Analysis
- max time kernel: 255s
- max time network: 245s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 18:04
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://outbyte.com/
Resource: win10v2004-20240508-en
General
- Target: https://outbyte.com/
Malware Config
Signatures
- Drops file in System32 directory (12 IoCs)
  Processes: svchost.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | svchost.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | svchost.exe
  File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{ce5eb88c-7c22-4c8c-bd27-d65c9eb9572a}\snapshot.etl | svchost.exe
  File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{ce5eb88c-7c22-4c8c-bd27-d65c9eb9572a}\snapshot.etl | svchost.exe
  File opened for modification | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4124900551-4068476067-3491212533-1000_UserData.bin | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRU.chk | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRU.log | svchost.exe
  File created | C:\Windows\system32\NDF\{3C61E142-3D7B-49C2-B4B6-06189CAAD4EC}-temp-06132024-1806.etl | svchost.exe
  File opened for modification | C:\Windows\system32\NDF\{3C61E142-3D7B-49C2-B4B6-06189CAAD4EC}-temp-06132024-1806.etl | svchost.exe
  File opened for modification | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | svchost.exe
  File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-4124900551-4068476067-3491212533-1000_StartupInfo3.xml | svchost.exe
- Drops file in Windows directory (1 IoC)
  Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk | svchost.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe
  pid | process
  4164 | ipconfig.exe
- Modifies data under HKEY_USERS (4 IoCs)
  Processes: svchost.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe, sdiagnhost.exe, svchost.exe, msedge.exe
  pid | process | occurrences
  3148 | msedge.exe | 2
  5064 | msedge.exe | 2
  1824 | identity_helper.exe | 2
  5960 | sdiagnhost.exe | 2
  4576 | svchost.exe | 2
  6116 | msedge.exe | 4
- Suspicious behavior: LoadsDriver (14 IoCs)
  pid | occurrences
  4 | 13
  668 | 1
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
  Processes: msedge.exe
  pid | process | occurrences
  5064 | msedge.exe | 11
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: sdiagnhost.exe
  description | pid | process
  Token: SeDebugPrivilege | 5960 | sdiagnhost.exe
- Suspicious use of FindShellTrayWindow (26 IoCs)
  Processes: msedge.exe, msdt.exe
  pid | process | occurrences
  5064 | msedge.exe | 25
  4304 | msdt.exe | 1
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid | process | occurrences
  5064 | msedge.exe | 24
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  description | pid | process | target pid | target process | occurrences
  PID 5064 wrote to memory of 1800 | 5064 | msedge.exe | 1800 | msedge.exe | 2
  PID 5064 wrote to memory of 4228 | 5064 | msedge.exe | 4228 | msedge.exe | 40
  PID 5064 wrote to memory of 3148 | 5064 | msedge.exe | 3148 | msedge.exe | 2
  PID 5064 wrote to memory of 380 | 5064 | msedge.exe | 380 | msedge.exe | 20
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [PID 5064] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://outbyte.com/
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [PID 1800] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9272c46f8,0x7ff9272c4708,0x7ff9272c4718
  - [PID 4228] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  - [PID 3148] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - [PID 380] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  - [PID 544] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  - [PID 3900] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - [PID 1940] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  - [PID 1824] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - [PID 2916] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  - [PID 4140] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  - [PID 2636] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
  - [PID 1852] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  - [PID 4144] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  - [PID 4720] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  - [PID 208] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  - [PID 4304] C:\Windows\system32\msdt.exe
    Command line: -modal "262608" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFC9A9.tmp" -ep "NetworkDiagnosticsWeb"
    Signatures: Suspicious use of FindShellTrayWindow
  - [PID 3276] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  - [PID 6116] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3324 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - [PID 1796] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3740937609882013255,4241714151573262789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
- [PID 4476] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [PID 2492] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [PID 5960] C:\Windows\System32\sdiagnhost.exe
  Command line: C:\Windows\System32\sdiagnhost.exe -Embedding
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [PID 6136] C:\Windows\system32\netsh.exe
    Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  - [PID 5140] C:\Windows\system32\netsh.exe
    Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  - [PID 4164] C:\Windows\system32\ipconfig.exe
    Command line: "C:\Windows\system32\ipconfig.exe" /all
    Signatures: Gathers network information
  - [PID 3464] C:\Windows\system32\ROUTE.EXE
    Command line: "C:\Windows\system32\ROUTE.EXE" print
  - [PID 5728] C:\Windows\system32\makecab.exe
    Command line: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
- [PID 4576] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
  Signatures: Drops file in System32 directory; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses
- [PID 2688] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
  Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS
  - [PID 5608] C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
- [PID 4124] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
- [PID 5340] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: a8e767fd33edd97d306efb6905f93252
  SHA1: a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
  SHA256: c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
  SHA512: 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
- Filesize: 152B
  MD5: 439b5e04ca18c7fb02cf406e6eb24167
  SHA1: e0c5bb6216903934726e3570b7d63295b9d28987
  SHA256: 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
  SHA512: d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
- Filesize: 5KB
  MD5: 44b079541f2e7530202737549cf7f58d
  SHA1: 3dfad95a74708115f8c18b4aa18f1184680da93a
  SHA256: e92ee3be0874b3a117fc215467f5bdc95ee50c91e15c547ad9d531045031a964
  SHA512: 4cae5f982b430a71b3c18a7174c2ec4182f2ebe0d9cb34fc0c35cf9c7c43b61809c4f0603bcecb9e556178cbaeb75a8850cf42c5430e3401584507bac4a9416b
- Filesize: 6KB
  MD5: 456df303f4ea0ca68d7df830feb6f21d
  SHA1: a9e655b522785bff2110569a5c83a5b97defb189
  SHA256: 93e46f7077146fd345f70d61e28c0fc6ff4127c31be1b720650c5ac6aee37e26
  SHA512: 52c0fe1744ef1ce51c66503ffd6fc865408a5ee98c3ca2860a489cb8ee466bc40620d661c2ce77da891f7147fa2729d1be28002455d8ef1a3d1c88f0425c5540
- Filesize: 6KB
  MD5: 0d59d50e07b4a433fc3170fd3d842a77
  SHA1: 8194825b3f7dcdc5131c87af99827685ed9f7624
  SHA256: d1e8fac513356fa238bd8f49348bec4eff4f0d350723de58dc10e4cb05ba8d4b
  SHA512: 0e79f8d0ae6a4f6fce1a2d73b3a31928c624a18ffbefa4584956ac72b523b86b63da9d73eb489c28d71ef1ea92fa589bfcc835a282169d71648b6eb85a23e1e2
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 8KB
  MD5: 0087133621408b75fe9c24d0ba0ee00c
  SHA1: a951a8de6b85383ab7b917a5f6227de2ab11c5a1
  SHA256: 845ef5a9f93b4bbae8567cc2b7c3d629ab7c09da3a50df22d46fff42c6ec9aca
  SHA512: e46e81a9782fd4c84adaecae2f3498cc5f0a904f85e9f88d422db439c30ec91a3f8e5bf746105e902bd1b2b27b9f2e835f9faf4d88894ff9455abdff2d757787
- Filesize: 8KB
  MD5: 57183737f300c733245a4dad80fa940c
  SHA1: d64c3aba6a087eb0bad233f8f8724b3174522656
  SHA256: 57fe5f2bc2853938518b17242c8a2d398432add73c517c8e0fc388f23d48e761
  SHA512: e42880c73675c4b27d5c9c7951be8202c419f4979e7a7f9ce0d3586d581a9f511526c25569c98f58a5628406d27874e495aa55100ffb0e5ab81f83725ae3613d
- Filesize: 3KB
  MD5: 12217afc08ab8d3664213d7a77455b86
  SHA1: 0546acef3466b363da32f2bf8b415b304ff35c2e
  SHA256: 02315eb7eb7ab6f1dc5a2020e94171778ce5767ecc7fe81ba300ae82d99e8778
  SHA512: 0c62b7a745f3a2e625cbe85c60b863d3d4cf3fa4728d1bbc0e70f9f326324e00353b3da017b162249312e5b78c4f7498d2026eef95af8753f0c43b21193c5a3b
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: 788a9c1404777043844218a12c4ca310
  SHA1: 02cdf3fcd19b37e54577189fa829293343cf5162
  SHA256: 34b161175b07dfb4745cef646998ec19b50393fc521f9cf3799a22eb303a4282
  SHA512: dc35246099bada474d501e12766951899506a7cc73b8b56a71f96708e9aba8d51d2b6bdb625da95deaaa9a75306818ad9ba40ca8a70136cd71fdfc6bb1e4e3ea
- Filesize: 231B
  MD5: 00848049d4218c485d9e9d7a54aa3b5f
  SHA1: d1d5f388221417985c365e8acaec127b971c40d0
  SHA256: ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e
  SHA512: 3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9
- Filesize: 1KB
  MD5: afa78a5be72e93358ee33253e1774c22
  SHA1: 724dee0f14e48842ff67f6223fe2571f4d8a4ffb
  SHA256: 146bbdb4658ed2b02fd40eaf6090d96958d451fcdaf271fb60bf3aa815810cc1
  SHA512: ff1677af99dfe9fc7cb6f75b230e3c736eafdb47610a07eb5e8823cb5763594d4d240c887460e6d052ae9f634621b1ab01b923ceae8906d9de8e8a2f93253230
- Filesize: 4KB
  MD5: 1b0d07b9068519fac1c1098540245e27
  SHA1: 5a679289a28e14c0cabf2282832261380397f2fb
  SHA256: ba4b343fc9abbe875f7789aef20d5911b369edda1aefa454761a00292b407ba4
  SHA512: e077c291dc32f9a16ac1b6f3eb50a560d0f6e6dfb3944b545ecffc13d52225c7aae5763d95909dcb33a3add9d1cd0039aeefee6b31dcfcd1f228a7060124eb0c
- Filesize: 978B
  MD5: 21263baf67687be5670aa167f957704f
  SHA1: 01a4920bed3b672fa7f2fe43d8f895bc722f4b95
  SHA256: 54958138011f11cf3b33433ecd0bffb9def59bc6db0d2c787804fa1523d83732
  SHA512: 9d1fb787ca6307c897c2e48e96dadb0f1c6242f8f1e08d43d27e5c18f23b797beaf79cc9d29ec2805191a8edb28c244f92b5cb93540382e8603825964672259f
- Filesize: 283B
  MD5: 95b00c0e658dd2f09c4e501e27625a11
  SHA1: 16a2f2668025038323f5ba1ef7dd5bcd84f62939
  SHA256: 4a218aeb63cd046c015e748a6e145e3b3e3f71372d304993cfe02bc31bcc24b5
  SHA512: 6a7d286bdbd0cd9954c918aedfee39e68d6930d515b7b0092d750f31b75df528cca354ae9818df4dab27fc7b6933372b86c4288bec437df02484fa030e098fbc
- Filesize: 11KB
  MD5: d213491a2d74b38a9535d616b9161217
  SHA1: bde94742d1e769638e2de84dfb099f797adcc217
  SHA256: 4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211
  SHA512: 5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104
- Filesize: 25KB
  MD5: d0cfc204ca3968b891f7ce0dccfb2eda
  SHA1: 56dad1716554d8dc573d0ea391f808e7857b2206
  SHA256: e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a
  SHA512: 4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c
- Filesize: 10KB
  MD5: 9b222d8ec4b20860f10ebf303035b984
  SHA1: b30eea35c2516afcab2c49ef6531af94efaf7e1a
  SHA256: a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc
  SHA512: 8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67
- Filesize: 567B
  MD5: a660422059d953c6d681b53a6977100e
  SHA1: 0c95dd05514d062354c0eecc9ae8d437123305bb
  SHA256: d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813
  SHA512: 26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523
- Filesize: 53KB
  MD5: c912faa190464ce7dec867464c35a8dc
  SHA1: d1c6482dad37720db6bdc594c4757914d1b1dd70
  SHA256: 3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201
  SHA512: 5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a
- Filesize: 2KB
  MD5: 0c75ae5e75c3e181d13768909c8240ba
  SHA1: 288403fc4bedaacebccf4f74d3073f082ef70eb9
  SHA256: de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f
  SHA512: 8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b
- Filesize: 5KB
  MD5: 380768979618b7097b0476179ec494ed
  SHA1: af2a03a17c546e4eeb896b230e4f2a52720545ab
  SHA256: 0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2
  SHA512: b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302
- Filesize: 478KB
  MD5: 580dc3658fa3fe42c41c99c52a9ce6b0
  SHA1: 3c4be12c6e3679a6c2267f88363bbd0e6e00cac5
  SHA256: 5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2
  SHA512: 68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2
- Filesize: 17KB
  MD5: 44c4385447d4fa46b407fc47c8a467d0
  SHA1: 41e4e0e83b74943f5c41648f263b832419c05256
  SHA256: 8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4
  SHA512: 191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005
- C:\Windows\Temp\SDIAG_5a54ca88-c3ad-480e-86fe-a266d1f2f45f\result\3C61E142-3D7B-49C2-B4B6-06189CAAD4EC.Diagnose.Admin.0.etl
  Filesize: 320KB
  MD5: 27bed8ae6b963e825cf93ba7bf8455e3
  SHA1: a0d48dd95eccd49e0fb7597352e20f3bab109718
  SHA256: 70a49a92218eaa9deadf7ad23e73527f52bb1d492a4b2cd19e336b584a18de47
  SHA512: 57c8931bdf97e974f0e89678906d2234152d29ac0fd3fa43be86939ee5b1c9d8b6ab51bc26b41997168e42ddc50ee63cedc77cbeb92203dc7a69ce5caf9945dd
- Filesize: (not reported)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e