dcrat | 1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Size

1.9MB
MD5

447eece2bd8956409434aa2a41f94c23
SHA1

bce3ace0ee29acf1b7e2e957aeacdbdeccb9537f
SHA256

1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8
SHA512

f7ea67a4fcc417381002c0f991c1d3910468b62a1d7ecd797d24bffdce4e609c2a29eb9889aacecf7932f3ad816ccb4f1df6b6d62ba1ed2499d48a42008e49ec
SSDEEP

49152:zES0GzPDPtGUE/Nb8HdX+rKXJyCnKhgLn0Hcx:zES0qybydXUyfK2LCM

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\wininit.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\sppsvc.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\audiodg.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2080	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2172	powershell.exe
2168	powershell.exe
2276	powershell.exe
2200	powershell.exe
2396	powershell.exe
2072	powershell.exe
1568	powershell.exe
896	powershell.exe
3012	powershell.exe
692	powershell.exe
644	powershell.exe
2288	powershell.exe
1448	powershell.exe
2056	powershell.exe
2680	powershell.exe
2400	powershell.exe
2092	powershell.exe
2328	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1268	spoolsv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\audiodg.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\wininit.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Common Files\\Services\\sppsvc.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Common Files\\Services\\sppsvc.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\audiodg.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\wininit.exe\""	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC846DE14B5CDE446686DEF280B3DE9C7.TMP	csc.exe
File created	\??\c:\Windows\System32\_f1q_j.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Services\sppsvc.exe	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
File created	C:\Program Files (x86)\Common Files\Services\0a1fd5f707cd16	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
File created	C:\Program Files\VideoLAN\wininit.exe	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
File created	C:\Program Files\VideoLAN\56085415360792	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\de-DE\dwm.exe	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2216	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2216	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
772	schtasks.exe
2608	schtasks.exe
1940	schtasks.exe
2160	schtasks.exe
828	schtasks.exe
2872	schtasks.exe
1256	schtasks.exe
1840	schtasks.exe
476	schtasks.exe
532	schtasks.exe
2044	schtasks.exe
2148	schtasks.exe
2360	schtasks.exe
784	schtasks.exe
2896	schtasks.exe
2520	schtasks.exe
2776	schtasks.exe
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1268	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2876	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	34
PID 2424 wrote to memory of 2876	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	34
PID 2424 wrote to memory of 2876	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	34
PID 2876 wrote to memory of 2720	2876	csc.exe	36
PID 2876 wrote to memory of 2720	2876	csc.exe	36
PID 2876 wrote to memory of 2720	2876	csc.exe	36
PID 2424 wrote to memory of 2200	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	52
PID 2424 wrote to memory of 2200	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	52
PID 2424 wrote to memory of 2200	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	52
PID 2424 wrote to memory of 2288	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	53
PID 2424 wrote to memory of 2288	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	53
PID 2424 wrote to memory of 2288	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	53
PID 2424 wrote to memory of 2276	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	54
PID 2424 wrote to memory of 2276	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	54
PID 2424 wrote to memory of 2276	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	54
PID 2424 wrote to memory of 2092	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	55
PID 2424 wrote to memory of 2092	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	55
PID 2424 wrote to memory of 2092	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	55
PID 2424 wrote to memory of 2400	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	56
PID 2424 wrote to memory of 2400	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	56
PID 2424 wrote to memory of 2400	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	56
PID 2424 wrote to memory of 896	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	57
PID 2424 wrote to memory of 896	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	57
PID 2424 wrote to memory of 896	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	57
PID 2424 wrote to memory of 2172	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	59
PID 2424 wrote to memory of 2172	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	59
PID 2424 wrote to memory of 2172	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	59
PID 2424 wrote to memory of 2056	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	60
PID 2424 wrote to memory of 2056	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	60
PID 2424 wrote to memory of 2056	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	60
PID 2424 wrote to memory of 1448	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	62
PID 2424 wrote to memory of 1448	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	62
PID 2424 wrote to memory of 1448	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	62
PID 2424 wrote to memory of 2396	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	64
PID 2424 wrote to memory of 2396	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	64
PID 2424 wrote to memory of 2396	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	64
PID 2424 wrote to memory of 2680	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	65
PID 2424 wrote to memory of 2680	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	65
PID 2424 wrote to memory of 2680	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	65
PID 2424 wrote to memory of 2072	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	66
PID 2424 wrote to memory of 2072	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	66
PID 2424 wrote to memory of 2072	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	66
PID 2424 wrote to memory of 2168	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	67
PID 2424 wrote to memory of 2168	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	67
PID 2424 wrote to memory of 2168	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	67
PID 2424 wrote to memory of 3012	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	68
PID 2424 wrote to memory of 3012	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	68
PID 2424 wrote to memory of 3012	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	68
PID 2424 wrote to memory of 1568	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	69
PID 2424 wrote to memory of 1568	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	69
PID 2424 wrote to memory of 1568	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	69
PID 2424 wrote to memory of 2328	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	70
PID 2424 wrote to memory of 2328	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	70
PID 2424 wrote to memory of 2328	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	70
PID 2424 wrote to memory of 644	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	71
PID 2424 wrote to memory of 644	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	71
PID 2424 wrote to memory of 644	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	71
PID 2424 wrote to memory of 692	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	72
PID 2424 wrote to memory of 692	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	72
PID 2424 wrote to memory of 692	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	72
PID 2424 wrote to memory of 2668	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	88
PID 2424 wrote to memory of 2668	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	88
PID 2424 wrote to memory of 2668	2424	1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe	88
PID 2668 wrote to memory of 1704	2668	cmd.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
"C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c0s1ve3u\c0s1ve3u.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7D3.tmp" "c:\Windows\System32\CSC846DE14B5CDE446686DEF280B3DE9C7.TMP"
    3⤵
    PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZxX24fve0K.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1704
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2216
- - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe
    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd81" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd81" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\wininit.exe

Filesize
1.9MB

MD5
447eece2bd8956409434aa2a41f94c23

SHA1
bce3ace0ee29acf1b7e2e957aeacdbdeccb9537f

SHA256
1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8

SHA512
f7ea67a4fcc417381002c0f991c1d3910468b62a1d7ecd797d24bffdce4e609c2a29eb9889aacecf7932f3ad816ccb4f1df6b6d62ba1ed2499d48a42008e49ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7D3.tmp

Filesize
1KB

MD5
2e6e36ddac1f48c4510ac5d6aea98609

SHA1
83eb90ba42b3c5901a486fedf04cd8d909dce73a

SHA256
3324cba16b3f9856dde99a1c543795b2973a4b092c40336a2d4aa167d3a071dc

SHA512
5bd77e751fefa0559cbb7db06f44ec2cdb7984bc0c327517cfcc816af7910962ce2cf032831f298fd25626ac0ac8d215c80f7c28b002cc386df8b5ae4869ff13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZxX24fve0K.bat

Filesize
215B

MD5
30253d741ec559cdc2c6a2933c7547b6

SHA1
b323ffcd6778245153e5c89fc29ccb2ba36f6cfb

SHA256
8b0aebf1d9a695068a1d3cf5ba0d147c091ed41dc4a3ad0379b99861fd467c51

SHA512
908e234a7e829ee32086e8be5a8ee4336de8d30d2846a23d92acf6ed8de01e4eb7b93f1e8a0a695dc887faa92c0c6a4d66feeb47f89e3225f1b8094e2909fbd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bddf9751d7b6d3714b3764ace50de482

SHA1
9a294d8e03758bd6ecabcd632b63b3b934a1e0d1

SHA256
e0c9e75c713a925c2f7cb3145460c7a7b2b14899d337190160e3e86c68d83830

SHA512
2fea71e9763945662bc52a3fdf72ea0a112931cf0102d347b3118fd015083630dab6175a07182072d6084f5a90d288e55b2a475df586ac82003c8b20f691d563

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c0s1ve3u\c0s1ve3u.0.cs

Filesize
369B

MD5
9f18a74d1d7e9ac4d4e4aefb55629ff9

SHA1
e8612937de393fa11a860ea781ba93788e15e7ff

SHA256
1b6ae32d4704c0a8ebe566851cc7e262dee75e1aef5d63fbd3817f6ed15f4e1c

SHA512
0632d833f3e3d9c41afc52349fd5bdf93f3fc8cdfa754d03f79cc8a0269d47210f9cbd38c04c773192c5c27cd7ebe6511b5a9fe6e233cc8709102199acf1ab93

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c0s1ve3u\c0s1ve3u.cmdline

Filesize
235B

MD5
5be107c9d23bb6be1d9b373212a084fc

SHA1
b8844bd511c3d5ef71ceea43b0fa7429c6856290

SHA256
133443530e94b8c324551b5425d1b13983a8616817904737ce8c6e4704a818e6

SHA512
2f0e49764f3d5feddab01344f133df16aa5c9e34a88f8436e2000408e12aea0d56eaa29f0c5116a731f44667855f30ff1a2f0083c4b7988ae54d9bbd1bdcb405

Download Submit
\??\c:\Windows\System32\CSC846DE14B5CDE446686DEF280B3DE9C7.TMP

Filesize
1KB

MD5
fccbcfaf29fdccaabada579f7aaf3ae7

SHA1
f9b179b6aab6b96908d89b35aab3f503478a956d

SHA256
e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

SHA512
ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

Download Submit
memory/644-83-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/644-82-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1268-148-0x0000000000CC0000-0x0000000000EB8000-memory.dmp

Filesize
2.0MB

Download
memory/2424-9-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2424-36-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-20-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2424-19-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-21-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-25-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-15-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2424-34-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-35-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-17-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/2424-13-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2424-11-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/2424-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/2424-7-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-6-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2424-4-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-84-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-3-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-1-0x0000000001140000-0x0000000001338000-memory.dmp

Filesize
2.0MB

Download