hxxps://cylgfcnmnhpodyjrjwp6lkq63xdxmai2lbsdvsgt6osph56vy-ipfs-w3s-linkdtranslatedgoog/jadhtml?_x_tr_hp=bafybeie7b&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#chandler-oikjd@ploikdcom

Analysis

max time kernel
210s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cylgfcnmnhpodyjrjwp6lkq63xdxmai2lbsdvsgt6osph56vy-ipfs-w3s-linkdtranslatedgoog/jadhtml?_x_tr_hp=bafybeie7b&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#chandler-oikjd@ploikdcom

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\NDF\{C950265B-D9AF-42C7-93C3-EE7A3CDE62B4}-temp-04112023-0339.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{C950265B-D9AF-42C7-93C3-EE7A3CDE62B4}-temp-04112023-0339.etl	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{5ebb5ed6-9b48-4650-9bd3-9e5a43721d2d}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-144354903-2550862337-1367551827-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-144354903-2550862337-1367551827-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{5ebb5ed6-9b48-4650-9bd3-9e5a43721d2d}\snapshot.etl	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4020	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{535F1800-D81A-11ED-8FFF-7E7B9EA57A36} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "675692904"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e077e729276cd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = 814df430276cd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026215"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387949285"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "690848823"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000b4e201bdad6b41e0e590e9ca4c254f678d2439e02cda9bbb52c0e8a4d216a18c000000000e8000000002000020000000253fe0f702037f23cd8568af8f495ec3fcef139a5ca747a5e15878ecee47264e20000000d36b66dd76e78bbe0331b68c3fc4f09266c82b8e1bcc4b353e6901c53b50377b400000003a6a492590c6055f9ebca2e1b9f040b6d8bb6f7bbe4abeafe2aae28a67617668303f4eaf32fb6a974e6ff29a6c833f9b419f925f137474cf8442fac964e6952a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0cf1031276cd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "675692904"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31026215"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b000000000200000000001066000000010000200000000b62380a15f86333d01d8d7c518f80fa83bacae8e376d2cbe0e8b8a771b3bd6c000000000e8000000002000020000000e61dc9042efc6056040e313a6ec2e25acc7cac9a66d2cee834750f4f506378ae20000000206543c49651df146a553d9f75a9941a7baa1f5967d4a116cf33fc49ac7e1ad5400000004d0eeb4be2b6f617a31a9ab548ddd660dfc67e8aff9099a150978a923787b24eb72e42478ff2481d13a3571cef272bb01bb0124e1ca7804a51512f2e7fa7deca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b019f829276cd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026215"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000beedc52d2fc20e003fd8001bbc8e3731b4cbae817904242947f5b77746dfd5b5000000000e800000000200002000000012ff02b06b7c0fd500335a953701b57f81821a29b2b691441a1150dc5ce83bec2000000015838da3b55aa31feb3b0961357bc60c2fdfb529f6efd4a993ebc1b9dd6633904000000089a38fefe29ab0a7eb904b9e5b777ec89f6f5c33f4c0c152bd8202cde6daa5e9a2d9b49a612ada79dc7ca206d7d87e9b9241e65182351729e6bc010f6bb31cdd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000526015236c4a6a90387aa4779148eebd99d4112de2285805a04902c68e769f9d000000000e8000000002000020000000bd3842fe2e0c6468b78b457d6208163acbb874dd2681266eccda4b6ef44a412b200000004c413e5b456bab2de8d9c9c15dff59d98ca094a8dcd73564a27d7ac30886ee2340000000d5cc4472d0fe01645b22ecb6863e783cec1ca78f45ece6a4e2e62499218c4c473b2dd866ba3232295dd4e6a115ca76672f25b78aa00f5a12cb023bfb8398a6e3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30adbd2d276cd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "https://cylgfcnmnhpodyjrjwp6lkq63xdxmai2lbsdvsgt6osph56vy-ipfs-w3s-linkdtranslatedgoog/jadhtml?_x_tr_hp=bafybeie7b&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#chandler-oikjd@ploikdcom"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3096	sdiagnhost.exe
3096	sdiagnhost.exe
1668	svchost.exe
1668	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4056	iexplore.exe
3820	msdt.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4056	iexplore.exe
4056	iexplore.exe
4148	IEXPLORE.EXE
4148	IEXPLORE.EXE
4148	IEXPLORE.EXE
4148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4148	4056	iexplore.exe	87
PID 4056 wrote to memory of 4148	4056	iexplore.exe	87
PID 4056 wrote to memory of 4148	4056	iexplore.exe	87
PID 4148 wrote to memory of 3820	4148	IEXPLORE.EXE	93
PID 4148 wrote to memory of 3820	4148	IEXPLORE.EXE	93
PID 4148 wrote to memory of 3820	4148	IEXPLORE.EXE	93
PID 3096 wrote to memory of 2064	3096	sdiagnhost.exe	98
PID 3096 wrote to memory of 2064	3096	sdiagnhost.exe	98
PID 3096 wrote to memory of 2064	3096	sdiagnhost.exe	98
PID 3096 wrote to memory of 1364	3096	sdiagnhost.exe	104
PID 3096 wrote to memory of 1364	3096	sdiagnhost.exe	104
PID 3096 wrote to memory of 1364	3096	sdiagnhost.exe	104
PID 3096 wrote to memory of 4020	3096	sdiagnhost.exe	108
PID 3096 wrote to memory of 4020	3096	sdiagnhost.exe	108
PID 3096 wrote to memory of 4020	3096	sdiagnhost.exe	108
PID 3096 wrote to memory of 3012	3096	sdiagnhost.exe	109
PID 3096 wrote to memory of 3012	3096	sdiagnhost.exe	109
PID 3096 wrote to memory of 3012	3096	sdiagnhost.exe	109
PID 3096 wrote to memory of 3880	3096	sdiagnhost.exe	110
PID 3096 wrote to memory of 3880	3096	sdiagnhost.exe	110
PID 3096 wrote to memory of 3880	3096	sdiagnhost.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cylgfcnmnhpodyjrjwp6lkq63xdxmai2lbsdvsgt6osph56vy-ipfs-w3s-linkdtranslatedgoog/jadhtml?_x_tr_hp=bafybeie7b&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#chandler-oikjd@ploikdcom
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4056 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\msdt.exe
    -modal "524336" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFF11B.tmp" -ep "NetworkDiagnosticsWeb"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:3820

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:2064
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:1364
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:4020
- C:\Windows\SysWOW64\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:3012
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:3880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
PID:4788
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9d7d180f2de0b32edd9f9ba978b4eb0d

SHA1
9bf1008285df462813b1e16c7f8076cd51845ea9

SHA256
a15a3c7ba09d8274c9ac4af92269a12079065383d57b0db0fae614a2936ef64b

SHA512
77b7b8f810d51f1923a41838cfe1fde471b03bd65e571e422f9c8ed8eb00191e536a61d4f82f42c27c03df87d4e497abedef00156e24bedbc57f9f465e0bdf68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
e45957210a82b89e75a062fc125be1be

SHA1
5fbbf38206a71984fddd14faf7dbc71d99097ac6

SHA256
395893c096bede05140877cddaf2f2b2de2894669c5c77e92db09e4b348153b3

SHA512
c03745b9b352bf3a342a0d8f577eba54d88857df559527a42576a7a1e1551031fb094ae49bcb50fe5e799892ca8d24e156f9a91ae6df0fb3bb29ee29e33f58ed

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2023041103.000\NetworkDiagnostics.debugreport.xml

Filesize
210KB

MD5
5a04f866018a0795470eb8b552f465b9

SHA1
d6bb68f20cd06e2d432927dade0306e86b06b11c

SHA256
a5c458d4eaf357e555026b8b6b2441be18efccea85c9e3db0d6e0d5a32c9b8f4

SHA512
b7c21f2d1a4981e97e3c114f3f2773199d171bde5ac83f307702a490e1f760a2d4bfc517204f59a3017014c20a010932cfe756b6e4604671335b94e77f9c0b3d

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2023041103.000\ResultReport.xml

Filesize
37KB

MD5
67fca0a7b1fbc97e0b92700e06905884

SHA1
372c3643c650958adebc4f580442316ec31b7e07

SHA256
222b5ea0eead6cd12d09794c1ac8de1230e20e8541e0ad082f40f033a3a71f71

SHA512
90c88b00b2be49816b53279e3b574bd32e75d77e3063df7e6c7b1d671805b485660ca583d382fc65719d39a09eadbc08028e0793bc49457610c0633c7cfa9cb8

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2023041103.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\NetTraces\NdfSession-04112023-0339.etl

Filesize
192KB

MD5
87cd88b4d9d66adc8974268075f635ac

SHA1
c4ed62281217508a9a36662dfb931f1a73d3dfc0

SHA256
e7fc35c2c9be43339a8d64100faed86031ba1a60bb764c6a1039d1c75a776153

SHA512
672fcaa7ccaee9ec5c1b01eaaa6431e2b16613d5596cbb2dd5b906884e0991adc856dce9e9f5d6da5c1a9132439f4887a68e0340d7b5bf5ff846186ac27304ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFF11B.tmp

Filesize
4KB

MD5
135bf6938ca8d104205b87f5fd843c31

SHA1
77c201f9341ef52f0dee00786ab2a85749b4eb16

SHA256
78f651319371f0b42e10ac5857742b08e038b37a9042df0f9def4e921ed08f91

SHA512
3c0f292a370993d40c70f8601b7b0305a2d3d29e0718690c5d5595674b7ab047ae593791662766730bc6021505dccee79f9a72ba9fcacbd9a292c82c1edefa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tvejna5w.m5y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4314.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
9a279be117f62521e2c28d42d3543bac

SHA1
c0c49dceba2d86265d62801b427d552dfd3bf50c

SHA256
5ffe2e3e71885eabfbf26cc69ba0bc181037d85e9ca639cca5da4ee11df24597

SHA512
3e5054bcb9704ed81143ca838001ad692b8762f046d0e4c42daac047f85b82c46627ecebfe9d82a476cfa8d63a1e272072630355a7857cf6f0185848d722771b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4314.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4314.tmp\ipconfig.all.txt

Filesize
1KB

MD5
c25097654929c233c4bb1583472317d3

SHA1
9da2fafab3b390c8fd7aff3c06891a101f55d579

SHA256
f96bc3c58c1b6c8e70dcbbddc694b9714d3c43d65ca717f889b98bbe751b10d4

SHA512
25d5b5be794664de23bcd3bdf78d0ed4e7dbd2435befcb05526b33de920fee43411c6b9d19a0328cabdc38e425145138bd88b42aaacd2f094773de8fc01f0e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4314.tmp\route.print.txt

Filesize
4KB

MD5
763ada679c41dff8c14fc4ca68161c1d

SHA1
460abac62474083f7e23a2b963aba604e1787702

SHA256
cbc4d8616ec5a6011ee3d4ac743ae27add621811a8218d1bfba9261d0fe2f600

SHA512
79f3132fa3b5f32f9751ff3347ab58b2e5e386b4ff67b3698652bb567ac41e086a4ed143dd8d20032351366fd48e608a46f647a58c3573acd384ddc80db8d789

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4314.tmp\setup.inf

Filesize
978B

MD5
e3ecf71e6cb12693089462a71ab6e66b

SHA1
b47b544a89f9e903413a1b0c7a4eff61a302e1c2

SHA256
b88238d95e9ee445badc2ab7a9ec08fc042663ccf2acfe3658a6861a73528503

SHA512
f77889da5418c6e1df1076818724ba69dd74255c3fb278e7ac1ba54089e9c4b613facfba0cde190a2b7772f62739ce234e4ec8e668d66c3c9b540da6f8d74541

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4314.tmp\setup.rpt

Filesize
283B

MD5
e1d6ebcb7d32e7271ae3252b7732768d

SHA1
5bcec4f7d24bdee05ed6fd11ad464452d7a56e52

SHA256
3f3ddb3487eeac90c2ce6df31d1973e1271440a406a174e675e4f4cfcc7ea794

SHA512
09528c2603d772be1eef4faa1121e64e10c8eb88c8942e80787adfe10699f9d6082c7541f8649a7d90e3b73fd8c931eefa9b1989cee940527a4b994994621fb2

Download Submit
C:\Windows\TEMP\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\NetworkDiagnosticsResolve.ps1

Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\NetworkDiagnosticsVerify.ps1

Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\result\C950265B-D9AF-42C7-93C3-EE7A3CDE62B4.Diagnose.Admin.0.etl

Filesize
192KB

MD5
87cd88b4d9d66adc8974268075f635ac

SHA1
c4ed62281217508a9a36662dfb931f1a73d3dfc0

SHA256
e7fc35c2c9be43339a8d64100faed86031ba1a60bb764c6a1039d1c75a776153

SHA512
672fcaa7ccaee9ec5c1b01eaaa6431e2b16613d5596cbb2dd5b906884e0991adc856dce9e9f5d6da5c1a9132439f4887a68e0340d7b5bf5ff846186ac27304ed

Download Submit
C:\Windows\Temp\SDIAG_b14d2f0f-fe6d-496c-abed-d5794b6d0571\result\NetworkConfiguration.cab

Filesize
1KB

MD5
9a279be117f62521e2c28d42d3543bac

SHA1
c0c49dceba2d86265d62801b427d552dfd3bf50c

SHA256
5ffe2e3e71885eabfbf26cc69ba0bc181037d85e9ca639cca5da4ee11df24597

SHA512
3e5054bcb9704ed81143ca838001ad692b8762f046d0e4c42daac047f85b82c46627ecebfe9d82a476cfa8d63a1e272072630355a7857cf6f0185848d722771b

Download Submit
memory/1668-530-0x0000012DD45B0000-0x0000012DD45C0000-memory.dmp

Filesize
64KB

Download
memory/1668-667-0x0000012DDA2D0000-0x0000012DDA2D1000-memory.dmp

Filesize
4KB

Download
memory/1668-534-0x0000012DD4B00000-0x0000012DD4B10000-memory.dmp

Filesize
64KB

Download
memory/1668-676-0x0000012DD4F00000-0x0000012DD4F01000-memory.dmp

Filesize
4KB

Download
memory/1668-673-0x0000012DD4FB0000-0x0000012DD4FB1000-memory.dmp

Filesize
4KB

Download
memory/1668-671-0x0000012DD4FB0000-0x0000012DD4FB1000-memory.dmp

Filesize
4KB

Download
memory/1668-670-0x0000012DD4FC0000-0x0000012DD4FC1000-memory.dmp

Filesize
4KB

Download
memory/1668-538-0x0000012DD4FB0000-0x0000012DD4FB1000-memory.dmp

Filesize
4KB

Download
memory/1668-668-0x0000012DDA2C0000-0x0000012DDA2C1000-memory.dmp

Filesize
4KB

Download
memory/3096-520-0x00000000075C0000-0x0000000007626000-memory.dmp

Filesize
408KB

Download
memory/3096-511-0x0000000005860000-0x000000000587A000-memory.dmp

Filesize
104KB

Download
memory/3096-516-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/3096-515-0x0000000005930000-0x0000000005952000-memory.dmp

Filesize
136KB

Download
memory/3096-514-0x00000000059A0000-0x0000000005A36000-memory.dmp

Filesize
600KB

Download
memory/3096-513-0x0000000006920000-0x0000000006F9A000-memory.dmp

Filesize
6.5MB

Download
memory/3096-512-0x00000000058C0000-0x00000000058F6000-memory.dmp

Filesize
216KB

Download
memory/3096-517-0x0000000006FA0000-0x0000000007544000-memory.dmp

Filesize
5.6MB

Download
memory/3096-507-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/3096-500-0x0000000005C70000-0x0000000006298000-memory.dmp

Filesize
6.2MB

Download
memory/3096-518-0x0000000005A70000-0x0000000005A8E000-memory.dmp

Filesize
120KB

Download
memory/3096-519-0x0000000005B70000-0x0000000005BBA000-memory.dmp

Filesize
296KB

Download
memory/3096-521-0x0000000007840000-0x0000000007862000-memory.dmp

Filesize
136KB

Download
memory/3096-526-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/3096-527-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/3096-529-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download