wannacry | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6

General

Target

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
Size

5.4MB
MD5

a755f76611af191caac97da04633b012
SHA1

ee2fba5a45e09e560c67f5107f76cf6e9a36ab53
SHA256

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6
SHA512

b53fee6fb2b1013989e963b67f11924b8498e198b779fcfb49dc2154ca1a61c89f5abb32b91ed1052052a9c40f7ee1c2c58abf6ee1877b712d7b5899f2d97840

Score

10^/10

wannacry discovery evasion persistence ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

CPUInfo.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CPUInfo.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts cmd.exe
Executes dropped EXE 1 IoCs

Processes:

CPUInfo.exe

pid process

4592 CPUInfo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CPUInfo.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Sets file execution options in registry 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe\debugger = "taskkill.exe"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe\debugger = "taskkill.exe"	reg.exe

Sets file to hidden 1 TTPs 13 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
4016	attrib.exe
3784	attrib.exe
1056	attrib.exe
4840	attrib.exe
2800	attrib.exe
3464	attrib.exe
4456	attrib.exe
2756	attrib.exe
1052	attrib.exe
3992	attrib.exe
4356	attrib.exe
4920	attrib.exe
5032	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2964-132-0x0000000000400000-0x0000000000A2E000-memory.dmp	upx
behavioral2/memory/2964-153-0x0000000000400000-0x0000000000A2E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exe

pid process

1860 takeown.exe
240 takeown.exe
1448 takeown.exe

pid	process
1860	takeown.exe
240	takeown.exe
1448	takeown.exe

Drops file in System32 directory 18 IoCs

Processes:

CPUInfo.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	CPUInfo.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ips138[1].htm	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\WUDHostServices.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_F2379ADA3CBEBD919394FF2BE001D546	CPUInfo.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\G8L4QUQX.txt	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_F2379ADA3CBEBD919394FF2BE001D546	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D56B4E335E80143B4541C1723368A393_DB64D7F70B0B0BA362A66F89CB02358F	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D56B4E335E80143B4541C1723368A393_DB64D7F70B0B0BA362A66F89CB02358F	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	CPUInfo.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ips138[1].asp	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	CPUInfo.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

CPUInfo.exe

pid process

4592 CPUInfo.exe
Drops file in Program Files directory 2 IoCs

Processes:

attrib.exeattrib.exe

description ioc process

File opened for modification C:\program files (x86)\stormii attrib.exe
File opened for modification C:\Progra~1\dll attrib.exe

description	ioc	process
File opened for modification	C:\program files (x86)\stormii	attrib.exe
File opened for modification	C:\Progra~1\dll	attrib.exe

Drops file in Windows directory 64 IoCs

Processes:

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exeCPUInfo.exeattrib.exeattrib.exe

description	ioc	process
File created	\??\c:\windows\demc.bat	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	\??\c:\windows\demo.bat	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\adfw.dll	CPUInfo.exe
File created	C:\windows\IIS\exma-1.dll	CPUInfo.exe
File created	C:\windows\IIS\adfw-2.dll	CPUInfo.exe
File created	C:\windows\IIS\cnli-1.dll	CPUInfo.exe
File created	C:\windows\IIS\exma.dll	CPUInfo.exe
File created	C:\windows\IIS\Eternalchampion-2.0.0.xml	CPUInfo.exe
File created	C:\windows\IIS\Esteemaudit-2.1.0.exe	CPUInfo.exe
File created	C:\windows\IIS\ssleay32.dll	CPUInfo.exe
File created	C:\windows\IIS\esco-0.dll	CPUInfo.exe
File created	C:\windows\IIS\riar-2.dll	CPUInfo.exe
File created	C:\windows\IIS\trfo-0.dll	CPUInfo.exe
File opened for modification	C:\windows\IIS\x64.dll	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\trfo-2.dll	CPUInfo.exe
File created	C:\windows\IIS\x86.dll	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File opened for modification	C:\Windows\srvany.exe	attrib.exe
File created	C:\windows\IIS\x86.dll	CPUInfo.exe
File created	C:\windows\IIS\Eternalblue-2.2.0.fb	CPUInfo.exe
File created	C:\windows\IIS\posh.dll	CPUInfo.exe
File created	C:\windows\IIS\trfo.dll	CPUInfo.exe
File created	C:\windows\IIS\2.txt	CPUInfo.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe
File created	C:\windows\IIS\crli-0.dll	CPUInfo.exe
File created	C:\windows\IIS\dmgd-4.dll	CPUInfo.exe
File created	C:\windows\IIS\etebCore-2.x64.dll	CPUInfo.exe
File created	C:\windows\IIS\etebCore-2.x86.dll	CPUInfo.exe
File created	C:\windows\IIS\tibe-1.dll	CPUInfo.exe
File created	C:\windows\IIS\x64.dll	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\Esteemaudittouch-2.1.0.fb	CPUInfo.exe
File created	C:\windows\IIS\Eternalchampion-2.0.0.fb	CPUInfo.exe
File created	C:\windows\IIS\pcre-0.dll	CPUInfo.exe
File created	C:\windows\IIS\pcreposix-0.dll	CPUInfo.exe
File created	C:\windows\IIS\tucl.dll	CPUInfo.exe
File created	C:\windows\IIS\zibe.dll	CPUInfo.exe
File created	C:\windows\IIS\free.bat	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\Doublepulsar-1.3.1.exe	CPUInfo.exe
File created	C:\windows\IIS\dmgd-1.dll	CPUInfo.exe
File created	C:\windows\IIS\etch-0.dll	CPUInfo.exe
File created	C:\windows\IIS\libxml2.dll	CPUInfo.exe
File created	C:\windows\IIS\posh-0.dll	CPUInfo.exe
File created	C:\windows\IIS\riar.dll	CPUInfo.exe
File created	C:\windows\IIS\CPUInfo.exe	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\Doublepulsar-1.3.1.xml	CPUInfo.exe
File created	C:\windows\IIS\Eternalblue-2.2.0.xml	CPUInfo.exe
File created	C:\windows\IIS\etchCore-0.x64.dll	CPUInfo.exe
File created	C:\windows\IIS\libcurl.dll	CPUInfo.exe
File created	C:\windows\IIS\libeay32.dll	CPUInfo.exe
File created	C:\windows\IIS\zlib1.dll	CPUInfo.exe
File created	C:\windows\IIS\Esteemaudittouch-2.1.0.exe	CPUInfo.exe
File created	C:\windows\IIS\Eternalchampion-2.0.0.exe	CPUInfo.exe
File created	C:\windows\IIS\etchCore-0.x86.dll	CPUInfo.exe
File created	C:\windows\IIS\tibe.dll	CPUInfo.exe
File created	C:\windows\IIS\tibe-2.dll	CPUInfo.exe
File created	C:\windows\IIS\xdvl-0.dll	CPUInfo.exe
File created	C:\windows\IIS\s.exe	CPUInfo.exe
File created	C:\windows\IIS\coli-0.dll	CPUInfo.exe
File created	C:\windows\IIS\eteb-2.dll	CPUInfo.exe
File created	C:\windows\IIS\pcla-0.dll	CPUInfo.exe
File created	C:\windows\IIS\pcrecpp-0.dll	CPUInfo.exe
File opened for modification	C:\windows\IIS\x86.dll	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\Esteemaudittouch-2.1.0.xml	CPUInfo.exe
File created	C:\windows\IIS\cnli-0.dll	CPUInfo.exe
File created	C:\windows\IIS\trch.dll	CPUInfo.exe

Launches sc.exe 25 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4304	sc.exe
3984	sc.exe
1636	sc.exe
5068	sc.exe
3140	sc.exe
4020	sc.exe
3576	sc.exe
3124	sc.exe
384	sc.exe
4852	sc.exe
4932	sc.exe
1532	sc.exe
1412	sc.exe
444	sc.exe
1300	sc.exe
3928	sc.exe
4444	sc.exe
916	sc.exe
2760	sc.exe
1644	sc.exe
1992	sc.exe
3288	sc.exe
2668	sc.exe
4608	sc.exe
420	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4864 schtasks.exe
4748 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

648 ipconfig.exe

pid	process
4864	schtasks.exe
4748	schtasks.exe

pid	process
648	ipconfig.exe

Kills process with WMI 12 IoCs

evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	process
3316	WMIC.exe
4340	WMIC.exe
2980	WMIC.exe
240	WMIC.exe
1320	WMIC.exe
2756	WMIC.exe
2412	WMIC.exe
2088	WMIC.exe
752	WMIC.exe
1404	WMIC.exe
2044	WMIC.exe
3056	WMIC.exe

Kills process with taskkill 42 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4876	taskkill.exe
1956	taskkill.exe
3320	taskkill.exe
5068	taskkill.exe
2764	taskkill.exe
3104	taskkill.exe
4272	taskkill.exe
4944	taskkill.exe
3532	taskkill.exe
4204	taskkill.exe
2312	taskkill.exe
2644	taskkill.exe
1456	taskkill.exe
3352	taskkill.exe
4476	taskkill.exe
3780	taskkill.exe
2676	taskkill.exe
3852	taskkill.exe
1944	taskkill.exe
1836	taskkill.exe
2864	taskkill.exe
3112	taskkill.exe
1548	taskkill.exe
4428	taskkill.exe
3360	taskkill.exe
3128	taskkill.exe
1936	taskkill.exe
1332	taskkill.exe
2744	taskkill.exe
2308	taskkill.exe
2660	taskkill.exe
876	taskkill.exe
2236	taskkill.exe
4500	taskkill.exe
4148	taskkill.exe
5080	taskkill.exe
824	taskkill.exe
432	taskkill.exe
4036	taskkill.exe
4532	taskkill.exe
2100	taskkill.exe
1260	taskkill.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

CPUInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	CPUInfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	CPUInfo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	CPUInfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	CPUInfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	CPUInfo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	CPUInfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	CPUInfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	CPUInfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	CPUInfo.exe

Modifies registry class 1 IoCs

Processes:

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3112 PING.EXE
1336 PING.EXE

pid	process
3112	PING.EXE
1336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CPUInfo.exe

pid	process
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe
4592	CPUInfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2412	WMIC.exe
Token: SeSecurityPrivilege	2412	WMIC.exe
Token: SeTakeOwnershipPrivilege	2412	WMIC.exe
Token: SeLoadDriverPrivilege	2412	WMIC.exe
Token: SeSystemProfilePrivilege	2412	WMIC.exe
Token: SeSystemtimePrivilege	2412	WMIC.exe
Token: SeProfSingleProcessPrivilege	2412	WMIC.exe
Token: SeIncBasePriorityPrivilege	2412	WMIC.exe
Token: SeCreatePagefilePrivilege	2412	WMIC.exe
Token: SeBackupPrivilege	2412	WMIC.exe
Token: SeRestorePrivilege	2412	WMIC.exe
Token: SeShutdownPrivilege	2412	WMIC.exe
Token: SeDebugPrivilege	2412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2412	WMIC.exe
Token: SeRemoteShutdownPrivilege	2412	WMIC.exe
Token: SeUndockPrivilege	2412	WMIC.exe
Token: SeManageVolumePrivilege	2412	WMIC.exe
Token: 33	2412	WMIC.exe
Token: 34	2412	WMIC.exe
Token: 35	2412	WMIC.exe
Token: 36	2412	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2412	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exeCPUInfo.exe

pid	process
2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
4592	CPUInfo.exe
4592	CPUInfo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.execmd.execmd.exe

description	pid	process	target process
PID 2964 wrote to memory of 3428	2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 2964 wrote to memory of 3428	2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 2964 wrote to memory of 3428	2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 2964 wrote to memory of 3316	2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 2964 wrote to memory of 3316	2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 2964 wrote to memory of 3316	2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 3316 wrote to memory of 3928	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 3928	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 3928	3316	cmd.exe	sc.exe
PID 3428 wrote to memory of 2756	3428	cmd.exe	WMIC.exe
PID 3428 wrote to memory of 2756	3428	cmd.exe	WMIC.exe
PID 3428 wrote to memory of 2756	3428	cmd.exe	WMIC.exe
PID 3316 wrote to memory of 5068	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 5068	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 5068	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 4376	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 4376	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 4376	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 3120	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 3120	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 3120	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 4864	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 4864	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 4864	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 4748	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 4748	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 4748	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 3992	3316	cmd.exe	attrib.exe
PID 3316 wrote to memory of 3992	3316	cmd.exe	attrib.exe
PID 3316 wrote to memory of 3992	3316	cmd.exe	attrib.exe
PID 3316 wrote to memory of 4356	3316	cmd.exe	attrib.exe
PID 3316 wrote to memory of 4356	3316	cmd.exe	attrib.exe
PID 3316 wrote to memory of 4356	3316	cmd.exe	attrib.exe
PID 3428 wrote to memory of 4480	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 4480	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 4480	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 3328	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 3328	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 3328	3428	cmd.exe	cacls.exe
PID 3316 wrote to memory of 2084	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 2084	3316	cmd.exe	schtasks.exe
PID 3316 wrote to memory of 2084	3316	cmd.exe	schtasks.exe
PID 3428 wrote to memory of 4920	3428	cmd.exe	attrib.exe
PID 3428 wrote to memory of 4920	3428	cmd.exe	attrib.exe
PID 3428 wrote to memory of 4920	3428	cmd.exe	attrib.exe
PID 3428 wrote to memory of 1060	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 1060	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 1060	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 1132	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 1132	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 1132	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 2412	3428	cmd.exe	WMIC.exe
PID 3428 wrote to memory of 2412	3428	cmd.exe	WMIC.exe
PID 3428 wrote to memory of 2412	3428	cmd.exe	WMIC.exe
PID 2964 wrote to memory of 1468	2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	WScript.exe
PID 2964 wrote to memory of 1468	2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	WScript.exe
PID 2964 wrote to memory of 1468	2964	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	WScript.exe
PID 3428 wrote to memory of 3140	3428	cmd.exe	sc.exe
PID 3428 wrote to memory of 3140	3428	cmd.exe	sc.exe
PID 3428 wrote to memory of 3140	3428	cmd.exe	sc.exe
PID 3428 wrote to memory of 4204	3428	cmd.exe	taskkill.exe
PID 3428 wrote to memory of 4204	3428	cmd.exe	taskkill.exe
PID 3428 wrote to memory of 4204	3428	cmd.exe	taskkill.exe
PID 3428 wrote to memory of 240	3428	cmd.exe	takeown.exe

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
3992	attrib.exe
4920	attrib.exe
3784	attrib.exe
1056	attrib.exe
2800	attrib.exe
1408	attrib.exe
872	attrib.exe
2756	attrib.exe
1052	attrib.exe
4840	attrib.exe
4356	attrib.exe
4016	attrib.exe
3464	attrib.exe
4456	attrib.exe
5032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
"C:\Users\Admin\AppData\Local\Temp\483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\demc.bat
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4480

C:\Windows\SysWOW64\cacls.exe
cacls "C:\program files (x86)\stormii\server.exe" /d everyone
3⤵
PID:3328

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a "C:\program files (x86)\stormii"
3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1060

C:\Windows\SysWOW64\cacls.exe
cacls "C:\program files (x86)\stormii" /d everyone
3⤵
PID:1132

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\SysWOW64\sc.exe
sc delete SuperProServerST
3⤵
- Launches sc.exe
PID:3140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im ftp.exe
3⤵
- Kills process with taskkill
PID:4204

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\ftp.exe /a
3⤵
- Modifies file permissions
PID:240

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\ftp.exe /a
3⤵
- Modifies file permissions
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3952

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\ftp.exe /g users:f
3⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3696

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /g users:f
3⤵
PID:3236

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\SysWOW64\ftp.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3784

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\System32\ftp.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4392

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /d everyone
3⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5072

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\ftp.exe /d everyone
3⤵
PID:1536

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\Drivers\etc\hosts /a
3⤵
- Modifies file permissions
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1660

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
3⤵
PID:4016

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
3⤵
- Views/modifies file attributes
PID:1408

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1056

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:648

C:\Windows\SysWOW64\attrib.exe
attrib -h -r -s -a C:\ProgramData
3⤵
- Views/modifies file attributes
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im CPUInfo.exe
3⤵
- Kills process with taskkill
PID:3360

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im up.exe
3⤵
- Kills process with taskkill
PID:3352

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im block.exe
3⤵
- Kills process with taskkill
PID:3128

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im cpu.exe
3⤵
- Kills process with taskkill
PID:2764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im svshostr.exe
3⤵
- Kills process with taskkill
PID:1936

C:\Windows\SysWOW64\sc.exe
sc stop xtfya
3⤵
- Launches sc.exe
PID:4020

C:\Windows\SysWOW64\sc.exe
sc delete xtfya
3⤵
- Launches sc.exe
PID:2668

C:\Windows\SysWOW64\sc.exe
sc stop "Network Support"
3⤵
- Launches sc.exe
PID:4444

C:\Windows\SysWOW64\sc.exe
sc delete "Network Support"
3⤵
- Launches sc.exe
PID:916

C:\Windows\SysWOW64\sc.exe
sc stop "HomeGroup Support"
3⤵
- Launches sc.exe
PID:3124

C:\Windows\SysWOW64\sc.exe
sc delete "HomeGroup Support"
3⤵
- Launches sc.exe
PID:4932

C:\Windows\SysWOW64\sc.exe
sc stop xtfy
3⤵
- Launches sc.exe
PID:4304

C:\Windows\SysWOW64\sc.exe
sc delete xtfy
3⤵
- Launches sc.exe
PID:4608

C:\Windows\SysWOW64\sc.exe
sc stop Natioanl
3⤵
- Launches sc.exe
PID:420

C:\Windows\SysWOW64\sc.exe
sc delete Natioanl
3⤵
- Launches sc.exe
PID:1532

C:\Windows\SysWOW64\sc.exe
sc stop Natihial
3⤵
- Launches sc.exe
PID:1644

C:\Windows\SysWOW64\sc.exe
sc delete Natihial
3⤵
- Launches sc.exe
PID:384

C:\Windows\SysWOW64\sc.exe
sc stop "Interactive Services Detection Report"
3⤵
- Launches sc.exe
PID:1412

C:\Windows\SysWOW64\sc.exe
sc delete "Interactive Services Detection Report"
3⤵
- Launches sc.exe
PID:1992

C:\Windows\SysWOW64\sc.exe
sc stop "mssecsvc2.0"
3⤵
- Launches sc.exe
PID:3984

C:\Windows\SysWOW64\sc.exe
sc delete "mssecsvc2.0"
3⤵
- Launches sc.exe
PID:4852

C:\Windows\SysWOW64\sc.exe
sc stop "mssecsvc2.1"
3⤵
- Launches sc.exe
PID:444

C:\Windows\SysWOW64\sc.exe
sc delete "mssecsvc2.1"
3⤵
- Launches sc.exe
PID:1300

C:\Windows\SysWOW64\sc.exe
sc stop ServiceMais
3⤵
- Launches sc.exe
PID:3288

C:\Windows\SysWOW64\sc.exe
sc delete ServiceMais
3⤵
- Launches sc.exe
PID:1636

C:\Windows\SysWOW64\sc.exe
sc stop ServiceMaims
3⤵
- Launches sc.exe
PID:2760

C:\Windows\SysWOW64\sc.exe
sc delete ServiceMaims
3⤵
- Launches sc.exe
PID:3576

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\ProgramData\dll
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2200

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\dll /d everyone
3⤵
PID:3956

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Progra~1\dll
3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2184

C:\Windows\SysWOW64\cacls.exe
cacls C:\Progra~1\dll /d everyone
3⤵
PID:2796

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r c:\wax.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3992

C:\Windows\SysWOW64\cacls.exe
cacls c:\wax.exe /d everyone
3⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:600

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Natihial\svshostr.exe /d everyone
3⤵
PID:1188

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone
3⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4508

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\expl0rer.exe /d everyone
3⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1500

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\svchost.exe /d everyone
3⤵
PID:4920

C:\Windows\SysWOW64\Wbem\WMIC.exe
Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate
3⤵
- Kills process with WMI
PID:3316

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updaters" /f
3⤵
PID:4084

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4340

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2088

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:752

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2980

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate
3⤵
- Kills process with WMI
PID:1404

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate
3⤵
- Kills process with WMI
PID:240

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:1784

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im tasksche.exe
3⤵
- Kills process with taskkill
PID:3780

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\tasksche.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3652

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\tasksche.exe /d everyone
3⤵
PID:3240

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im srvany.exe
3⤵
- Kills process with taskkill
PID:4148

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\srvany.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1536

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\srvany.exe /d everyone
3⤵
PID:2432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im WUDHostServices.exe
3⤵
- Kills process with taskkill
PID:2676

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\System32\WUDHostServices.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1212

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WUDHostServices.exe /d everyone
3⤵
PID:1408

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wbmoney.exe
3⤵
- Kills process with taskkill
PID:2660

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im GGtbviewer.exe
3⤵
- Kills process with taskkill
PID:5080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Netohad.pif
3⤵
- Kills process with taskkill
PID:3112

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Qrhkveb.com
3⤵
- Kills process with taskkill
PID:824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Tnntknl.com
3⤵
- Kills process with taskkill
PID:432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Snwhtdw.bat
3⤵
- Kills process with taskkill
PID:4036

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im dllhsot.exe
3⤵
- Kills process with taskkill
PID:3852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Tasksvr.exe
3⤵
- Kills process with taskkill
PID:1944

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im serices.exe
3⤵
- Kills process with taskkill
PID:2644

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im seever.exe
3⤵
- Kills process with taskkill
PID:876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im mssecsvc.exe
3⤵
- Kills process with taskkill
PID:1456

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im svchsot.exe
3⤵
- Kills process with taskkill
PID:1548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im lsacs.exe
3⤵
- Kills process with taskkill
PID:4532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im nsa.exe
3⤵
- Kills process with taskkill
PID:4428

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im csrs.exe
3⤵
- Kills process with taskkill
PID:1836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WerFault.exe
3⤵
- Kills process with taskkill
PID:2864

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WScript.exe
3⤵
- Kills process with taskkill
PID:3320

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im NV-NO.exe
3⤵
- Kills process with taskkill
PID:2100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im NV.exe
3⤵
- Kills process with taskkill
PID:2744

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Eternalblue-2.2.0.exe
3⤵
- Kills process with taskkill
PID:4944

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Eternalchampion-2.0.0.exe
3⤵
- Kills process with taskkill
PID:2236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Doublepulsar-1.3.1.exe
3⤵
- Kills process with taskkill
PID:1260

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\system\\explorer.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2044

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\Fonts\\explorer.exe'" call Terminate
3⤵
- Kills process with WMI
PID:3056

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1320

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe" /f
3⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /f
3⤵
- Sets file execution options in registry
PID:2400

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundllhost.exe" /f
3⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe" /f
3⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe" /f
3⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:556

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:208

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im lservice.exe
3⤵
- Kills process with taskkill
PID:3532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im ystmss.exe
3⤵
- Kills process with taskkill
PID:5068

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im wuauc1t.exe
3⤵
- Kills process with taskkill
PID:4500

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\demo.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
3⤵
- Launches sc.exe
PID:3928

C:\Windows\SysWOW64\sc.exe
sc start Schedule
3⤵
- Launches sc.exe
PID:5068

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn RavTask /f
3⤵
PID:4376

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn GooglePinginConfigs /f
3⤵
PID:3120

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 240 /tn "RavTask" /tr "C:\windows\IIS\free.bat" /ru "system" /f
3⤵
- Creates scheduled task(s)
PID:4864

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "GooglePinginConfigs" /tr "C:\windows\IIS\CPUInfo.exe" /sc onstart /ru "system" /f
3⤵
- Creates scheduled task(s)
PID:4748

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\RavTask.job
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3992

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\GooglePinginConfigs.job
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4356

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /tn "RavTask"
3⤵
PID:2084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
PID:1468

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\windows\IIS\free.bat"
1⤵
PID:3808

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
2⤵
- Runs ping.exe
PID:3112

C:\Windows\system32\taskkill.exe
taskkill /f /t /im NV-NO.exe
2⤵
- Kills process with taskkill
PID:2308

C:\Windows\system32\taskkill.exe
taskkill /f /t /im NV.exe
2⤵
- Kills process with taskkill
PID:4476

C:\Windows\system32\taskkill.exe
taskkill /f /t /im Eternalblue-2.2.0.exe
2⤵
- Kills process with taskkill
PID:4876

C:\Windows\system32\taskkill.exe
taskkill /f /t /im Eternalchampion-2.0.0.exe
2⤵
- Kills process with taskkill
PID:1332

C:\Windows\system32\taskkill.exe
taskkill /f /t /im Doublepulsar-1.3.1.exe
2⤵
- Kills process with taskkill
PID:3104

C:\Windows\system32\taskkill.exe
taskkill /f /im mysqld.exe
2⤵
- Kills process with taskkill
PID:4272

C:\Windows\system32\taskkill.exe
taskkill /f /im CPUInfo.exe
2⤵
- Kills process with taskkill
PID:1956

C:\Windows\system32\taskkill.exe
taskkill /f /im jvav.exe
2⤵
- Kills process with taskkill
PID:2312

C:\Windows\system32\PING.EXE
ping -n 5 127.0.0.1
2⤵
- Runs ping.exe
PID:1336

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GooglePinginConfigs"
2⤵
PID:3188

C:\windows\IIS\CPUInfo.exe
C:\windows\IIS\CPUInfo.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

2

T1158

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Hidden Files and Directories

2

T1158

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
275B

MD5
ef1c7052536cd8a4ed2912e520c2a730

SHA1
372c30cd30ec0ba499ed497453295bb84e89b86b

SHA256
060183c7d23452e3f89d914049218eae7e84ce725e10d315638dc644a23873fc

SHA512
7bdc914f8e002fc6141cdab3b4619a54735555ccb8fd508a57d341bfe2967f159b464b35954a120fdd38b6e9422663511964367fbfea07994f2653d9b9f85fae

Download Submit
C:\Windows\IIS\CPUInfo.exe
Filesize
5.3MB

MD5
1065f9b7c189f4a22d7f11626f16b976

SHA1
562ea85b1d91f08448b2885d8346231f311d656f

SHA256
3889f6902bcbcb7cc477c599b3fec4864ffe0ce6c34a6079473232d5bf5c1de0

SHA512
bd112a5741087ba50dcfb201b39a23202030107bd069067f20e38a5706492fb134a00b117952e29479b42da2a04a498ce5df06187c34e065cea94538bed60c41

Download Submit
C:\windows\IIS\CPUInfo.exe
Filesize
5.3MB

MD5
1065f9b7c189f4a22d7f11626f16b976

SHA1
562ea85b1d91f08448b2885d8346231f311d656f

SHA256
3889f6902bcbcb7cc477c599b3fec4864ffe0ce6c34a6079473232d5bf5c1de0

SHA512
bd112a5741087ba50dcfb201b39a23202030107bd069067f20e38a5706492fb134a00b117952e29479b42da2a04a498ce5df06187c34e065cea94538bed60c41

Download Submit
C:\windows\IIS\free.bat
Filesize
379B

MD5
857fc3145d5aee4399bf6c9fd9dc8245

SHA1
18c27ecbebc5a3095e95690f2399c7b5e92e40fd

SHA256
2401f4b6f34644668ee50911fb7e9d51c82b65776eea940f0e8e16ff9ec9d68e

SHA512
289da4490f7623cca94adb6f19006dfa5628a1080ac963199e05fdca65a1f2d7db888f5aa63ee264c5c6c781cb802e8a8d07cec14c8ab4cf7be2ad07516caf35

Download Submit
\??\c:\windows\demc.bat
Filesize
7KB

MD5
a17bd95441d3fa37660e87842dc896aa

SHA1
83951f95e5739593ac0a2d71b56075509298e542

SHA256
3457579ecd591d2905e833be4aa7215e0302623447c1072bb55586c4a0284203

SHA512
bd7cb5dbc9f11ace523bc89486b8d097f6c092a9f09b1dc847d7b4854db7f42a292aef20bd4d3d89a743f67607ebb0156327644def83fd5ea30c239297e53b1f

Download Submit
\??\c:\windows\demo.bat
Filesize
511B

MD5
11275993a1a8f44371ab48820422b273

SHA1
01a96b635ffea21d3d7ac6c4694ce1da25bcbb33

SHA256
59f0d74e831cbd6b08b14e7c4efbe383b0ea8b7463fda81c35acee799c983e6e

SHA512
db1df17de51e48d18cfc145983b1d9851e94f9fc908e99d5534516b81677e1e8c353d438422b45fd9702b85e0d9103297a86313b6bdc654703f01f23f4aab74c

Download Submit
memory/240-157-0x0000000000000000-mapping.dmp

Download
memory/420-198-0x0000000000000000-mapping.dmp

Download
memory/648-175-0x0000000000000000-mapping.dmp

Download
memory/872-177-0x0000000000000000-mapping.dmp

Download
memory/916-190-0x0000000000000000-mapping.dmp

Download
memory/1056-174-0x0000000000000000-mapping.dmp

Download
memory/1060-148-0x0000000000000000-mapping.dmp

Download
memory/1132-149-0x0000000000000000-mapping.dmp

Download
memory/1316-167-0x0000000000000000-mapping.dmp

Download
memory/1332-185-0x0000000000000000-mapping.dmp

Download
memory/1408-173-0x0000000000000000-mapping.dmp

Download
memory/1448-159-0x0000000000000000-mapping.dmp

Download
memory/1468-151-0x0000000000000000-mapping.dmp

Download
memory/1532-199-0x0000000000000000-mapping.dmp

Download
memory/1536-169-0x0000000000000000-mapping.dmp

Download
memory/1660-171-0x0000000000000000-mapping.dmp

Download
memory/1860-170-0x0000000000000000-mapping.dmp

Download
memory/1936-184-0x0000000000000000-mapping.dmp

Download
memory/1956-194-0x0000000000000000-mapping.dmp

Download
memory/2084-146-0x0000000000000000-mapping.dmp

Download
memory/2308-176-0x0000000000000000-mapping.dmp

Download
memory/2312-197-0x0000000000000000-mapping.dmp

Download
memory/2412-150-0x0000000000000000-mapping.dmp

Download
memory/2668-188-0x0000000000000000-mapping.dmp

Download
memory/2756-136-0x0000000000000000-mapping.dmp

Download
memory/2764-182-0x0000000000000000-mapping.dmp

Download
memory/2800-165-0x0000000000000000-mapping.dmp

Download
memory/2844-161-0x0000000000000000-mapping.dmp

Download
memory/2964-153-0x0000000000400000-0x0000000000A2E000-memory.dmp

Filesize
6.2MB

Download
memory/2964-132-0x0000000000400000-0x0000000000A2E000-memory.dmp

Filesize
6.2MB

Download
memory/3104-186-0x0000000000000000-mapping.dmp

Download
memory/3112-158-0x0000000000000000-mapping.dmp

Download
memory/3120-139-0x0000000000000000-mapping.dmp

Download
memory/3124-192-0x0000000000000000-mapping.dmp

Download
memory/3128-180-0x0000000000000000-mapping.dmp

Download
memory/3140-152-0x0000000000000000-mapping.dmp

Download
memory/3236-163-0x0000000000000000-mapping.dmp

Download
memory/3316-131-0x0000000000000000-mapping.dmp

Download
memory/3328-145-0x0000000000000000-mapping.dmp

Download
memory/3352-179-0x0000000000000000-mapping.dmp

Download
memory/3360-178-0x0000000000000000-mapping.dmp

Download
memory/3428-130-0x0000000000000000-mapping.dmp

Download
memory/3696-162-0x0000000000000000-mapping.dmp

Download
memory/3784-164-0x0000000000000000-mapping.dmp

Download
memory/3928-135-0x0000000000000000-mapping.dmp

Download
memory/3952-160-0x0000000000000000-mapping.dmp

Download
memory/3992-142-0x0000000000000000-mapping.dmp

Download
memory/4016-172-0x0000000000000000-mapping.dmp

Download
memory/4020-187-0x0000000000000000-mapping.dmp

Download
memory/4204-155-0x0000000000000000-mapping.dmp

Download
memory/4272-191-0x0000000000000000-mapping.dmp

Download
memory/4304-195-0x0000000000000000-mapping.dmp

Download
memory/4356-143-0x0000000000000000-mapping.dmp

Download
memory/4376-138-0x0000000000000000-mapping.dmp

Download
memory/4392-166-0x0000000000000000-mapping.dmp

Download
memory/4444-189-0x0000000000000000-mapping.dmp

Download
memory/4476-181-0x0000000000000000-mapping.dmp

Download
memory/4480-144-0x0000000000000000-mapping.dmp

Download
memory/4592-206-0x00000000771E0000-0x0000000077383000-memory.dmp

Filesize
1.6MB

Download
memory/4592-205-0x0000000000400000-0x0000000000F53000-memory.dmp

Filesize
11.3MB

Download
memory/4592-204-0x0000000000400000-0x0000000000F53000-memory.dmp

Filesize
11.3MB

Download
memory/4592-207-0x0000000000400000-0x0000000000F53000-memory.dmp

Filesize
11.3MB

Download
memory/4592-202-0x0000000000400000-0x0000000000F53000-memory.dmp

Filesize
11.3MB

Download
memory/4592-203-0x00000000771E0000-0x0000000077383000-memory.dmp

Filesize
1.6MB

Download
memory/4608-196-0x0000000000000000-mapping.dmp

Download
memory/4748-141-0x0000000000000000-mapping.dmp

Download
memory/4864-140-0x0000000000000000-mapping.dmp

Download
memory/4876-183-0x0000000000000000-mapping.dmp

Download
memory/4920-147-0x0000000000000000-mapping.dmp

Download
memory/4932-193-0x0000000000000000-mapping.dmp

Download
memory/5068-137-0x0000000000000000-mapping.dmp

Download
memory/5072-168-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads