6432da493a05c5fe79964ccb95b079569ceb3165eeb83bd9e84a5c332fb19f72

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.bat
Size

96KB
MD5

40e807605a1543a9cc58a145c2676371
SHA1

dd441a5fe7fc6883a6994309367a2fff2ce60b52
SHA256

6432da493a05c5fe79964ccb95b079569ceb3165eeb83bd9e84a5c332fb19f72
SHA512

5b812042e12f3259d60946dfb762a417213faa4f722dd6a7ec25055d2e2f929f6b07873ca537ec6c6103f968f31c3de9c0c68e793f47009903c9aebb3bf53e7f
SSDEEP

768:FposY9qsaIZz+QK7ruEDHs2guEDHsaXmh82mnUjQxOn1TbzQeQg+miCmY1p02AzT:FCsYOSm9mnUk01seQg+miCm2AMjMJee

Score

4^/10

execution

Malware Config

Signatures

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4388	sc.exe
3684	sc.exe
4256	sc.exe
3960	sc.exe
464	sc.exe
3316	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3656	powershell.exe

Checks SCSI registry key(s) 3 TTPs 34 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000D	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\en	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0003	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0003	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\000C	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000A	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\en-US	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0009	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000D	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\000C	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\en-US	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000A	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\en	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0009	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	pnputil.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3656	powershell.exe
3656	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3880	pnputil.exe
Token: SeDebugPrivilege	3656	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 2284	3848	cmd.exe	83
PID 3848 wrote to memory of 2284	3848	cmd.exe	83
PID 3848 wrote to memory of 392	3848	cmd.exe	84
PID 3848 wrote to memory of 392	3848	cmd.exe	84
PID 3848 wrote to memory of 1100	3848	cmd.exe	93
PID 3848 wrote to memory of 1100	3848	cmd.exe	93
PID 1100 wrote to memory of 3860	1100	net.exe	94
PID 1100 wrote to memory of 3860	1100	net.exe	94
PID 3848 wrote to memory of 1780	3848	cmd.exe	95
PID 3848 wrote to memory of 1780	3848	cmd.exe	95
PID 1780 wrote to memory of 2324	1780	net.exe	96
PID 1780 wrote to memory of 2324	1780	net.exe	96
PID 3848 wrote to memory of 5104	3848	cmd.exe	97
PID 3848 wrote to memory of 5104	3848	cmd.exe	97
PID 5104 wrote to memory of 1720	5104	net.exe	98
PID 5104 wrote to memory of 1720	5104	net.exe	98
PID 3848 wrote to memory of 376	3848	cmd.exe	99
PID 3848 wrote to memory of 376	3848	cmd.exe	99
PID 376 wrote to memory of 3484	376	net.exe	100
PID 376 wrote to memory of 3484	376	net.exe	100
PID 3848 wrote to memory of 2344	3848	cmd.exe	101
PID 3848 wrote to memory of 2344	3848	cmd.exe	101
PID 2344 wrote to memory of 2512	2344	net.exe	102
PID 2344 wrote to memory of 2512	2344	net.exe	102
PID 3848 wrote to memory of 1988	3848	cmd.exe	103
PID 3848 wrote to memory of 1988	3848	cmd.exe	103
PID 3848 wrote to memory of 1916	3848	cmd.exe	104
PID 3848 wrote to memory of 1916	3848	cmd.exe	104
PID 3848 wrote to memory of 4880	3848	cmd.exe	105
PID 3848 wrote to memory of 4880	3848	cmd.exe	105
PID 3848 wrote to memory of 3688	3848	cmd.exe	106
PID 3848 wrote to memory of 3688	3848	cmd.exe	106
PID 3688 wrote to memory of 4308	3688	net.exe	107
PID 3688 wrote to memory of 4308	3688	net.exe	107
PID 3848 wrote to memory of 372	3848	cmd.exe	109
PID 3848 wrote to memory of 372	3848	cmd.exe	109
PID 372 wrote to memory of 3824	372	net.exe	110
PID 372 wrote to memory of 3824	372	net.exe	110
PID 3848 wrote to memory of 4240	3848	cmd.exe	111
PID 3848 wrote to memory of 4240	3848	cmd.exe	111
PID 4240 wrote to memory of 2796	4240	net.exe	112
PID 4240 wrote to memory of 2796	4240	net.exe	112
PID 3848 wrote to memory of 5008	3848	cmd.exe	113
PID 3848 wrote to memory of 5008	3848	cmd.exe	113
PID 5008 wrote to memory of 4672	5008	net.exe	114
PID 5008 wrote to memory of 4672	5008	net.exe	114
PID 3848 wrote to memory of 2164	3848	cmd.exe	115
PID 3848 wrote to memory of 2164	3848	cmd.exe	115
PID 2164 wrote to memory of 4896	2164	net.exe	116
PID 2164 wrote to memory of 4896	2164	net.exe	116
PID 3848 wrote to memory of 1428	3848	cmd.exe	118
PID 3848 wrote to memory of 1428	3848	cmd.exe	118
PID 3848 wrote to memory of 4804	3848	cmd.exe	119
PID 3848 wrote to memory of 4804	3848	cmd.exe	119
PID 3848 wrote to memory of 3440	3848	cmd.exe	120
PID 3848 wrote to memory of 3440	3848	cmd.exe	120
PID 3848 wrote to memory of 2296	3848	cmd.exe	121
PID 3848 wrote to memory of 2296	3848	cmd.exe	121
PID 3848 wrote to memory of 3436	3848	cmd.exe	122
PID 3848 wrote to memory of 3436	3848	cmd.exe	122
PID 3848 wrote to memory of 3228	3848	cmd.exe	123
PID 3848 wrote to memory of 3228	3848	cmd.exe	123
PID 3848 wrote to memory of 1256	3848	cmd.exe	124
PID 3848 wrote to memory of 1256	3848	cmd.exe	124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:392
- C:\Windows\system32\net.exe
  net stop Audiosrv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Audiosrv
    3⤵
    PID:3860
- C:\Windows\system32\net.exe
  net stop AudioEndpointBuilder
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AudioEndpointBuilder
    3⤵
    PID:2324
- C:\Windows\system32\net.exe
  net stop Dhcp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Dhcp
    3⤵
    PID:1720
- C:\Windows\system32\net.exe
  net stop BthHFSrv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BthHFSrv
    3⤵
    PID:3484
- C:\Windows\system32\net.exe
  net stop wlansvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wlansvc
    3⤵
    PID:2512
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\AudioSrv" /f
  2⤵
  PID:1988
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\AudioSrv" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:1916
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}" /f
  2⤵
  PID:4880
- C:\Windows\system32\net.exe
  net start AudioEndpointBuilder
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start AudioEndpointBuilder
    3⤵
    PID:4308
- C:\Windows\system32\net.exe
  net start Audiosrv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Audiosrv
    3⤵
    PID:3824
- C:\Windows\system32\net.exe
  net start Dhcp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dhcp
    3⤵
    PID:2796
- C:\Windows\system32\net.exe
  net start BthHFSrv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start BthHFSrv
    3⤵
    PID:4672
- C:\Windows\system32\net.exe
  net start wlansvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start wlansvc
    3⤵
    PID:4896
- C:\Windows\system32\pnputil.exe
  pnputil.exe /enum-devices /connected
  2⤵
  - Checks SCSI registry key(s)
  PID:1428
- C:\Windows\system32\findstr.exe
  findstr /i "audio"
  2⤵
  PID:4804
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Device Description: Speakers (High Definition Audio Device)
  2⤵
  PID:3440
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Class Name: AudioEndpoint
  2⤵
  PID:2296
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Driver Name: audioendpoint.inf
  2⤵
  PID:3436
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Device Description: Line In (High Definition Audio Device)
  2⤵
  PID:3228
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Class Name: AudioEndpoint
  2⤵
  PID:1256
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Driver Name: audioendpoint.inf
  2⤵
  PID:3476
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Instance ID: HDAUDIO\FUNC_01&VEN_8086&DEV_0022&SUBSYS_80860022&REV_1001\4&2c5de02&0&0001
  2⤵
  PID:2244
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Device Description: High Definition Audio Device
  2⤵
  PID:1252
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Driver Name: hdaudio.inf
  2⤵
  PID:1424
- C:\Windows\system32\pnputil.exe
  pnputil.exe /remove-device Device Description: High Definition Audio Controller
  2⤵
  PID:4688
- C:\Windows\system32\pnputil.exe
  pnputil.exe /scan-devices
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Multimedia\Audio" /v "DisableAudioEnhancements" /t REG_DWORD /d 0 /f
  2⤵
  PID:4228
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Multimedia\Audio" /v "AllowExclusiveMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:1564
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Multimedia\Audio" /v "AudioBuffer" /t REG_DWORD /d 512 /f
  2⤵
  PID:3624
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Multimedia\Audio\MicBoost" /v "MicBoost" /t REG_DWORD /d 1 /f
  2⤵
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Get-WmiObject Win32_SoundDevice | ForEach-Object { $_.ConfigManagerErrorCode = 100 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3656
- C:\Windows\system32\sc.exe
  sc config Audiosrv start= auto
  2⤵
  - Launches sc.exe
  PID:3684
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start= auto
  2⤵
  - Launches sc.exe
  PID:4256
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  - Launches sc.exe
  PID:3960
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start= auto
  2⤵
  - Launches sc.exe
  PID:464
- C:\Windows\system32\sc.exe
  sc config wlansvc start= auto
  2⤵
  - Launches sc.exe
  PID:3316
- C:\Windows\system32\sc.exe
  sc sdset Audiosrv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
  2⤵
  - Launches sc.exe
  PID:4388
- C:\Windows\system32\msdt.exe
  msdt.exe /id AudioPlaybackDiagnostic
  2⤵
  PID:1692
- C:\Windows\system32\msdt.exe
  msdt.exe /id AudioRecordingDiagnostic
  2⤵
  PID:4376
- C:\Windows\system32\sfc.exe
  sfc /scannow
  2⤵
  PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dvwdrzd.4wq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\SDIAG_21cc07f3-9c8d-4b06-92c9-65e6fb690339\DiagPackage.diagpkg

Filesize
29KB

MD5
ba37a7804a0ea9567932d9c79fdf86c7

SHA1
3c28c873cc90ebaa1f41687ea5a77df928e2bbfa

SHA256
403765348c3fde6400630905d9ad9c913ae2468ce1c16327b2c2b21c09462581

SHA512
a69dd5576e6a302159db6a4bcb612bb76ae54d4776cd6fb322c822ed0d4f1fa9dd5fabc29056aa121e1b7beeada9cda81287a831732d452f3b31858932e75d65

Download Submit
C:\Windows\Temp\SDIAG_21cc07f3-9c8d-4b06-92c9-65e6fb690339\DiagPackage.dll

Filesize
172KB

MD5
f3cde2ddbd7b3195cb6e4fb32faf65e1

SHA1
fd41c77dd5300cad8f9647fe2414b7c92a300545

SHA256
d328a748600630a0813aab411417b9dd3414e5d59ff95f7ef7360ac7eeb2db47

SHA512
f737b8b41fc1449164a209fc60e6e3208a92062baae9849e70751abb1f22b93e86e9f1aacae9608f9aae87121473074fa9fbdb39f7210cbf21c7bf8d21cdf698

Download Submit
C:\Windows\Temp\SDIAG_21cc07f3-9c8d-4b06-92c9-65e6fb690339\en-US\DiagPackage.dll.mui

Filesize
12KB

MD5
02c5b02d50c524698fb52bbb91ee6d39

SHA1
78f63fa86fdb75e584f1f57e2d0c575e75b0f0f9

SHA256
b7382437ed8e2a380280cbd2e04c79ebe91f14f51fc16a81010ebda4aad8e72b

SHA512
19a81d86cd185f88ed753be5ea58a3386f4edf735e617080d049561046d5a0211d8bc6354c0a76730c9efc9129f323e5c14dee1efba2f8a224cfba7f55356c14

Download Submit
C:\Windows\Temp\SDIAG_ca327e02-29df-4693-a841-b74f2fc8c25c\DiagPackage.diagpkg

Filesize
30KB

MD5
12c15b9e090dd8bc97a5ce5279a45ca7

SHA1
9daf6abf00f7280c0f137c05e09e1f8846ab2a2e

SHA256
c1fb0ac3a2e678731510cac26309ad10de16410ab5659ffab8155959b22ff630

SHA512
924bdc04488c69364ec8e5be49fdb6aaffcb16afe63d6e8225cba9b0449a9c1b5737041e02428a0c3fe3db61104ccb2a36bfc9064a00196ab356a6ce142960f7

Download Submit
C:\Windows\Temp\SDIAG_ca327e02-29df-4693-a841-b74f2fc8c25c\DiagPackage.dll

Filesize
54KB

MD5
bb16302cbc60cec05abff614bee2842f

SHA1
1762843dc8207d1c733d818b10662a04a08fb0e5

SHA256
e7b2e4ed5d335d3051b3f49ca799f6a07ae6f86d4cb247fb5236c0ad11352736

SHA512
691e7ced4fa7f29e84f9b37c363146022436922ec99cd9f7127d70cd899b1ab336b47296d18e09bba1a28aa014615bd5c920bd28b854e11b29a4007fcc7b0e4d

Download Submit
C:\Windows\Temp\SDIAG_ca327e02-29df-4693-a841-b74f2fc8c25c\en-US\DiagPackage.dll.mui

Filesize
11KB

MD5
2f731de0238c3adc457b7ad272765a9a

SHA1
155a053851f6554e045b19a59ec78dc35df24b84

SHA256
c170cb7e973bc989451bd18af574af948251fb5d9f4ea9d23654d17c153ed158

SHA512
3a536efedd17e794de50457a35a7def7a7ac6da68ab30ce17ce9368e3c9d5c1a094b979f935bdb26830dc5c6f4ba19d95621ac902335fea3f41bb40c6dcf585d

Download Submit
memory/3656-1-0x000001F420220000-0x000001F420242000-memory.dmp

Filesize
136KB

Download