024e5a2bef86fcfab4c9ee4d540e0468a2281b889e632366a2a0ce788becd27e

Analysis

max time kernel
207s
max time network
250s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

s11111etup-hall.exe
Size

26.0MB
MD5

5d67bb43360716d0c964ce9e7946300e
SHA1

1b00bb81f660f738a9d0c1bdb0caa4e770888999
SHA256

930cd80a6be9bc4be07c14e47f0f3b1cd7718e9cc6f609ef4d527d083fac423a
SHA512

9bd129d2120a1302e874d58c1fd965edb84fa809747bd9fe570934d474308fbfd4654472cf6109b13230ed1a990d154336af347c781429081a11616a2503a290
SSDEEP

393216:G5oeevFjjV3IxQILWalbLSGcuO7ilnrgv0TQT0ntb70cgrgnZP2oFCJKhxbz:QoTdFalb+G3Omlnu0ntjbZP2oFAG

Score

9^/10

discovery exploit upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\{0908A48C-1CCD-467A-A7CA-6EF37AEACE43}\Disk1\ISSetup.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{0908A48C-1CCD-467A-A7CA-6EF37AEACE43}\Disk1\ISSetup.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\isrt.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\isrt.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\_IsRes.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\_IsRes.dll	acprotect

Drops file in Drivers directory 2 IoCs

Processes:

qp.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\drivers\Beep.sys qp.exe
File created C:\Windows\SysWOW64\drivers\Beep.sys qp.exe
Executes dropped EXE 4 IoCs

Processes:

qp.exe9.exe22.exeISBEW64.exe

pid process

3952 qp.exe
2236 9.exe
4724 22.exe
4476 ISBEW64.exe
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

5016 icacls.exe
1524 takeown.exe
4524 icacls.exe
4520 takeown.exe
2736 icacls.exe
1380 takeown.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	qp.exe
File created	C:\Windows\SysWOW64\drivers\Beep.sys	qp.exe

pid	process
5016	icacls.exe
1524	takeown.exe
4524	icacls.exe
4520	takeown.exe
2736	icacls.exe
1380	takeown.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\{0908A48C-1CCD-467A-A7CA-6EF37AEACE43}\Disk1\ISSetup.dll	upx
C:\Users\Admin\AppData\Local\Temp\{0908A48C-1CCD-467A-A7CA-6EF37AEACE43}\Disk1\ISSetup.dll	upx
behavioral2/memory/2236-146-0x0000000002820000-0x00000000029B7000-memory.dmp	upx
behavioral2/memory/2236-151-0x0000000002820000-0x00000000029B7000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\isrt.dll	upx
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\isrt.dll	upx
behavioral2/memory/2236-154-0x0000000004EA0000-0x0000000004F2E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\_IsRes.dll	upx
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\_IsRes.dll	upx
behavioral2/memory/2236-162-0x0000000004120000-0x0000000004169000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s11111etup-hall.exeqp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	s11111etup-hall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qp.exe

Loads dropped DLL 10 IoCs

Processes:

9.exe

pid process

2236 9.exe
2236 9.exe
2236 9.exe
2236 9.exe
2236 9.exe
2236 9.exe
2236 9.exe
2236 9.exe
2236 9.exe
2236 9.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

5016 icacls.exe
1524 takeown.exe
4524 icacls.exe
4520 takeown.exe
2736 icacls.exe
1380 takeown.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3652 2060 WerFault.exe IEXPLORE.EXE

pid	process
2236	9.exe
2236	9.exe
2236	9.exe
2236	9.exe
2236	9.exe
2236	9.exe
2236	9.exe
2236	9.exe
2236	9.exe
2236	9.exe

pid	process
5016	icacls.exe
1524	takeown.exe
4524	icacls.exe
4520	takeown.exe
2736	icacls.exe
1380	takeown.exe

pid	pid_target	process	target process
3652	2060	WerFault.exe	IEXPLORE.EXE

Drops file in System32 directory 6 IoCs

Processes:

22.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\123FF5B.tmp	22.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	22.exe
File opened for modification	C:\Windows\SysWOW64\123A09D.tmp	22.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	22.exe
File opened for modification	C:\Windows\SysWOW64\123BBC7.tmp	22.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	22.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

qp.exe

description pid process target process

PID 3952 set thread context of 2060 3952 qp.exe IEXPLORE.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3952 set thread context of 2060	3952	qp.exe	IEXPLORE.EXE

Modifies registry class 24 IoCs

Processes:

9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0\\IsBE.dll"	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0"	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\ = "ISENG64Lib"	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS\ = "0"	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	9.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

qp.exe

pid	process
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe
3952	qp.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

qp.exe22.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	3952	qp.exe
Token: SeDebugPrivilege	4724	22.exe
Token: SeTakeOwnershipPrivilege	4520	takeown.exe
Token: SeTakeOwnershipPrivilege	1380	takeown.exe
Token: SeTakeOwnershipPrivilege	1524	takeown.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

22.exe

pid process

4724 22.exe
4724 22.exe
4724 22.exe
4724 22.exe
4724 22.exe
4724 22.exe
4724 22.exe
4724 22.exe
4724 22.exe
4724 22.exe
4724 22.exe
4724 22.exe

pid	process
4724	22.exe
4724	22.exe
4724	22.exe
4724	22.exe
4724	22.exe
4724	22.exe
4724	22.exe
4724	22.exe
4724	22.exe
4724	22.exe
4724	22.exe
4724	22.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

s11111etup-hall.exeqp.exe22.execmd.execmd.exe9.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 116 wrote to memory of 3952	116	s11111etup-hall.exe	qp.exe
PID 116 wrote to memory of 3952	116	s11111etup-hall.exe	qp.exe
PID 116 wrote to memory of 3952	116	s11111etup-hall.exe	qp.exe
PID 3952 wrote to memory of 2060	3952	qp.exe	IEXPLORE.EXE
PID 3952 wrote to memory of 2060	3952	qp.exe	IEXPLORE.EXE
PID 3952 wrote to memory of 2060	3952	qp.exe	IEXPLORE.EXE
PID 3952 wrote to memory of 2060	3952	qp.exe	IEXPLORE.EXE
PID 3952 wrote to memory of 2060	3952	qp.exe	IEXPLORE.EXE
PID 3952 wrote to memory of 2236	3952	qp.exe	9.exe
PID 3952 wrote to memory of 2236	3952	qp.exe	9.exe
PID 3952 wrote to memory of 2236	3952	qp.exe	9.exe
PID 3952 wrote to memory of 4724	3952	qp.exe	22.exe
PID 3952 wrote to memory of 4724	3952	qp.exe	22.exe
PID 3952 wrote to memory of 4724	3952	qp.exe	22.exe
PID 4724 wrote to memory of 2644	4724	22.exe	cmd.exe
PID 4724 wrote to memory of 2644	4724	22.exe	cmd.exe
PID 4724 wrote to memory of 2644	4724	22.exe	cmd.exe
PID 2644 wrote to memory of 2152	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 2152	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 2152	2644	cmd.exe	cmd.exe
PID 2152 wrote to memory of 4520	2152	cmd.exe	takeown.exe
PID 2152 wrote to memory of 4520	2152	cmd.exe	takeown.exe
PID 2152 wrote to memory of 4520	2152	cmd.exe	takeown.exe
PID 2644 wrote to memory of 2736	2644	cmd.exe	icacls.exe
PID 2644 wrote to memory of 2736	2644	cmd.exe	icacls.exe
PID 2644 wrote to memory of 2736	2644	cmd.exe	icacls.exe
PID 2236 wrote to memory of 4476	2236	9.exe	ISBEW64.exe
PID 2236 wrote to memory of 4476	2236	9.exe	ISBEW64.exe
PID 4724 wrote to memory of 856	4724	22.exe	cmd.exe
PID 4724 wrote to memory of 856	4724	22.exe	cmd.exe
PID 4724 wrote to memory of 856	4724	22.exe	cmd.exe
PID 856 wrote to memory of 1804	856	cmd.exe	cmd.exe
PID 856 wrote to memory of 1804	856	cmd.exe	cmd.exe
PID 856 wrote to memory of 1804	856	cmd.exe	cmd.exe
PID 1804 wrote to memory of 1380	1804	cmd.exe	takeown.exe
PID 1804 wrote to memory of 1380	1804	cmd.exe	takeown.exe
PID 1804 wrote to memory of 1380	1804	cmd.exe	takeown.exe
PID 856 wrote to memory of 5016	856	cmd.exe	icacls.exe
PID 856 wrote to memory of 5016	856	cmd.exe	icacls.exe
PID 856 wrote to memory of 5016	856	cmd.exe	icacls.exe
PID 4724 wrote to memory of 4080	4724	22.exe	cmd.exe
PID 4724 wrote to memory of 4080	4724	22.exe	cmd.exe
PID 4724 wrote to memory of 4080	4724	22.exe	cmd.exe
PID 4080 wrote to memory of 2628	4080	cmd.exe	cmd.exe
PID 4080 wrote to memory of 2628	4080	cmd.exe	cmd.exe
PID 4080 wrote to memory of 2628	4080	cmd.exe	cmd.exe
PID 2628 wrote to memory of 1524	2628	cmd.exe	takeown.exe
PID 2628 wrote to memory of 1524	2628	cmd.exe	takeown.exe
PID 2628 wrote to memory of 1524	2628	cmd.exe	takeown.exe
PID 4080 wrote to memory of 4524	4080	cmd.exe	icacls.exe
PID 4080 wrote to memory of 4524	4080	cmd.exe	icacls.exe
PID 4080 wrote to memory of 4524	4080	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\s11111etup-hall.exe
"C:\Users\Admin\AppData\Local\Temp\s11111etup-hall.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:116

C:\WINDOWS\temp\qp.exe
"C:\WINDOWS\temp\qp.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" -fuck "C:\WINDOWS\temp\qp.exe"
3⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 12
4⤵
- Program crash
PID:3652

C:\Users\Admin\AppData\Local\Temp\9.exe
"C:\Users\Admin\AppData\Local\Temp\9.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CD6F4D28-9A45-4447-93E9-44CD30F94E38}
4⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\22.exe
"C:\Users\Admin\AppData\Local\Temp\22.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2060 -ip 2060
1⤵
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallShield\ISEngine12.0\IsBE.dll
Filesize
52KB

MD5
9cf7faee57a20bf15a2fc9b423ebc512

SHA1
12cbf4d0a941bd5a8f847754fdaf4841e7751cce

SHA256
d34f26d85bfb94a5f017fdaf58b94ecf9553919d2aa9a9955ff0a2e3d7c11e4a

SHA512
44c715be4a98b9ce99c6d926500be3e365f8a08a4d8c85ae9342dc9ce76de29544f14acbf42d69f7f9e40ebdf0c6faa8cb5d4b3fc9d523479b12cf0823678672

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe
Filesize
26KB

MD5
b1ad667fb56079aba14fedd502e56ea1

SHA1
c047bd23a5a4ddf47e002f3ee646f78ee4f3d178

SHA256
1e4504bbb9b219b1576320f142f9b180de35889a4b3687cbf5352989a11eb7ae

SHA512
c52f3ed9e8f11f39d47f288bae4e594fe8f3a298b92df5c26c23c645e9662ca2ffda05572ffe6f74f16726853124c3234c1fc9eb4f8f864e3c8c459b972f5ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe
Filesize
26KB

MD5
b1ad667fb56079aba14fedd502e56ea1

SHA1
c047bd23a5a4ddf47e002f3ee646f78ee4f3d178

SHA256
1e4504bbb9b219b1576320f142f9b180de35889a4b3687cbf5352989a11eb7ae

SHA512
c52f3ed9e8f11f39d47f288bae4e594fe8f3a298b92df5c26c23c645e9662ca2ffda05572ffe6f74f16726853124c3234c1fc9eb4f8f864e3c8c459b972f5ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe
Filesize
27.0MB

MD5
2c8c6ae0ae31f13f2fdbe9feaa02db13

SHA1
f51007fa74f3b39a6c73ddf66f5b4dd2563276bd

SHA256
0539ccc3d939b8e8581668273bf2c69b7be8c5ffdfe8f54c809a98957d68f0f9

SHA512
7769f025fdaa47ac1e30a78e4360bc2738de0de5a3dcd9f425186cc60a41ce82498f8b08890d7b04a162db4013fa0eaf282c79ffbb362a5caa4d725df322b5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe
Filesize
27.0MB

MD5
2c8c6ae0ae31f13f2fdbe9feaa02db13

SHA1
f51007fa74f3b39a6c73ddf66f5b4dd2563276bd

SHA256
0539ccc3d939b8e8581668273bf2c69b7be8c5ffdfe8f54c809a98957d68f0f9

SHA512
7769f025fdaa47ac1e30a78e4360bc2738de0de5a3dcd9f425186cc60a41ce82498f8b08890d7b04a162db4013fa0eaf282c79ffbb362a5caa4d725df322b5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0908A48C-1CCD-467A-A7CA-6EF37AEACE43}\Disk1\ISSetup.dll
Filesize
539KB

MD5
a06ed9fcd8f114e270aa64c46063d8c3

SHA1
e091914d4e2ba90e468ef4e13420bed24146bac6

SHA256
4663e033c1f188ed66d3c413064bfa104f6c307ed10a918afd2b8373130a779a

SHA512
46393550796bc8211ecd96e31ccb5bf65c437d6d1857d548dbd8836192aa6b299feefb617b59fc9c7a251cb259c6dc477f17d044d201621ad315b06db5749102

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0908A48C-1CCD-467A-A7CA-6EF37AEACE43}\Disk1\ISSetup.dll
Filesize
539KB

MD5
a06ed9fcd8f114e270aa64c46063d8c3

SHA1
e091914d4e2ba90e468ef4e13420bed24146bac6

SHA256
4663e033c1f188ed66d3c413064bfa104f6c307ed10a918afd2b8373130a779a

SHA512
46393550796bc8211ecd96e31ccb5bf65c437d6d1857d548dbd8836192aa6b299feefb617b59fc9c7a251cb259c6dc477f17d044d201621ad315b06db5749102

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0908A48C-1CCD-467A-A7CA-6EF37AEACE43}\_Setup.dll
Filesize
376KB

MD5
2985a79020ec96afc2d1c8ab318b866f

SHA1
01e801eaa82ace4d521c651dadddacfb4fb278d9

SHA256
f9a007b9ec4a20fecfc004662028226e11ada038be69eab586c03a903c73fbad

SHA512
b496d72a942d3f95a062807fdd7c487d836e2c850ec5422967fbb5fe5bdb467806be24b09fa1ee035494e73ed9725e2fa441ec807d94423e873abef8eae94b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0908A48C-1CCD-467A-A7CA-6EF37AEACE43}\_Setup.dll
Filesize
376KB

MD5
2985a79020ec96afc2d1c8ab318b866f

SHA1
01e801eaa82ace4d521c651dadddacfb4fb278d9

SHA256
f9a007b9ec4a20fecfc004662028226e11ada038be69eab586c03a903c73fbad

SHA512
b496d72a942d3f95a062807fdd7c487d836e2c850ec5422967fbb5fe5bdb467806be24b09fa1ee035494e73ed9725e2fa441ec807d94423e873abef8eae94b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\ISBEW64.exe
Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\ISBEW64.exe
Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\_ISUser.dll
Filesize
96KB

MD5
38ca1a941889635bb8b150885a583b8d

SHA1
5bb6c5dc31f6d5725ac9ea04e517d929566e8c94

SHA256
73bee5b4dede9117096156d46ea9838832cb8409647f94d1ff9cc544903b1235

SHA512
65b62ffab2e6b23a7db72bd616eb35fae2fa6003df4069dd87199ebc200797ddc54a505c6e5e8df8661b6a67962c95adfd430d61933d6d3f80fbd679ebfa335a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\_ISUser.dll
Filesize
96KB

MD5
38ca1a941889635bb8b150885a583b8d

SHA1
5bb6c5dc31f6d5725ac9ea04e517d929566e8c94

SHA256
73bee5b4dede9117096156d46ea9838832cb8409647f94d1ff9cc544903b1235

SHA512
65b62ffab2e6b23a7db72bd616eb35fae2fa6003df4069dd87199ebc200797ddc54a505c6e5e8df8661b6a67962c95adfd430d61933d6d3f80fbd679ebfa335a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\_IsRes.dll
Filesize
82KB

MD5
72927c6e0d47e9f9f99977834e95e30f

SHA1
3ce88569ec60b41ad2c9ceea9db88d7af16887ac

SHA256
ed4790f99f36678635aefc403e3ff89e7f2b116fbdf3add1bc7c3f4ff914b6fe

SHA512
793e0f9b9dda2cda72e43877156b85fcc8f0c436f6b12bc0fdd3cee66eee44d41f92ba3e82b1249866b9db84c8b93254080b05d948f25d25c3b94596707220a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\_IsRes.dll
Filesize
82KB

MD5
72927c6e0d47e9f9f99977834e95e30f

SHA1
3ce88569ec60b41ad2c9ceea9db88d7af16887ac

SHA256
ed4790f99f36678635aefc403e3ff89e7f2b116fbdf3add1bc7c3f4ff914b6fe

SHA512
793e0f9b9dda2cda72e43877156b85fcc8f0c436f6b12bc0fdd3cee66eee44d41f92ba3e82b1249866b9db84c8b93254080b05d948f25d25c3b94596707220a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\isrt.dll
Filesize
203KB

MD5
b35dde51d14f9400e73196693148734e

SHA1
9410c5268f5558e57d044780d0d5dcc7aa181299

SHA256
70fa7f0aa2feb397597b2785a4bfdb2c9cd36e0edb51f4f0dfe6ac086290ac86

SHA512
6bb24c8864078c923007c1818bb0a590ebe84e2fbe6f2642dc951b05c42da1c33861f150c4ea8943657259c1c309a69b8cb1817b6a207cb9e577bc3aa8bfa79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A0F7FC44-F048-4AAA-9971-91581DF9359C}\{759741C0-97A5-436A-B95E-94DC8B86BF2B}\isrt.dll
Filesize
203KB

MD5
b35dde51d14f9400e73196693148734e

SHA1
9410c5268f5558e57d044780d0d5dcc7aa181299

SHA256
70fa7f0aa2feb397597b2785a4bfdb2c9cd36e0edb51f4f0dfe6ac086290ac86

SHA512
6bb24c8864078c923007c1818bb0a590ebe84e2fbe6f2642dc951b05c42da1c33861f150c4ea8943657259c1c309a69b8cb1817b6a207cb9e577bc3aa8bfa79d

Download Submit
C:\WINDOWS\temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\WINDOWS\temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\WINDOWS\temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\WINDOWS\temp\qp.exe
Filesize
27.0MB

MD5
4c872e397e2ea9f822342013fa02f5c9

SHA1
0afb8f2062c7d1f3cae5db3b24b0571360b2c3df

SHA256
29e1526c36933fe8e6d6c0089924d2b2b0da15ab46520a737ed2d86c9852feb8

SHA512
24db889a1c59e08127b5c0d3f4a458f22f754f85d81a4007f7024dedefeefbe49c79eee5f7b6613316c45c1aaf75472a38d186467ce854d968baee9250aadefa

Download Submit
C:\Windows\SysWOW64\123A09D.tmp
Filesize
12KB

MD5
c1db9f7354d2f4a79b261b3ffd34cd2c

SHA1
5d93dbca028162c1e157bce7f4b99d8f806ca2b5

SHA256
c54fafe066480e1702822a1904a31c864a60154900ffe557f4cc42ddee8c703b

SHA512
f31e75f97be456d1bcc6106c375dcbb8269e46336bb493da62efbba714e16ece5de63a739eead81686d58cb327fda6ab8172e3984725f7b81b24987855f53023

Download Submit
C:\Windows\SysWOW64\123A09D.tmp
Filesize
12KB

MD5
9936cb0ca376b02afdad243af3d54cfe

SHA1
9f448a16fbc4b93e2642ab5fbd83d8b1417e37d6

SHA256
491bb277e0eeaf2cabdf9d129fce13c485e9b9e0c48a55c399fc869122ad9acf

SHA512
7e5a36e184709676578f76502f0f753b8e7031923af01e30985ac1daa3ea4c5bd0dda467036ee91461c9ce0808ea30c701e72a77a9426396b44ebd6e1a7eb478

Download Submit
C:\Windows\SysWOW64\123BBC7.tmp
Filesize
18KB

MD5
1168192f4871ffa51129435f37fedbc4

SHA1
8dbe0e254563d21fb2d2ab2c0400ae2f200b9b2c

SHA256
7586ad459835579e71f88bbb9c05e6f9174ff0721d5826eb990b4669655a1033

SHA512
528b63d398e571d64adb7200370822cb9335e75a25b7022302aa2518f5acb31975d93b310e78914a97903e52bd7a731599336a0c5acff417201a614bf519a639

Download Submit
C:\Windows\SysWOW64\123FF5B.tmp
Filesize
192KB

MD5
34153e39b10468c9ae8ec7f68dfbc423

SHA1
68e2cd47c99122786fb494453380ec8dd24bbf39

SHA256
5c2ba6d0d9578b3f18e27710a7b5f65d858c38448b201d29fde9d44ea7bfb9fd

SHA512
513bf7c8c8ffddc25b6989c88f1efb3e3079f81ca544cd27c99135f6fabd99578dccc1091e56e144e0436f99ede939565a52ca8f6fe08f3ad8b190d523a97820

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
aafe4cc189edd5a9808503eede104c85

SHA1
609dce661aff6d63e0a0f7bd8a4db024afeadfff

SHA256
fe52d53b0d9966276f312eb15da23a01db52da5b608086d6c4f3c41aa6209ef5

SHA512
cb464b41a3e85a53042ce13086f63b36b5fc44eeecac7244099cec0ebc7633f3705289ead6efd32d47f7467b8b2cd289f7c8f5c13806eb257a9f5025949d4eea

Download Submit
C:\Windows\Temp\qp.exe
Filesize
27.0MB

MD5
4c872e397e2ea9f822342013fa02f5c9

SHA1
0afb8f2062c7d1f3cae5db3b24b0571360b2c3df

SHA256
29e1526c36933fe8e6d6c0089924d2b2b0da15ab46520a737ed2d86c9852feb8

SHA512
24db889a1c59e08127b5c0d3f4a458f22f754f85d81a4007f7024dedefeefbe49c79eee5f7b6613316c45c1aaf75472a38d186467ce854d968baee9250aadefa

Download Submit
memory/856-164-0x0000000000000000-mapping.dmp

Download
memory/1380-167-0x0000000000000000-mapping.dmp

Download
memory/1524-175-0x0000000000000000-mapping.dmp

Download
memory/1804-166-0x0000000000000000-mapping.dmp

Download
memory/2152-148-0x0000000000000000-mapping.dmp

Download
memory/2236-162-0x0000000004120000-0x0000000004169000-memory.dmp

Filesize
292KB

Download
memory/2236-135-0x0000000000000000-mapping.dmp

Download
memory/2236-146-0x0000000002820000-0x00000000029B7000-memory.dmp

Filesize
1.6MB

Download
memory/2236-154-0x0000000004EA0000-0x0000000004F2E000-memory.dmp

Filesize
568KB

Download
memory/2236-151-0x0000000002820000-0x00000000029B7000-memory.dmp

Filesize
1.6MB

Download
memory/2628-174-0x0000000000000000-mapping.dmp

Download
memory/2644-141-0x0000000000000000-mapping.dmp

Download
memory/2736-150-0x0000000000000000-mapping.dmp

Download
memory/3952-132-0x0000000000000000-mapping.dmp

Download
memory/4080-172-0x0000000000000000-mapping.dmp

Download
memory/4476-159-0x0000000000000000-mapping.dmp

Download
memory/4520-149-0x0000000000000000-mapping.dmp

Download
memory/4524-176-0x0000000000000000-mapping.dmp

Download
memory/4724-138-0x0000000000000000-mapping.dmp

Download
memory/5016-168-0x0000000000000000-mapping.dmp

Download