c4d74e49c44c880ec1b4cdede24423872f931e617b33d6bdba31e0534a12b809

Resubmissions

09/11/2024, 22:49

241109-2r2veatfrl 10

09/11/2024, 22:47

09/11/2024, 22:46

09/11/2024, 22:44

07/11/2024, 16:00

10/02/2024, 17:17

Analysis

max time kernel
120s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/11/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
320	sc.exe
4076	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1688	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe

Suspicious behavior: LoadsDriver 26 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3664	svchost.exe
Token: SeIncreaseQuotaPrivilege	3664	svchost.exe
Token: SeSecurityPrivilege	3664	svchost.exe
Token: SeTakeOwnershipPrivilege	3664	svchost.exe
Token: SeLoadDriverPrivilege	3664	svchost.exe
Token: SeBackupPrivilege	3664	svchost.exe
Token: SeRestorePrivilege	3664	svchost.exe
Token: SeShutdownPrivilege	3664	svchost.exe
Token: SeSystemEnvironmentPrivilege	3664	svchost.exe
Token: SeManageVolumePrivilege	3664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3664	svchost.exe
Token: SeIncreaseQuotaPrivilege	3664	svchost.exe
Token: SeSecurityPrivilege	3664	svchost.exe
Token: SeTakeOwnershipPrivilege	3664	svchost.exe
Token: SeLoadDriverPrivilege	3664	svchost.exe
Token: SeSystemtimePrivilege	3664	svchost.exe
Token: SeBackupPrivilege	3664	svchost.exe
Token: SeRestorePrivilege	3664	svchost.exe
Token: SeShutdownPrivilege	3664	svchost.exe
Token: SeSystemEnvironmentPrivilege	3664	svchost.exe
Token: SeUndockPrivilege	3664	svchost.exe
Token: SeManageVolumePrivilege	3664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3664	svchost.exe
Token: SeIncreaseQuotaPrivilege	3664	svchost.exe
Token: SeSecurityPrivilege	3664	svchost.exe
Token: SeTakeOwnershipPrivilege	3664	svchost.exe
Token: SeLoadDriverPrivilege	3664	svchost.exe
Token: SeSystemtimePrivilege	3664	svchost.exe
Token: SeBackupPrivilege	3664	svchost.exe
Token: SeRestorePrivilege	3664	svchost.exe
Token: SeShutdownPrivilege	3664	svchost.exe
Token: SeSystemEnvironmentPrivilege	3664	svchost.exe
Token: SeUndockPrivilege	3664	svchost.exe
Token: SeManageVolumePrivilege	3664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3664	svchost.exe
Token: SeIncreaseQuotaPrivilege	3664	svchost.exe
Token: SeSecurityPrivilege	3664	svchost.exe
Token: SeTakeOwnershipPrivilege	3664	svchost.exe
Token: SeLoadDriverPrivilege	3664	svchost.exe
Token: SeSystemtimePrivilege	3664	svchost.exe
Token: SeBackupPrivilege	3664	svchost.exe
Token: SeRestorePrivilege	3664	svchost.exe
Token: SeShutdownPrivilege	3664	svchost.exe
Token: SeSystemEnvironmentPrivilege	3664	svchost.exe
Token: SeUndockPrivilege	3664	svchost.exe
Token: SeManageVolumePrivilege	3664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3664	svchost.exe
Token: SeIncreaseQuotaPrivilege	3664	svchost.exe
Token: SeSecurityPrivilege	3664	svchost.exe
Token: SeTakeOwnershipPrivilege	3664	svchost.exe
Token: SeLoadDriverPrivilege	3664	svchost.exe
Token: SeSystemtimePrivilege	3664	svchost.exe
Token: SeBackupPrivilege	3664	svchost.exe
Token: SeRestorePrivilege	3664	svchost.exe
Token: SeShutdownPrivilege	3664	svchost.exe
Token: SeSystemEnvironmentPrivilege	3664	svchost.exe
Token: SeUndockPrivilege	3664	svchost.exe
Token: SeManageVolumePrivilege	3664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3664	svchost.exe
Token: SeIncreaseQuotaPrivilege	3664	svchost.exe
Token: SeSecurityPrivilege	3664	svchost.exe
Token: SeTakeOwnershipPrivilege	3664	svchost.exe
Token: SeLoadDriverPrivilege	3664	svchost.exe
Token: SeSystemtimePrivilege	3664	svchost.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe
1916	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4864	3928	cmd.exe	84
PID 3928 wrote to memory of 4864	3928	cmd.exe	84
PID 3928 wrote to memory of 3552	3928	cmd.exe	85
PID 3928 wrote to memory of 3552	3928	cmd.exe	85
PID 3928 wrote to memory of 4284	3928	cmd.exe	87
PID 3928 wrote to memory of 4284	3928	cmd.exe	87
PID 3928 wrote to memory of 2472	3928	cmd.exe	88
PID 3928 wrote to memory of 2472	3928	cmd.exe	88
PID 3928 wrote to memory of 1496	3928	cmd.exe	89
PID 3928 wrote to memory of 1496	3928	cmd.exe	89
PID 3928 wrote to memory of 2840	3928	cmd.exe	90
PID 3928 wrote to memory of 2840	3928	cmd.exe	90
PID 3928 wrote to memory of 2268	3928	cmd.exe	91
PID 3928 wrote to memory of 2268	3928	cmd.exe	91
PID 3928 wrote to memory of 4636	3928	cmd.exe	92
PID 3928 wrote to memory of 4636	3928	cmd.exe	92
PID 3928 wrote to memory of 1732	3928	cmd.exe	93
PID 3928 wrote to memory of 1732	3928	cmd.exe	93
PID 3928 wrote to memory of 2248	3928	cmd.exe	94
PID 3928 wrote to memory of 2248	3928	cmd.exe	94
PID 3928 wrote to memory of 4872	3928	cmd.exe	95
PID 3928 wrote to memory of 4872	3928	cmd.exe	95
PID 3928 wrote to memory of 3880	3928	cmd.exe	96
PID 3928 wrote to memory of 3880	3928	cmd.exe	96
PID 3928 wrote to memory of 2020	3928	cmd.exe	97
PID 3928 wrote to memory of 2020	3928	cmd.exe	97
PID 3928 wrote to memory of 4704	3928	cmd.exe	98
PID 3928 wrote to memory of 4704	3928	cmd.exe	98
PID 3928 wrote to memory of 3960	3928	cmd.exe	99
PID 3928 wrote to memory of 3960	3928	cmd.exe	99
PID 3928 wrote to memory of 4360	3928	cmd.exe	100
PID 3928 wrote to memory of 4360	3928	cmd.exe	100
PID 3928 wrote to memory of 4808	3928	cmd.exe	101
PID 3928 wrote to memory of 4808	3928	cmd.exe	101
PID 3928 wrote to memory of 1500	3928	cmd.exe	102
PID 3928 wrote to memory of 1500	3928	cmd.exe	102
PID 3928 wrote to memory of 1832	3928	cmd.exe	104
PID 3928 wrote to memory of 1832	3928	cmd.exe	104
PID 3928 wrote to memory of 2996	3928	cmd.exe	105
PID 3928 wrote to memory of 2996	3928	cmd.exe	105
PID 3928 wrote to memory of 2836	3928	cmd.exe	106
PID 3928 wrote to memory of 2836	3928	cmd.exe	106
PID 3928 wrote to memory of 764	3928	cmd.exe	107
PID 3928 wrote to memory of 764	3928	cmd.exe	107
PID 3928 wrote to memory of 3616	3928	cmd.exe	108
PID 3928 wrote to memory of 3616	3928	cmd.exe	108
PID 3928 wrote to memory of 1696	3928	cmd.exe	110
PID 3928 wrote to memory of 1696	3928	cmd.exe	110
PID 3928 wrote to memory of 2540	3928	cmd.exe	111
PID 3928 wrote to memory of 2540	3928	cmd.exe	111
PID 3928 wrote to memory of 3540	3928	cmd.exe	112
PID 3928 wrote to memory of 3540	3928	cmd.exe	112
PID 3928 wrote to memory of 2904	3928	cmd.exe	113
PID 3928 wrote to memory of 2904	3928	cmd.exe	113
PID 2904 wrote to memory of 4920	2904	net.exe	114
PID 2904 wrote to memory of 4920	2904	net.exe	114
PID 3928 wrote to memory of 2220	3928	cmd.exe	121
PID 3928 wrote to memory of 2220	3928	cmd.exe	121
PID 2220 wrote to memory of 216	2220	net.exe	122
PID 2220 wrote to memory of 216	2220	net.exe	122
PID 3928 wrote to memory of 320	3928	cmd.exe	123
PID 3928 wrote to memory of 320	3928	cmd.exe	123
PID 3928 wrote to memory of 4076	3928	cmd.exe	124
PID 3928 wrote to memory of 4076	3928	cmd.exe	124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 1359515080620915275
  2⤵
  PID:4864
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 184281164685525346
  2⤵
  PID:3552
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 2393222718149408448
  2⤵
  PID:4284
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 31112321982815329518
  2⤵
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 1522132601769823273
  2⤵
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 208929886632422994
  2⤵
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 20552326721455730984
  2⤵
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:4636
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 28627135071546827315
  2⤵
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 302198105218357330
  2⤵
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 2018673362004120215
  2⤵
  PID:4872
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 6183304935661801
  2⤵
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 9463286753165622283
  2⤵
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 153204804326358339
  2⤵
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 5247195342421723870
  2⤵
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 22704308261497418986
  2⤵
  PID:4360
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 113582285760814404
  2⤵
  PID:4808
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 2761161643628858
  2⤵
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 14483223911432415796
  2⤵
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 23229197082396827455
  2⤵
  PID:2996
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 25265160281497921641
  2⤵
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 26424120531259920820
  2⤵
  PID:764
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 88002771791956053
  2⤵
  PID:3616
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 72707815573226044
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 3221725152126102121
  2⤵
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 19709811726934317
  2⤵
  PID:3540
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:4920
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:216
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:320
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:4076
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
PID:4236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\wbem\repository\MAPPING3.MAP

Filesize
207KB

MD5
ccef225b2c0c8fbb37b24de18e87a320

SHA1
4d3ca45da62bde453bee76cd2ba44c0797285a30

SHA256
0cf3af3e88a585b9107d624e13f703e0d01b3ff30f1010c54dd0855a8ea95375

SHA512
da0951e0bc29273cebd032f071e290d7ede2f6e1ef478e694624468139e9883ed18b253227ebe7673c5aeb152aa15a6468d7760c18bdbf2246c311f6753ac625

Download Submit
memory/1916-2-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download
memory/1916-4-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download
memory/1916-3-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download
memory/1916-14-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download
memory/1916-13-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download
memory/1916-12-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download
memory/1916-11-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download
memory/1916-10-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download
memory/1916-9-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download
memory/1916-8-0x000001F7BC750000-0x000001F7BC751000-memory.dmp

Filesize
4KB

Download