warzonerat | 538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a

Analysis

max time kernel
42s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
13-07-2021 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd10f0c6c5a43d2280e8ae8b610b8912.exe
Size

465KB
MD5

dd10f0c6c5a43d2280e8ae8b610b8912
SHA1

7f5c5806316149520f1c34ea22178ee3ee62dc72
SHA256

538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a
SHA512

cab30d141ee3e71039f28dfea38474bac6127284cb7c885156943124023db498050555a3b6b409a45b2657fb04f24efc5aa3032e7f8162c2340ca95d7ba4651e

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3528	powershell.exe
184	powershell.exe
3528	powershell.exe
184	powershell.exe
3760	powershell.exe
3760	powershell.exe
184	powershell.exe
3528	powershell.exe
388	powershell.exe
3760	powershell.exe
388	powershell.exe
1308	powershell.exe
3936	powershell.exe
388	powershell.exe
1308	powershell.exe
3684	powershell.exe
4220	powershell.exe
4220	powershell.exe
3936	powershell.exe
3936	powershell.exe
1308	powershell.exe
1308	powershell.exe
3684	powershell.exe
3684	powershell.exe
4432	powershell.exe
4432	powershell.exe
4220	powershell.exe
3936	powershell.exe
4644	powershell.exe
4644	powershell.exe
3684	powershell.exe
4432	powershell.exe
4220	powershell.exe
4836	powershell.exe
4836	powershell.exe
5004	powershell.exe
5004	powershell.exe
4644	powershell.exe
4432	powershell.exe
4432	powershell.exe
4212	powershell.exe
4212	powershell.exe
4836	powershell.exe
4632	powershell.exe
4632	powershell.exe
5004	powershell.exe
5044	powershell.exe
5044	powershell.exe
4644	powershell.exe
4644	powershell.exe
4836	powershell.exe
4836	powershell.exe
4212	powershell.exe
4688	powershell.exe
4688	powershell.exe
4400	powershell.exe
4400	powershell.exe
5004	powershell.exe
5004	powershell.exe
4632	powershell.exe
4632	powershell.exe
5044	powershell.exe
5284	powershell.exe
5284	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeIncreaseQuotaPrivilege	3528	powershell.exe
Token: SeSecurityPrivilege	3528	powershell.exe
Token: SeTakeOwnershipPrivilege	3528	powershell.exe
Token: SeLoadDriverPrivilege	3528	powershell.exe
Token: SeSystemProfilePrivilege	3528	powershell.exe
Token: SeSystemtimePrivilege	3528	powershell.exe
Token: SeProfSingleProcessPrivilege	3528	powershell.exe
Token: SeIncBasePriorityPrivilege	3528	powershell.exe
Token: SeCreatePagefilePrivilege	3528	powershell.exe
Token: SeBackupPrivilege	3528	powershell.exe
Token: SeRestorePrivilege	3528	powershell.exe
Token: SeShutdownPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeSystemEnvironmentPrivilege	3528	powershell.exe
Token: SeRemoteShutdownPrivilege	3528	powershell.exe
Token: SeUndockPrivilege	3528	powershell.exe
Token: SeManageVolumePrivilege	3528	powershell.exe
Token: 33	3528	powershell.exe
Token: 34	3528	powershell.exe
Token: 35	3528	powershell.exe
Token: 36	3528	powershell.exe
Token: SeIncreaseQuotaPrivilege	184	powershell.exe
Token: SeSecurityPrivilege	184	powershell.exe
Token: SeTakeOwnershipPrivilege	184	powershell.exe
Token: SeLoadDriverPrivilege	184	powershell.exe
Token: SeSystemProfilePrivilege	184	powershell.exe
Token: SeSystemtimePrivilege	184	powershell.exe
Token: SeProfSingleProcessPrivilege	184	powershell.exe
Token: SeIncBasePriorityPrivilege	184	powershell.exe
Token: SeCreatePagefilePrivilege	184	powershell.exe
Token: SeBackupPrivilege	184	powershell.exe
Token: SeRestorePrivilege	184	powershell.exe
Token: SeShutdownPrivilege	184	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeSystemEnvironmentPrivilege	184	powershell.exe
Token: SeRemoteShutdownPrivilege	184	powershell.exe
Token: SeUndockPrivilege	184	powershell.exe
Token: SeManageVolumePrivilege	184	powershell.exe
Token: 33	184	powershell.exe
Token: 34	184	powershell.exe
Token: 35	184	powershell.exe
Token: 36	184	powershell.exe
Token: SeIncreaseQuotaPrivilege	3760	powershell.exe
Token: SeSecurityPrivilege	3760	powershell.exe
Token: SeTakeOwnershipPrivilege	3760	powershell.exe
Token: SeLoadDriverPrivilege	3760	powershell.exe
Token: SeSystemProfilePrivilege	3760	powershell.exe
Token: SeSystemtimePrivilege	3760	powershell.exe
Token: SeProfSingleProcessPrivilege	3760	powershell.exe
Token: SeIncBasePriorityPrivilege	3760	powershell.exe
Token: SeCreatePagefilePrivilege	3760	powershell.exe
Token: SeBackupPrivilege	3760	powershell.exe
Token: SeRestorePrivilege	3760	powershell.exe
Token: SeShutdownPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeSystemEnvironmentPrivilege	3760	powershell.exe
Token: SeRemoteShutdownPrivilege	3760	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd10f0c6c5a43d2280e8ae8b610b8912.exe

description	pid	process	target process
PID 568 wrote to memory of 3528	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3528	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3528	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 184	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 184	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 184	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3760	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3760	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3760	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 388	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 388	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 388	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 1308	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 1308	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 1308	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3936	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3936	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3936	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3684	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3684	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 3684	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4220	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4220	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4220	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4432	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4432	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4432	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4644	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4644	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4644	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4836	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4836	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4836	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5004	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5004	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5004	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4212	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4212	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4212	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4632	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4632	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4632	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5044	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5044	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5044	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4688	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4688	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4688	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4400	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4400	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 4400	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5284	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5284	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5284	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5556	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5556	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5556	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5856	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5856	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5856	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 6132	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 6132	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 6132	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe
PID 568 wrote to memory of 5364	568	dd10f0c6c5a43d2280e8ae8b610b8912.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\dd10f0c6c5a43d2280e8ae8b610b8912.exe
"C:\Users\Admin\AppData\Local\Temp\dd10f0c6c5a43d2280e8ae8b610b8912.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:6132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\dd10f0c6c5a43d2280e8ae8b610b8912.exe
C:\Users\Admin\AppData\Local\Temp\dd10f0c6c5a43d2280e8ae8b610b8912.exe
2⤵
PID:5688

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:6648

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
PID:4556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:7100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:5688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:5720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:7196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:7444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:7692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:7940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:8164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:7464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:7756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:8160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:7552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:8052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:6788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:7252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
PID:8632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:8972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
dd10f0c6c5a43d2280e8ae8b610b8912

SHA1
7f5c5806316149520f1c34ea22178ee3ee62dc72

SHA256
538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a

SHA512
cab30d141ee3e71039f28dfea38474bac6127284cb7c885156943124023db498050555a3b6b409a45b2657fb04f24efc5aa3032e7f8162c2340ca95d7ba4651e

Download Submit
C:\ProgramData\svchost.exe
MD5
dd10f0c6c5a43d2280e8ae8b610b8912

SHA1
7f5c5806316149520f1c34ea22178ee3ee62dc72

SHA256
538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a

SHA512
cab30d141ee3e71039f28dfea38474bac6127284cb7c885156943124023db498050555a3b6b409a45b2657fb04f24efc5aa3032e7f8162c2340ca95d7ba4651e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
dd10f0c6c5a43d2280e8ae8b610b8912

SHA1
7f5c5806316149520f1c34ea22178ee3ee62dc72

SHA256
538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a

SHA512
cab30d141ee3e71039f28dfea38474bac6127284cb7c885156943124023db498050555a3b6b409a45b2657fb04f24efc5aa3032e7f8162c2340ca95d7ba4651e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
dd10f0c6c5a43d2280e8ae8b610b8912

SHA1
7f5c5806316149520f1c34ea22178ee3ee62dc72

SHA256
538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a

SHA512
cab30d141ee3e71039f28dfea38474bac6127284cb7c885156943124023db498050555a3b6b409a45b2657fb04f24efc5aa3032e7f8162c2340ca95d7ba4651e

Download Submit
memory/184-135-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/184-153-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/184-127-0x0000000000000000-mapping.dmp

Download
memory/184-208-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/184-210-0x0000000008B80000-0x0000000008B81000-memory.dmp

Filesize
4KB

Download
memory/184-137-0x0000000000A22000-0x0000000000A23000-memory.dmp

Filesize
4KB

Download
memory/184-206-0x0000000008BF0000-0x0000000008BF1000-memory.dmp

Filesize
4KB

Download
memory/184-362-0x0000000000A23000-0x0000000000A24000-memory.dmp

Filesize
4KB

Download
memory/184-144-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/388-164-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/388-171-0x0000000007432000-0x0000000007433000-memory.dmp

Filesize
4KB

Download
memory/388-468-0x0000000007433000-0x0000000007434000-memory.dmp

Filesize
4KB

Download
memory/388-157-0x0000000000000000-mapping.dmp

Download
memory/568-116-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/568-119-0x0000000004CF0000-0x00000000051EE000-memory.dmp

Filesize
5.0MB

Download
memory/568-117-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/568-118-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/568-114-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/568-120-0x0000000004CF0000-0x00000000051EE000-memory.dmp

Filesize
5.0MB

Download
memory/1308-168-0x0000000000000000-mapping.dmp

Download
memory/1308-186-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/1308-187-0x00000000041F2000-0x00000000041F3000-memory.dmp

Filesize
4KB

Download
memory/1308-533-0x00000000041F3000-0x00000000041F4000-memory.dmp

Filesize
4KB

Download
memory/3172-800-0x0000000000000000-mapping.dmp

Download
memory/3528-134-0x0000000007202000-0x0000000007203000-memory.dmp

Filesize
4KB

Download
memory/3528-331-0x0000000007203000-0x0000000007204000-memory.dmp

Filesize
4KB

Download
memory/3528-121-0x0000000000000000-mapping.dmp

Download
memory/3528-124-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/3528-125-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/3528-126-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/3528-129-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/3528-146-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/3528-132-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/3528-141-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/3528-136-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/3684-769-0x00000000048F3000-0x00000000048F4000-memory.dmp

Filesize
4KB

Download
memory/3684-227-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/3684-226-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/3684-196-0x0000000000000000-mapping.dmp

Download
memory/3760-143-0x0000000000000000-mapping.dmp

Download
memory/3760-162-0x0000000006C52000-0x0000000006C53000-memory.dmp

Filesize
4KB

Download
memory/3760-367-0x0000000006C53000-0x0000000006C54000-memory.dmp

Filesize
4KB

Download
memory/3760-161-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/3936-199-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3936-690-0x0000000004E23000-0x0000000004E24000-memory.dmp

Filesize
4KB

Download
memory/3936-200-0x0000000004E22000-0x0000000004E23000-memory.dmp

Filesize
4KB

Download
memory/3936-183-0x0000000000000000-mapping.dmp

Download
memory/4212-308-0x0000000000000000-mapping.dmp

Download
memory/4212-353-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/4212-355-0x0000000004682000-0x0000000004683000-memory.dmp

Filesize
4KB

Download
memory/4220-789-0x0000000004E53000-0x0000000004E54000-memory.dmp

Filesize
4KB

Download
memory/4220-243-0x0000000004E52000-0x0000000004E53000-memory.dmp

Filesize
4KB

Download
memory/4220-242-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4220-222-0x0000000000000000-mapping.dmp

Download
memory/4400-464-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/4400-411-0x0000000000000000-mapping.dmp

Download
memory/4400-474-0x0000000006BB2000-0x0000000006BB3000-memory.dmp

Filesize
4KB

Download
memory/4432-240-0x0000000000000000-mapping.dmp

Download
memory/4432-265-0x0000000000AD2000-0x0000000000AD3000-memory.dmp

Filesize
4KB

Download
memory/4432-263-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4556-806-0x0000000000000000-mapping.dmp

Download
memory/4556-834-0x0000000005A01000-0x0000000005A02000-memory.dmp

Filesize
4KB

Download
memory/4556-861-0x0000000005A12000-0x0000000005A13000-memory.dmp

Filesize
4KB

Download
memory/4632-327-0x0000000000000000-mapping.dmp

Download
memory/4632-366-0x0000000004422000-0x0000000004423000-memory.dmp

Filesize
4KB

Download
memory/4632-360-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/4644-279-0x0000000006C12000-0x0000000006C13000-memory.dmp

Filesize
4KB

Download
memory/4644-277-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/4644-258-0x0000000000000000-mapping.dmp

Download
memory/4688-382-0x0000000000000000-mapping.dmp

Download
memory/4688-458-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/4688-453-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4836-296-0x0000000006A72000-0x0000000006A73000-memory.dmp

Filesize
4KB

Download
memory/4836-275-0x0000000000000000-mapping.dmp

Download
memory/4836-293-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/5004-289-0x0000000000000000-mapping.dmp

Download
memory/5004-311-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/5004-312-0x00000000041E2000-0x00000000041E3000-memory.dmp

Filesize
4KB

Download
memory/5044-395-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/5044-349-0x0000000000000000-mapping.dmp

Download
memory/5044-402-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/5284-524-0x0000000006AB2000-0x0000000006AB3000-memory.dmp

Filesize
4KB

Download
memory/5284-452-0x0000000000000000-mapping.dmp

Download
memory/5284-521-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/5364-637-0x0000000007382000-0x0000000007383000-memory.dmp

Filesize
4KB

Download
memory/5364-635-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/5364-578-0x0000000000000000-mapping.dmp

Download
memory/5556-491-0x0000000000000000-mapping.dmp

Download
memory/5556-538-0x0000000004602000-0x0000000004603000-memory.dmp

Filesize
4KB

Download
memory/5556-529-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/5596-688-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/5596-687-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/5596-638-0x0000000000000000-mapping.dmp

Download
memory/5660-663-0x0000000000000000-mapping.dmp

Download
memory/5660-719-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/5660-722-0x0000000006B92000-0x0000000006B93000-memory.dmp

Filesize
4KB

Download
memory/5688-758-0x0000000000405E28-mapping.dmp

Download
memory/5688-1018-0x0000000000000000-mapping.dmp

Download
memory/5688-771-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/5720-1055-0x0000000000000000-mapping.dmp

Download
memory/5740-658-0x00000000049C2000-0x00000000049C3000-memory.dmp

Filesize
4KB

Download
memory/5740-655-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/5740-609-0x0000000000000000-mapping.dmp

Download
memory/5752-1425-0x0000000000000000-mapping.dmp

Download
memory/5856-582-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/5856-586-0x0000000006B12000-0x0000000006B13000-memory.dmp

Filesize
4KB

Download
memory/5856-522-0x0000000000000000-mapping.dmp

Download
memory/6132-614-0x00000000067B2000-0x00000000067B3000-memory.dmp

Filesize
4KB

Download
memory/6132-610-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/6132-557-0x0000000000000000-mapping.dmp

Download
memory/6196-950-0x0000000000000000-mapping.dmp

Download
memory/6244-973-0x0000000000000000-mapping.dmp

Download
memory/6428-862-0x0000000000000000-mapping.dmp

Download
memory/6428-903-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/6508-1093-0x0000000000000000-mapping.dmp

Download
memory/6520-1077-0x0000000000000000-mapping.dmp

Download
memory/6604-880-0x0000000000000000-mapping.dmp

Download
memory/6620-1037-0x0000000000000000-mapping.dmp

Download
memory/6648-886-0x0000000000000000-mapping.dmp

Download
memory/6788-1375-0x0000000000000000-mapping.dmp

Download
memory/6840-996-0x0000000000000000-mapping.dmp

Download
memory/6844-907-0x0000000000000000-mapping.dmp

Download
memory/7100-928-0x0000000000000000-mapping.dmp

Download
memory/7196-1123-0x0000000000000000-mapping.dmp

Download
memory/7252-1402-0x0000000000000000-mapping.dmp

Download
memory/7444-1148-0x0000000000000000-mapping.dmp

Download
memory/7464-1258-0x0000000000000000-mapping.dmp

Download
memory/7552-1329-0x0000000000000000-mapping.dmp

Download
memory/7692-1184-0x0000000000000000-mapping.dmp

Download
memory/7756-1286-0x0000000000000000-mapping.dmp

Download
memory/7940-1208-0x0000000000000000-mapping.dmp

Download
memory/8052-1346-0x0000000000000000-mapping.dmp

Download
memory/8160-1310-0x0000000000000000-mapping.dmp

Download
memory/8164-1233-0x0000000000000000-mapping.dmp

Download
memory/8632-1489-0x0000000000405E28-mapping.dmp

Download
memory/8972-1533-0x0000000000000000-mapping.dmp

Download