bb352dda28517cf55c49c1e60f1c0785717b6

SHA256
4c05a9b69a1458903ed3498e51ed7d69f1a038c9a190deb6529d8a44a4fd7e7d

SHA512
d82533c154b6c54494abfac72236661f87638ed593483e140b50966c983b31c4ef95e116768a93e26d6e5e8a6daae0ab5d9387a41ffcb7839ccd1c2b1734995a

Download Submit
\??\c:\Windows\System32\CSC7CDD1307E47649F298158A29485B2620.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
memory/920-70-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2020-91-0x0000000001CD0000-0x0000000001CD8000-memory.dmp

Filesize
32KB

Download
memory/2148-15-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2148-25-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2148-23-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2148-21-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2148-19-0x0000000000A10000-0x0000000000A28000-memory.dmp

Filesize
96KB

Download
memory/2148-17-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2148-13-0x0000000000C80000-0x0000000000E68000-memory.dmp

Filesize
1.9MB

Download
memory/2824-144-0x0000000000A40000-0x0000000000C28000-memory.dmp

Filesize
1.9MB

Download