darkvision | 72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2025, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe
Size

4.1MB
MD5

929f19e57b30f2d144df83fa0b1efeee
SHA1

240655dd6ba465964c5a7551e7dcd0aa9b86eec6
SHA256

72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1
SHA512

407420916228bbfb869f5a2e265f5a3a4a2044c1f5454dc99fc631ca873d92fadc5dbe815d7bf91b70e0c420d5c09618fb69dbd191334626babda1e50daa07f8
SSDEEP

49152:2cGISHmeux/2ueo7KX26WugPDCx5cWHiL7PCSUaDv/xOdv:UPHFRJg+3cC87PCD2BOt

Score

10^/10

darkvision execution rat

Malware Config

Extracted

Family

darkvision

powernmoney.ddns.net

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4612	powershell.exe
2144	powershell.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Drops startup file 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
5112	explorers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4612	powershell.exe
4612	powershell.exe
2144	powershell.exe
2144	powershell.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe
5112	explorers.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3552	3204	72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe	82
PID 3204 wrote to memory of 3552	3204	72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe	82
PID 3204 wrote to memory of 5112	3204	72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe	84
PID 3204 wrote to memory of 5112	3204	72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe	84
PID 3552 wrote to memory of 4612	3552	cmd.exe	85
PID 3552 wrote to memory of 4612	3552	cmd.exe	85
PID 5112 wrote to memory of 2220	5112	explorers.exe	86
PID 5112 wrote to memory of 2220	5112	explorers.exe	86
PID 5112 wrote to memory of 2516	5112	explorers.exe	87
PID 5112 wrote to memory of 2516	5112	explorers.exe	87
PID 2220 wrote to memory of 2144	2220	cmd.exe	89
PID 2220 wrote to memory of 2144	2220	cmd.exe	89
PID 5112 wrote to memory of 4276	5112	explorers.exe	90
PID 5112 wrote to memory of 4276	5112	explorers.exe	90
PID 5112 wrote to memory of 2168	5112	explorers.exe	91
PID 5112 wrote to memory of 2168	5112	explorers.exe	91
PID 5112 wrote to memory of 2596	5112	explorers.exe	93
PID 5112 wrote to memory of 2596	5112	explorers.exe	93
PID 5112 wrote to memory of 524	5112	explorers.exe	96
PID 5112 wrote to memory of 524	5112	explorers.exe	96
PID 5112 wrote to memory of 4528	5112	explorers.exe	100
PID 5112 wrote to memory of 4528	5112	explorers.exe	100
PID 5112 wrote to memory of 2540	5112	explorers.exe	105
PID 5112 wrote to memory of 2540	5112	explorers.exe	105
PID 5112 wrote to memory of 2100	5112	explorers.exe	107
PID 5112 wrote to memory of 2100	5112	explorers.exe	107
PID 5112 wrote to memory of 2492	5112	explorers.exe	108
PID 5112 wrote to memory of 2492	5112	explorers.exe	108
PID 5112 wrote to memory of 2784	5112	explorers.exe	110
PID 5112 wrote to memory of 2784	5112	explorers.exe	110
PID 5112 wrote to memory of 3080	5112	explorers.exe	111
PID 5112 wrote to memory of 3080	5112	explorers.exe	111
PID 5112 wrote to memory of 4000	5112	explorers.exe	112
PID 5112 wrote to memory of 4000	5112	explorers.exe	112
PID 5112 wrote to memory of 3172	5112	explorers.exe	114
PID 5112 wrote to memory of 3172	5112	explorers.exe	114
PID 5112 wrote to memory of 3260	5112	explorers.exe	115
PID 5112 wrote to memory of 3260	5112	explorers.exe	115
PID 5112 wrote to memory of 1768	5112	explorers.exe	116
PID 5112 wrote to memory of 1768	5112	explorers.exe	116
PID 5112 wrote to memory of 2448	5112	explorers.exe	118
PID 5112 wrote to memory of 2448	5112	explorers.exe	118
PID 5112 wrote to memory of 868	5112	explorers.exe	119
PID 5112 wrote to memory of 868	5112	explorers.exe	119
PID 5112 wrote to memory of 3244	5112	explorers.exe	120
PID 5112 wrote to memory of 3244	5112	explorers.exe	120
PID 5112 wrote to memory of 4724	5112	explorers.exe	122
PID 5112 wrote to memory of 4724	5112	explorers.exe	122
PID 5112 wrote to memory of 3164	5112	explorers.exe	123
PID 5112 wrote to memory of 3164	5112	explorers.exe	123
PID 5112 wrote to memory of 3116	5112	explorers.exe	124
PID 5112 wrote to memory of 3116	5112	explorers.exe	124
PID 5112 wrote to memory of 4008	5112	explorers.exe	126
PID 5112 wrote to memory of 4008	5112	explorers.exe	126
PID 5112 wrote to memory of 2416	5112	explorers.exe	127
PID 5112 wrote to memory of 2416	5112	explorers.exe	127
PID 5112 wrote to memory of 4512	5112	explorers.exe	128
PID 5112 wrote to memory of 4512	5112	explorers.exe	128
PID 5112 wrote to memory of 4020	5112	explorers.exe	130
PID 5112 wrote to memory of 4020	5112	explorers.exe	130
PID 5112 wrote to memory of 2836	5112	explorers.exe	131
PID 5112 wrote to memory of 2836	5112	explorers.exe	131
PID 5112 wrote to memory of 1736	5112	explorers.exe	132
PID 5112 wrote to memory of 1736	5112	explorers.exe	132

C:\Users\Admin\AppData\Local\Temp\72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe
"C:\Users\Admin\AppData\Local\Temp\72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- C:\ProgramData\explorers\explorers.exe
  "C:\ProgramData\explorers\explorers.exe" {5697EAB0-86D6-4B52-825F-6D2297C291E6}
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2144
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:2516
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4276
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2168
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2596
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:524
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4528
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2540
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2100
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2492
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2784
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3080
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4000
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3172
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3260
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1768
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2448
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:868
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3244
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4724
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3164
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3116
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4008
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2416
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4512
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4020
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2836
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1736
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4504
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4544
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3060
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3200
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2124
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\explorers\explorers.exe

Filesize
4.1MB

MD5
929f19e57b30f2d144df83fa0b1efeee

SHA1
240655dd6ba465964c5a7551e7dcd0aa9b86eec6

SHA256
72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1

SHA512
407420916228bbfb869f5a2e265f5a3a4a2044c1f5454dc99fc631ca873d92fadc5dbe815d7bf91b70e0c420d5c09618fb69dbd191334626babda1e50daa07f8

Download Submit
C:\ProgramData\{F5793314-B631-4CD1-A887-5FEF46A1029C}\{1BB7ADF2-790D-45BD-B5C1-051705E06510}.bat

Filesize
105B

MD5
925d217185307c285570f80ec506aeae

SHA1
9e2d7ea7d127aa62c60251cea7a8c6c7560abd72

SHA256
9c3df114848f2fc3edc9758b0aad34554757d5e81d63756e18b8de67bb5c1fc4

SHA512
4a5544460f7c44c6bdfc8f8fe21b0bd75d84a9e14e50dff2898ee0274bba1471deefa2707d6348bfd50298b05f5641b512649809aa278fb050721513a3256f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
56def0b01827e13a5894412967d51be9

SHA1
65bef5a257bd6bd083da5e4516b52c6b12736c41

SHA256
b9d0edc9081756ca692fbf51caba6d6fe5abb8602aa0ec3bb50407df7fc211d8

SHA512
7848f0f18533ea9aaf777f4f6330a648daf15f3faab5e843652a30939dd5478ca9d2adbf57874525a3ae06875df9ac2adf08eaa642707372ea5f02e42688e829

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25a4j2bs.elg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
b33bab357308944330747295e573e46d

SHA1
81d0e78b0864e8346056cf2b12aac9e0720f7569

SHA256
327913c0e0ff706e390ca033f9e36a752f51aff2eb86fee2c3f634761e4c1ae3

SHA512
2dad6bfb1dd8d425812d3d48326e6c891b945bf8ca267ce3094b25f1fce2d2067d4cc2dde8bd9b2b806e1ca271bd6d39b01df342f0593bccb33692796a1765ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
dcdf412fb2865fbfa3b8283159d00fe4

SHA1
d4fb46210555e6626b4a67bc1ef79a7a8d1877e5

SHA256
e6770ce47049827b9b47b535002bdf9b62a27a080f2360bfeb56131458d76678

SHA512
8cbb09bc0b780a5ffeb7e54d3067fcd037d1719e065ef9e4c57b48ec75a07e397328302efe27ae11f3982f0456a1bf6639ea33808c0303843a95fa48e9317f8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
644da0a0b789c8c0f5a1d4fc76c0f449

SHA1
1efcc4a3c3b2e2db6c2980b0b9faac6544a4c36d

SHA256
5e42df6374b7e46fd9a5f1962743152496e2f17c0b49220dd6a932627c65619b

SHA512
2f05945dafe5895f7a9830a18a0bc30c4b2b23f60777b73b6ff88df55c151a3f2e05a3ccf5be026173921e38aa0027c992689ed641ad075ea35e68ec3d5a3847

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
769d9aa6141a5bfb866d249b7595c5fa

SHA1
9b80962a14d552903bba7ee2ade0fd0a35ccd01b

SHA256
c45d9eb1294732ac7917c0c55b07946f1c436ea43e8a0d35e3c06c72fe1b29c3

SHA512
371afe48e723f1d65c1bfa3cc86792a8e15dacfab5074724a598a203e589fa04411ea3bafe60991f9a4e6f44b539ce2419ff042beffe7240e0e84ffb7e5311ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
5b2782705bf62234c485f67e96f613cd

SHA1
58e6f59620b0d876c5feb0e1f8a63574fc092f32

SHA256
cd078e89e879a5dda501f83826e2eaca12e5a110b07096b702a916cd51ebcc9b

SHA512
131fcfb7eceeffd96d5904a8e7bbe2ab61dd130ed35844d2fefb45ba33e2ddb37b1762622a569cfbdd643585a01a58594cb8c81b7b53b3803fc755f9555156d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
f3838004f28f91aa70f94c65a55ba177

SHA1
d420848ce87c393f5d63a6028109760b7cf559d9

SHA256
03290b955ae72e38920465be45b19b2bcf058f7a03f224ff8ca0c30ac2dc6a66

SHA512
a65062c1ce72c86ce2ac1944ca141d029d9514086b7a5df3e7fa8586c8a223daf10177351f3b818b1565d1edf468dfadc537feb7bbbfc9838cfaf7f89d929bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
54d229d2f74a6b6230e06abbe91a0137

SHA1
ac32c20e0cab2b756b8de4091fc64ff5b335a776

SHA256
82d273134794557b5df02f603609399f5046bfdd4bd91c3b33f2efe35f46d34b

SHA512
683677f6cd884ccb9cfb98126f3f5061a26b165cc80d8677f981dc15f27da7ac8f68235322abdbc7fcac1418c1d2cd5defeeda257eb099512e7b768a029c0860

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
be72edf11d458fd6ae3c9e3220840493

SHA1
b3c72f333a1480da73c9906fd02a5fad6e06755a

SHA256
198b44a56452732975795f2d992e18fbfb6a1e883a08bfd45adbfa8fbec19026

SHA512
48832569c22994a546cd15d7324f47c926fafc0d682cd03ca92c7c5a2c24cd96a146398505e882f1797506008bcf384e95ac3b9d742e326fc372ba260186352b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
bfc080cf454d4764c91c3699f9663cec

SHA1
11c6fa1088d5ab8eb7243748ad9757727901822e

SHA256
2621b1355b6fa3cfcadc468584522a485b8c99256c374b6d08a70292da9acde9

SHA512
332dbbe651871faf5ecd2e445d37fa0e9b0253e4bcedfeb42d0946695610656e554e985186a52e630b995100bad76acc2471f53b94269d0d3b72c8fa39ff99a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
1b309ab8bd857c8a797ca18a62215a5c

SHA1
e4d3af81aa7194ccbb0b051c7e25e1682aa1cfbf

SHA256
ee2ba46e544e09f9c05b1af1a9960a87a14e4776d8c9e4b36b47eb7b6ca8298d

SHA512
631e401f2729470251e89af15f9829509005629b215243672d7dcf55443bfa57749247925768d9debb295106dad87604f94d958ed647e2beaf4f7b05cf64c9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk

Filesize
1KB

MD5
6c6a702f6c8dad49d93197cf1a65504f

SHA1
481abef0eaa63d20452a1b2e8ad808a74790d373

SHA256
986a446e0f674d309c04aec1994ec667276e41690efb953699f25829dde603c9

SHA512
ec57874c344fa3c488411134d1536c0c2d7033de6cb8dd510f22c66eac83125e80d8b5498f9a9040845c4ae918a554ce61428fdfb6e83349a96a864c9d633c92

Download Submit
memory/2516-32-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-37-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-49-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-51-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-53-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-52-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-50-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-48-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-47-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-46-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-35-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-34-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-24-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-43-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-42-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-41-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-40-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-39-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-38-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-44-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-36-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-45-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-71-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-54-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-23-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2516-33-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/2516-31-0x00000000026E0000-0x0000000002AFE000-memory.dmp

Filesize
4.1MB

Download
memory/3204-7-0x00007FF757410000-0x00007FF75782E000-memory.dmp

Filesize
4.1MB

Download
memory/3204-0-0x00007FF757410000-0x00007FF75782E000-memory.dmp

Filesize
4.1MB

Download
memory/3204-1-0x00007FFAC0C10000-0x00007FFAC0C12000-memory.dmp

Filesize
8KB

Download
memory/4276-96-0x000002191B5C0000-0x000002191B9DE000-memory.dmp

Filesize
4.1MB

Download
memory/4612-66-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

Filesize
2.0MB

Download
memory/4612-19-0x00000244A0B20000-0x00000244A0B42000-memory.dmp

Filesize
136KB

Download
memory/4612-17-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

Filesize
2.0MB

Download
memory/4612-11-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

Filesize
2.0MB

Download
memory/4612-10-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

Filesize
2.0MB

Download
memory/5112-165-0x00007FF639260000-0x00007FF63967E000-memory.dmp

Filesize
4.1MB

Download
memory/5112-9-0x00007FF639260000-0x00007FF63967E000-memory.dmp

Filesize
4.1MB

Download
memory/5112-8-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

Filesize
2.0MB

Download
memory/5112-164-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

Filesize
2.0MB

Download