787d15b6681907876da506ec782434fad8f04e41c2371ce9900bdf7148962495

Analysis

max time kernel
93s
max time network
125s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
25-02-2024 11:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

KMSAuto++.exe
Size

17.3MB
MD5

2cb529469604258cdfdba8274b5b2421
SHA1

4dd974f9a65c10c6e224d4475733ed3229160ba3
SHA256

9e073291b0a34663a7052207e6fbcbaa924ddcb24665ee0615954b114bd95b29
SHA512

05566816ab0809833f047b1d160efc8f4583ee8845d70fadd6caa1824b1e2250c6e24f76e9f1eb38ce39a8ba3935c90137dca9ff6b628f10142db0742ba08e39
SSDEEP

393216:UdAG/8OKtOWhC6mlaF+J9hM/SonN+yibB+FmABoQMkkgKMh7o+:UmG0OIJYEF+J9wSoN+/d+o4oQZkgKMP

Score

10^/10

evasion upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20637/i640.cab

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	2540	powershell.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 4 IoCs

pid	Process
4188	signtool.exe
804	gatherosstate.exe
3232	OInstallLite.exe
948	files.dat

Loads dropped DLL 2 IoCs

pid	Process
804	gatherosstate.exe
804	gatherosstate.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4272-0-0x0000000000400000-0x00000000016F2000-memory.dmp	upx
behavioral1/memory/4272-12-0x0000000000400000-0x00000000016F2000-memory.dmp	upx
behavioral1/memory/4272-13-0x0000000000400000-0x00000000016F2000-memory.dmp	upx
behavioral1/memory/4272-14-0x0000000000400000-0x00000000016F2000-memory.dmp	upx
behavioral1/memory/4272-29-0x0000000000400000-0x00000000016F2000-memory.dmp	upx
behavioral1/memory/4272-67-0x0000000000400000-0x00000000016F2000-memory.dmp	upx
behavioral1/memory/4272-73-0x0000000000400000-0x00000000016F2000-memory.dmp	upx
behavioral1/files/0x000d000000015251-78.dat	upx
behavioral1/files/0x000d000000015251-80.dat	upx
behavioral1/memory/4272-79-0x0000000000400000-0x00000000016F2000-memory.dmp	upx
behavioral1/memory/3232-82-0x0000000000400000-0x000000000163C000-memory.dmp	upx
behavioral1/memory/3232-129-0x0000000000400000-0x000000000163C000-memory.dmp	upx
behavioral1/memory/3232-251-0x0000000000400000-0x000000000163C000-memory.dmp	upx
behavioral1/memory/4272-424-0x0000000000400000-0x00000000016F2000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Launches sc.exe 37 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4164	sc.exe
4696	sc.exe
4312	sc.exe
2464	sc.exe
3412	sc.exe
2432	sc.exe
2816	sc.exe
376	sc.exe
2116	sc.exe
460	sc.exe
2776	sc.exe
540	sc.exe
1492	sc.exe
2272	sc.exe
896	sc.exe
4316	sc.exe
3948	sc.exe
1396	sc.exe
2764	sc.exe
4780	sc.exe
4872	sc.exe
3468	sc.exe
2124	sc.exe
5016	sc.exe
4244	sc.exe
1908	sc.exe
3488	sc.exe
2692	sc.exe
2652	sc.exe
3976	sc.exe
1512	sc.exe
5068	sc.exe
2844	sc.exe
1508	sc.exe
1868	sc.exe
1704	sc.exe
236	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ClipUp.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4148	taskkill.exe
2484	taskkill.exe
2652	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3624	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	signtool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	signtool.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2540	powershell.exe
2540	powershell.exe
2540	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
692	Conhost.exe
692	Conhost.exe
692	Conhost.exe
3012	powershell.exe
3012	powershell.exe
3012	powershell.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3232	OInstallLite.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4932	WMIC.exe
Token: SeSecurityPrivilege	4932	WMIC.exe
Token: SeTakeOwnershipPrivilege	4932	WMIC.exe
Token: SeLoadDriverPrivilege	4932	WMIC.exe
Token: SeSystemProfilePrivilege	4932	WMIC.exe
Token: SeSystemtimePrivilege	4932	WMIC.exe
Token: SeProfSingleProcessPrivilege	4932	WMIC.exe
Token: SeIncBasePriorityPrivilege	4932	WMIC.exe
Token: SeCreatePagefilePrivilege	4932	WMIC.exe
Token: SeBackupPrivilege	4932	WMIC.exe
Token: SeRestorePrivilege	4932	WMIC.exe
Token: SeShutdownPrivilege	4932	WMIC.exe
Token: SeDebugPrivilege	4932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4932	WMIC.exe
Token: SeRemoteShutdownPrivilege	4932	WMIC.exe
Token: SeUndockPrivilege	4932	WMIC.exe
Token: SeManageVolumePrivilege	4932	WMIC.exe
Token: 33	4932	WMIC.exe
Token: 34	4932	WMIC.exe
Token: 35	4932	WMIC.exe
Token: 36	4932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4932	WMIC.exe
Token: SeSecurityPrivilege	4932	WMIC.exe
Token: SeTakeOwnershipPrivilege	4932	WMIC.exe
Token: SeLoadDriverPrivilege	4932	WMIC.exe
Token: SeSystemProfilePrivilege	4932	WMIC.exe
Token: SeSystemtimePrivilege	4932	WMIC.exe
Token: SeProfSingleProcessPrivilege	4932	WMIC.exe
Token: SeIncBasePriorityPrivilege	4932	WMIC.exe
Token: SeCreatePagefilePrivilege	4932	WMIC.exe
Token: SeBackupPrivilege	4932	WMIC.exe
Token: SeRestorePrivilege	4932	WMIC.exe
Token: SeShutdownPrivilege	4932	WMIC.exe
Token: SeDebugPrivilege	4932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4932	WMIC.exe
Token: SeRemoteShutdownPrivilege	4932	WMIC.exe
Token: SeUndockPrivilege	4932	WMIC.exe
Token: SeManageVolumePrivilege	4932	WMIC.exe
Token: 33	4932	WMIC.exe
Token: 34	4932	WMIC.exe
Token: 35	4932	WMIC.exe
Token: 36	4932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	564	WMIC.exe
Token: SeSecurityPrivilege	564	WMIC.exe
Token: SeTakeOwnershipPrivilege	564	WMIC.exe
Token: SeLoadDriverPrivilege	564	WMIC.exe
Token: SeSystemProfilePrivilege	564	WMIC.exe
Token: SeSystemtimePrivilege	564	WMIC.exe
Token: SeProfSingleProcessPrivilege	564	WMIC.exe
Token: SeIncBasePriorityPrivilege	564	WMIC.exe
Token: SeCreatePagefilePrivilege	564	WMIC.exe
Token: SeBackupPrivilege	564	WMIC.exe
Token: SeRestorePrivilege	564	WMIC.exe
Token: SeShutdownPrivilege	564	WMIC.exe
Token: SeDebugPrivilege	564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	564	WMIC.exe
Token: SeRemoteShutdownPrivilege	564	WMIC.exe
Token: SeUndockPrivilege	564	WMIC.exe
Token: SeManageVolumePrivilege	564	WMIC.exe
Token: 33	564	WMIC.exe
Token: 34	564	WMIC.exe
Token: 35	564	WMIC.exe
Token: 36	564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	564	WMIC.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4272	KMSAuto++.exe
4272	KMSAuto++.exe
4272	KMSAuto++.exe
4272	KMSAuto++.exe
4272	KMSAuto++.exe
4272	KMSAuto++.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 4756	4272	KMSAuto++.exe	73
PID 4272 wrote to memory of 4756	4272	KMSAuto++.exe	73
PID 4272 wrote to memory of 2976	4272	KMSAuto++.exe	76
PID 4272 wrote to memory of 2976	4272	KMSAuto++.exe	76
PID 4272 wrote to memory of 4188	4272	KMSAuto++.exe	77
PID 4272 wrote to memory of 4188	4272	KMSAuto++.exe	77
PID 4272 wrote to memory of 4188	4272	KMSAuto++.exe	77
PID 2976 wrote to memory of 4932	2976	cmd.exe	79
PID 2976 wrote to memory of 4932	2976	cmd.exe	79
PID 4272 wrote to memory of 4696	4272	KMSAuto++.exe	80
PID 4272 wrote to memory of 4696	4272	KMSAuto++.exe	80
PID 4272 wrote to memory of 3624	4272	KMSAuto++.exe	83
PID 4272 wrote to memory of 3624	4272	KMSAuto++.exe	83
PID 4272 wrote to memory of 1868	4272	KMSAuto++.exe	85
PID 4272 wrote to memory of 1868	4272	KMSAuto++.exe	85
PID 4272 wrote to memory of 4316	4272	KMSAuto++.exe	87
PID 4272 wrote to memory of 4316	4272	KMSAuto++.exe	87
PID 4272 wrote to memory of 4676	4272	KMSAuto++.exe	89
PID 4272 wrote to memory of 4676	4272	KMSAuto++.exe	89
PID 4272 wrote to memory of 2168	4272	KMSAuto++.exe	91
PID 4272 wrote to memory of 2168	4272	KMSAuto++.exe	91
PID 4272 wrote to memory of 3092	4272	KMSAuto++.exe	95
PID 4272 wrote to memory of 3092	4272	KMSAuto++.exe	95
PID 4676 wrote to memory of 564	4676	cmd.exe	93
PID 4676 wrote to memory of 564	4676	cmd.exe	93
PID 4272 wrote to memory of 3468	4272	KMSAuto++.exe	96
PID 4272 wrote to memory of 3468	4272	KMSAuto++.exe	96
PID 4272 wrote to memory of 1512	4272	KMSAuto++.exe	101
PID 4272 wrote to memory of 1512	4272	KMSAuto++.exe	101
PID 4272 wrote to memory of 3944	4272	KMSAuto++.exe	98
PID 4272 wrote to memory of 3944	4272	KMSAuto++.exe	98
PID 3944 wrote to memory of 336	3944	cmd.exe	102
PID 3944 wrote to memory of 336	3944	cmd.exe	102
PID 4272 wrote to memory of 32	4272	KMSAuto++.exe	103
PID 4272 wrote to memory of 32	4272	KMSAuto++.exe	103
PID 32 wrote to memory of 4216	32	cmd.exe	105
PID 32 wrote to memory of 4216	32	cmd.exe	105
PID 4272 wrote to memory of 4804	4272	KMSAuto++.exe	106
PID 4272 wrote to memory of 4804	4272	KMSAuto++.exe	106
PID 4272 wrote to memory of 2308	4272	KMSAuto++.exe	108
PID 4272 wrote to memory of 2308	4272	KMSAuto++.exe	108
PID 4272 wrote to memory of 1704	4272	KMSAuto++.exe	110
PID 4272 wrote to memory of 1704	4272	KMSAuto++.exe	110
PID 4272 wrote to memory of 4244	4272	KMSAuto++.exe	112
PID 4272 wrote to memory of 4244	4272	KMSAuto++.exe	112
PID 4272 wrote to memory of 4304	4272	KMSAuto++.exe	114
PID 4272 wrote to memory of 4304	4272	KMSAuto++.exe	114
PID 4272 wrote to memory of 4304	4272	KMSAuto++.exe	114
PID 4272 wrote to memory of 2148	4272	KMSAuto++.exe	117
PID 4272 wrote to memory of 2148	4272	KMSAuto++.exe	117
PID 2148 wrote to memory of 676	2148	cmd.exe	119
PID 2148 wrote to memory of 676	2148	cmd.exe	119
PID 4272 wrote to memory of 2536	4272	KMSAuto++.exe	121
PID 4272 wrote to memory of 2536	4272	KMSAuto++.exe	121
PID 2536 wrote to memory of 3424	2536	cmd.exe	123
PID 2536 wrote to memory of 3424	2536	cmd.exe	123
PID 4272 wrote to memory of 980	4272	KMSAuto++.exe	124
PID 4272 wrote to memory of 980	4272	KMSAuto++.exe	124
PID 980 wrote to memory of 4164	980	cmd.exe	126
PID 980 wrote to memory of 4164	980	cmd.exe	126
PID 4272 wrote to memory of 4276	4272	KMSAuto++.exe	127
PID 4272 wrote to memory of 4276	4272	KMSAuto++.exe	127
PID 4276 wrote to memory of 5068	4276	cmd.exe	129
PID 4276 wrote to memory of 5068	4276	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KMSAuto++.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto++.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
  2⤵
  PID:4756
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto++.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto++.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- C:\Users\Admin\AppData\Local\Temp\signtool.exe
  "C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\KMSAuto++.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:4188
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4696
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:3624
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:1868
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:4316
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:2168
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:3092
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:3468
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SECOPatcher.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SECOPatcher.dll"
    3⤵
    PID:336
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\dControl.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\dControl.exe"
    3⤵
    PID:4216
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4804
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:2308
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:1704
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:4244
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
  2⤵
  PID:4304
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
    3⤵
    PID:676
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
    3⤵
    PID:3424
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe qc licensemanager
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe qc licensemanager
    3⤵
    - Launches sc.exe
    PID:4164
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe qc wuauserv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe qc wuauserv
    3⤵
    - Launches sc.exe
    PID:5068
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe config wuauserv start=demand
  2⤵
  PID:3128
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe config wuauserv start=demand
    3⤵
    - Launches sc.exe
    PID:4696
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe qc wlidsvc
  2⤵
  PID:376
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe qc wlidsvc
    3⤵
    - Launches sc.exe
    PID:3948
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe start licensemanager
  2⤵
  PID:3956
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe start licensemanager
    3⤵
    - Launches sc.exe
    PID:4312
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe start wuauserv
  2⤵
  PID:4856
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe start wuauserv
    3⤵
    - Launches sc.exe
    PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe start wlidsvc
  2⤵
  PID:1140
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe start wlidsvc
    3⤵
    - Launches sc.exe
    PID:1396
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail
  2⤵
  PID:2780
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail
    3⤵
    PID:4396
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 48
  2⤵
  PID:4448
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 48
    3⤵
    PID:460
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1
  2⤵
  PID:4776
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1
    3⤵
    PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c gatherosstate.exe
  2⤵
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\BIN\gatherosstate.exe
    gatherosstate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:804
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\
  2⤵
  PID:1336
- - C:\Windows\System32\ClipUp.exe
    C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\
    3⤵
    PID:1508
  - - C:\Windows\System32\ClipUp.exe
      C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\ -ppl C:\Users\Admin\AppData\Local\Temp\temB08E.tmp
      4⤵
      Checks SCSI registry key(s)
      PID:4176
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
  2⤵
  PID:4344
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    3⤵
    PID:4708
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f
  2⤵
  PID:168
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f
    3⤵
    PID:2536
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe config wuauserv start=disabled
  2⤵
  PID:4692
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe config wuauserv start=disabled
    3⤵
    - Launches sc.exe
    PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\net.exe stop wuauserv /y
  2⤵
  PID:3388
- - C:\Windows\System32\net.exe
    C:\Windows\System32\net.exe stop wuauserv /y
    3⤵
    PID:2692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wuauserv /y
      4⤵
      PID:5060
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
  2⤵
  PID:4144
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
    3⤵
    PID:4832
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /F /Q
  2⤵
  PID:1016
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:3044
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:1140
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:4780
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:460
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:456
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4112
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:2464
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:3412
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4468
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:888
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:2776
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:2844
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4428
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4836
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:1908
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:1508
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:676
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:2648
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:540
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:3488
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4692
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:5036
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:1492
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:2692
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4476
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4352
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:376
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:2652
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:2360
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:1800
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:2124
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:5016
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4792
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:204
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:3976
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:2272
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:3936
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:3944
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:896
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:236
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:2088
- C:\Windows\System32\reg.exe
  "C:\Windows\Sysnative\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
  2⤵
  PID:4480
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query SecurityHealthService
  2⤵
  - Launches sc.exe
  PID:2116
- C:\Windows\System32\sc.exe
  "C:\Windows\Sysnative\sc.exe" query WinDefend
  2⤵
  - Launches sc.exe
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
  "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3232
- - C:\Windows\System32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe"
    3⤵
    PID:2688
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe"
      4⤵
      PID:3912
- - C:\Windows\System32\reg.exe
    "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
    3⤵
    PID:4896
- - C:\Windows\System32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
    3⤵
    PID:536
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
      4⤵
      PID:3588
- - C:\Windows\System32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
    3⤵
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\files\files.dat
      files.dat -y -pkmsauto
      4⤵
      Executes dropped EXE
      PID:948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over987332\v32.cab') }"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- - C:\Windows\SysWOW64\expand.exe
    "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over987332
    3⤵
    - Drops file in Windows directory
    PID:3916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over987332\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1868
- - C:\Windows\System32\reg.exe
    "C:\Windows\Sysnative\reg.exe" add HKLM\Software\Policies\Microsoft\Office\16.0\Common\OfficeUpdate /v UpdateBranch /d PerpetualVL2021 /f
    3⤵
    - Modifies registry key
    PID:3624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over496561\v32.cab') }"
    3⤵
    PID:692
- - C:\Windows\SysWOW64\expand.exe
    "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over496561
    3⤵
    - Drops file in Windows directory
    PID:1748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over496561\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3012
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over306273\v32.cab') }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2124
- - C:\Windows\SysWOW64\expand.exe
    "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over306273
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over306273\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over737135\v32.cab') }"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\expand.exe
    "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over737135
    3⤵
    PID:196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over737135\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
    3⤵
    PID:4732
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop ClickToRunSvc
    3⤵
    PID:3956
  - - C:\Windows\System32\sc.exe
      sc.exe stop ClickToRunSvc
      4⤵
      Launches sc.exe
      PID:4872
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /t /f /IM OfficeClickToRun.exe
    3⤵
    - Kills process with taskkill
    PID:2484
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /t /f /IM IntegratedOffice.exe
    3⤵
    - Kills process with taskkill
    PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /t /f /IM OfficeC2RClient.exe
    3⤵
    - Kills process with taskkill
    PID:4148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20637/i640.cab', 'C:\Users\Admin\AppData\Local\Temp\over737135\i640.cab') }"
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\expand.exe
    "expand" i640.cab -F:* "C:\Program Files\Common Files\microsoft Shared\ClickToRun"
    3⤵
    PID:3624
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
  2⤵
  PID:532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e4
1⤵
PID:2684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af0855 /state1:0x41c64e6d
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e6dcccd82eceab574211f7bfa821d776

SHA1
98e4114890771a728209e1a58a04de3f900eb58a

SHA256
086cbc49f9d182ae6bde2a89e5b9e9321575566ff2c5309a00239ceef7e549b1

SHA512
d916b54ca6cc1f7040954c87a41827f02c04eedb8368a52da4a7a693d5904e6433faf6b3a92c2fcfab1f421ba244c0cdfa99ae0882fbbd1a5443977d6a8d0c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
529568f05c9a41f8e9a00a75f4cffc66

SHA1
8638778e10f33566b6175bd2c3df243a3e10fdf0

SHA256
e047b45abedef4dcc27b203074316ca82592b98b24b63ac99a19a4273ed58758

SHA512
309a996559993d087ac89e37e44bde30800e084a7120851f0905cb55e8b7b6b72b858c742ccf2aa34585cd6a6d6eeb81fe36e4632a7eb29083d13fab2e0ba7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
be3352c076237414f6b9969afce03f2a

SHA1
0df22ac47ed463efa51ad63cc49a1cc835efe7ea

SHA256
494fd255da66647842f01defaea1555e08edccad22ec742fc8f766d918282180

SHA512
38c46a59279ebf8feb5767c020146385ff5ef9810535612bf92de9149cf7f14d4207d111d0fd5461ed58ca4dab453f3cf612de6abb51babbcdc4c0244c4511b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b2922835e20b09fb0047b310a3fbc85d

SHA1
c6d2d514b8ea04d8ab2c18abdaa3cf3fc2949801

SHA256
8feda8f9ea4018792ead9c0d42a3a404f49c59f2fc68baab4f3a9a1acc43afdd

SHA512
042b9897bf4243a4d9ce3c8b6497d48c1a1a419f5f8e39d9d548341fa88496a2c894f51cd5119340e66eac4df34167113e58a798ef49878381d206f238dab7d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c483ff4075c111a730c8589c5d8f2fb4

SHA1
7e73e48ebacf4a10ea8ae409bc740c5196a39b40

SHA256
712998804af32227d5a380d1cd46d4a1f91d7cf608c4f0ec84df7e7f29903fd1

SHA512
3249cd24a7c34bd33654d34bdd3817d9acb0b4c2aaf6f25dd74c223b7f5bae42a7393442b91cebfd04efde2d5b74f42962ed8cec74610e15c1f45d4fe7fb8b4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
5640bab9ac7efe037648620c8cb6a1b9

SHA1
dddaa48e511bac3bd2c8636e78d13cf428ad6df7

SHA256
644efa555ee6b9b59cf87c7c16f51617e0b9427d5bbc8c3a900e4696781ecdba

SHA512
c11ed50a496d8e6e1fc1508d00b90bafaf947a42144356ca38b8266a9fa15368809339c6c9e36115faca4cce3d1b9ac74e1e3ba14b35d300e39ed41ab7f4fc8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a859120043c6cd6053f5ede8fe2b9051

SHA1
a5932a6e12e9060bb98b9ec44f6da2d1485e7505

SHA256
532565e976509b31e2d8d597061aadd4e181eeb13be371ef78ff088bdbdad7a6

SHA512
08d84b455d4c2f7d3b5c5de8fc9fc324e66d2bb355e9203c52ae0f5f0f53687c50032be312bde484a5203e6d3c78afb41d55d8fa530142210ec2e8a457b97088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
33d9f26104557108729afdffb478ae12

SHA1
d912e46c06277aef69f61cb1d718b25d49ba42f5

SHA256
eb456f9a828d5687c7e6050c39ae60d22242735172af8f109a54a73178d72fbb

SHA512
99dadad500da43e5fbf5922a8576e8b448ca7e5d0af03168957b45bffb675d56afd8fe42494ac0e2600588eb570898000701606a667033a70d6498818b777e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIN\GenuineTicket.xml

Filesize
1KB

MD5
4461bfb43f40fa81ee5da0feac85d0e1

SHA1
18d214c71914a1b113f84c0b556f3a8e1382a49a

SHA256
0c661621c1543bef773a6a9572df54afeb25e66ebef6b7cfc08f53a17d101b4e

SHA512
2052537353d895e061b1d6a6bf7d288043648abad5e97de91fae57e31d72ebb7306a53621685a8e02bebbbefb2eb8a53173b5eb7cc357d2d12bd4ef1c24d2058

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIN\gatherosstate.exe

Filesize
1.3MB

MD5
b13bc5b62f54607c334a6464d9b85cc8

SHA1
12721c69acbcb515f7adbee08ec42fc61192c187

SHA256
51791625054b01802fd5aaa6c4a929827b369dfef7b2891b5f55e0fa61af0c7d

SHA512
58a9c4e413992b8c225fd622934929382070cbe8c8999bdb93851a1f46a0129d674135eacce2b3f96a19dfbb7333e3b921b5e39b727339c9897de7a02d2ce3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe

Filesize
3.8MB

MD5
672aa8961d604cb8297ba113a1c8a002

SHA1
8639d224f6a97db3dc6c6b32a51587a24a79bea0

SHA256
319d2c4147e4d65edcc0e7ea6495dd0fbf8f331c6e2918c51cd2e889ff27c882

SHA512
42138c86f627805a6a469b8391831a09e486f60135ffffce947d5ab4ce9e6f8da00ed106868faecc6bf2929fd6b807a12cf5f9e129db9b450231c3d979cf4a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe

Filesize
3.8MB

MD5
9723d15026616e469a36a44e39f15fd3

SHA1
ab014b5680ee87f31170c582cef0f1d22d87ad09

SHA256
7cb1dc897a0b1377e3e17fde7cff00cc3595b27fb35daf4ac1349c9163883d17

SHA512
75385fe245d1d2a3f276d3c204affe0926ac009f76a80f856dbbbffbe3a311dc4372b61be1c953d22cd99beeb2846db5c8bd79b290db610f537d0ac7be102b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvyblll0.sko.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\Configure.xml

Filesize
529B

MD5
9801df68b6028a27454b78d5015fd0fe

SHA1
f62f9cfe1e8069666a2e4df3ee3e8e796c7b3296

SHA256
9a76fd72f232b1eb93a0bc59ed70151ef3d0014ce2e761cfc60043cd4a0d49c6

SHA512
edc517fdcb554d1a5aa9d891c3ccd13cd51180cba844758c58083b967d2edc7c942f4adbd9802827d47c0c3bf760d8fcf528ea9e0eea9853acfc32144cdfeb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\Uninstall.xml

Filesize
59B

MD5
364f86f97324ea82fe0d142cd01cf6dd

SHA1
fc2a45da2ede0c018ab8e46044e6a25765c27d99

SHA256
09d5b42140bab13165ba97fbd0e77792304c3c93555be02c3dce21a7a69c66dd

SHA512
9b0a0944535e25c944e01bed1674efff119505292b176287c0dad3db70ffc4244cff21cccfd1fd94b09dd6d5f84221930b66b210101e482cc4bb5df3311a5fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\configure.xml

Filesize
822B

MD5
ca9851a60687470fe017137298134091

SHA1
3b8a7b94548d40c8c12882947528b340868c9ee0

SHA256
7fe49b7c851236a5451954753e7e8fb0e5edee6944c7c41e90ac51e461486a8d

SHA512
e28add1e1dd5d960d5a8c89e0a2e4a0ae239b9b6a343ac61693a54d956aef12f277f8108b9950f560011e4b7a6d6c351b8596953ae2dfa70596cf1ba48c98eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
765KB

MD5
bb5569b15d68c10b7ff2d96b45825120

SHA1
d6d2ed450aae4552f550f59bffe3dd42d8377835

SHA256
4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e

SHA512
640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\x64\cleanospp.exe

Filesize
28KB

MD5
d3467cb7b83b654c2d05407dc7ba2360

SHA1
af7b4fdde21434f9e8d2e90fbff7b1d64af8a0a3

SHA256
edf85f4e2ef1a427b34265a22f261d664ec78de90c3b5da4174ef28558c8522a

SHA512
0998bc55b4b928077144cececfaaeee6d957f5acfcfab083987b2ba1e039ca9bf2156c633213c8a3c1ccd874d6ea31e5e1b8e0de6fdfd42693f844aca4408c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\x64\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\x86\cleanospp.exe

Filesize
25KB

MD5
98821a7a5737d656633d10a3afb724bd

SHA1
0307ba03137de39735c6e5bde8afd22d5279f0f9

SHA256
04ba4487f95290e0b0557b44300c18f637fbaf0872ee96e3111013b8a1539f25

SHA512
5e32cfa18cf6353bd36194ef9f00d0768fb5ec9723582d7ca72fcf60931ba08199d750270307e1c82adf57fb801855be6986f26e09b02aa7a5db74e95e3263ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\x86\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\over737135\i640.cab

Filesize
1.9MB

MD5
6db0b314d892a62ea10cf3191789e7dc

SHA1
7fb468827674c11e83b64f9523babc55e16fd672

SHA256
55970d57111ce5af7c33b0df0124cab3897260c1eb39a35f473aad90b4b008b3

SHA512
7f33d0c041e458bba348969cd9693cd4730359cbf597ebf46a266a0d142b3ada22a149728d13be43abc3fd0a8442622518db45b456ad1d8a24b527d632e73a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\over987332\VersionDescriptor.xml

Filesize
12KB

MD5
5d5045e8360e54a97c3ad3b6a4ea9689

SHA1
b422886a6d72ed2be9f409a4f043729b5de7ca1b

SHA256
0038b52fa587e4534519fd491fff160999d1c6942b12805d89789759e1c04bb3

SHA512
13adfc656c6690cbbeda4000ee65a89b9859c4e225c4257b1f7d748c60dec53e0c41a5cd6ea5e162aef8341ac175c8a6146ff80717b1ba0700824e9ecbabb66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\over987332\v32.cab

Filesize
10KB

MD5
1ad6af824b8037b08af260e37c207d74

SHA1
9a1863338b885c73a7949df988ae4533616ea6c0

SHA256
9c90643bc7b4530767249c423f64d12e3cd8eff5acc1e8678139e18cdc219072

SHA512
00080f462c0d0c43eef93272955c5d941bda523267eacb7324ec7ef94b3572db5a1c4fa7f6b99ddd05a1b1ab9e521d869b8500cf9704034add90bca29a2064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\over987332\v32.txt

Filesize
12KB

MD5
c40fc4d24667229805baffaa638dd2ff

SHA1
c5ddd1ca6008de00482d200cb2522d9a756e5fb7

SHA256
cec283130d4b42a10bd7dfefd4636f4bf684b279743027afd80eaa385d3c241d

SHA512
1de7de6c5f4855d2c52aa2efaef2fc7340d7923218698573c243a53dcd68575d870b93af6d3709100fd2eae5ac46fa1c59ac9d7a928243a1bcbcb976b06c26ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\signtool.exe

Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
139KB

MD5
3903bcab32a4a853dfa54962112d4d02

SHA1
ba6433fba48797cd43463441358004ac81b76a8b

SHA256
95fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816

SHA512
db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\temB08E.tmp

Filesize
396B

MD5
a4ddf689da158b5b22edea3907bfe6f4

SHA1
170bc7f8cb70b2c026c985bf87ddf797d2f78564

SHA256
73d162f9c191ee5a658324546db049e3f5d8ec53f8506cb9f858adc43dab6362

SHA512
9c5555811290630fc033e4e4a957fcbf01cd063f1271fadae34f4ea825c86c3b3a57ba9895ee510880265da4163b954442434bbe3571108ad67b5c3040dd278e

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
2KB

MD5
7814fa48a8acc62d69f8721cda360913

SHA1
c5d12d1353cbd37826dab9634823d9dd4e71b7ee

SHA256
8d07ded93aab16b3135102ef58f1c8e65f26f965611ec842a04d97c0bfd40fed

SHA512
c34f6975775f5a82893c495d707c48211d4acb7fb05d7250b1ee96667d3ca5e0a552e1c99405c94e8be5039bee5c1759cc3f49d268422f9bd13759892cd4a2c6

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
3KB

MD5
f5604bd7c4e7ba01d22f1c43ee58add7

SHA1
fe91191e223568c4de8bc0a9fe8857d6986d9b3f

SHA256
e9dd927cead3e335a4f9d02822f6fb90f4ea3dcb24ac15978ee8ea4d0399337a

SHA512
e9876cf38c4363eeda4e9877618c790b329bcd23cac4f7689243b17570b0de3a501e64ad982ae5a976329edf2d749da53f89f2b62e997d149cbda8b581531115

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
4KB

MD5
f0601eb71cdb21c6461621f89b39c634

SHA1
770d3ccc9d65a6cbcb869b6152a264d9a6cb40f1

SHA256
a8d1c226807844d6a34667a682e23537b15dc51165d7682db40397c2dd9b3268

SHA512
922e7af19f62f68aa243b0c760ac545bf33c132f71604b648d0adc1773091f5ca1ca5be942c0a71ca774ac0305789661b6d6a4798e98839e0dbf2edc9bc48b29

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
5KB

MD5
7af59b1490eecbc152e606cbafb6c054

SHA1
03a402eaed1d1d6c8b82fb5de3ca903e686e1fe7

SHA256
9a7c5cd988eb4f4de13c3676597710c425a510caaf5d78bb50c3b74f31a1eada

SHA512
5532c34fd924b6712ce8b9f591e7f8efb4c05df5a9f458b85d7aeed897ddfbdf7ea9da23c7eeca511fdffc4ce5b4e949285c558ed5e4072dc4ef9b63dc459b0f

Download Submit
\Users\Admin\AppData\Local\Temp\BIN\slc.dll

Filesize
13KB

MD5
31e221d3b930629a14ed2af067f777e3

SHA1
aae9a700c9bb97581f3e15ea133f754cc950b690

SHA256
32073d9d5706476785e3fbcb208b65dff56038c6ca9a8a2b15d2ab1590cc8e04

SHA512
0b6900bc5917908e6ef7ee9d5656b55132c4e2cccfde42eb375a58b81db2712ed0c6344f95b509b74f83bbaf91c0617e3649c597419ab90eedfcf924692f688f

Download Submit
memory/692-190-0x00000000074E0000-0x0000000007830000-memory.dmp

Filesize
3.3MB

Download
memory/692-210-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/692-187-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/692-189-0x00000000042A0000-0x00000000042B0000-memory.dmp

Filesize
64KB

Download
memory/692-188-0x00000000042A0000-0x00000000042B0000-memory.dmp

Filesize
64KB

Download
memory/692-206-0x00000000042A0000-0x00000000042B0000-memory.dmp

Filesize
64KB

Download
memory/804-24-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/804-27-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/804-34-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/804-33-0x0000000063780000-0x0000000063799000-memory.dmp

Filesize
100KB

Download
memory/804-36-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/804-31-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/804-30-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/804-22-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/804-21-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/804-39-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/804-38-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/1508-65-0x0000022D9A120000-0x0000022D9A130000-memory.dmp

Filesize
64KB

Download
memory/1508-66-0x0000022D9A120000-0x0000022D9A130000-memory.dmp

Filesize
64KB

Download
memory/1508-45-0x0000022D9A120000-0x0000022D9A130000-memory.dmp

Filesize
64KB

Download
memory/1508-46-0x0000022D9A120000-0x0000022D9A130000-memory.dmp

Filesize
64KB

Download
memory/1508-47-0x0000022D9A120000-0x0000022D9A130000-memory.dmp

Filesize
64KB

Download
memory/1508-43-0x0000022D9A120000-0x0000022D9A130000-memory.dmp

Filesize
64KB

Download
memory/1508-63-0x0000022D9A120000-0x0000022D9A130000-memory.dmp

Filesize
64KB

Download
memory/1508-48-0x0000022D9A120000-0x0000022D9A130000-memory.dmp

Filesize
64KB

Download
memory/1868-168-0x00000000097E0000-0x0000000009802000-memory.dmp

Filesize
136KB

Download
memory/1868-167-0x0000000009B50000-0x0000000009BE4000-memory.dmp

Filesize
592KB

Download
memory/1868-183-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/1868-180-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1868-149-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/1868-150-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1868-151-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1868-169-0x000000000A0F0000-0x000000000A5EE000-memory.dmp

Filesize
5.0MB

Download
memory/2124-255-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-256-0x0000000006AD0000-0x0000000006AE0000-memory.dmp

Filesize
64KB

Download
memory/2124-257-0x0000000006AD0000-0x0000000006AE0000-memory.dmp

Filesize
64KB

Download
memory/2124-277-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-273-0x0000000006AD0000-0x0000000006AE0000-memory.dmp

Filesize
64KB

Download
memory/2540-109-0x0000000008760000-0x000000000877C000-memory.dmp

Filesize
112KB

Download
memory/2540-102-0x00000000052C0000-0x00000000052F6000-memory.dmp

Filesize
216KB

Download
memory/2540-108-0x00000000083D0000-0x0000000008720000-memory.dmp

Filesize
3.3MB

Download
memory/2540-106-0x00000000080A0000-0x0000000008106000-memory.dmp

Filesize
408KB

Download
memory/2540-111-0x0000000008BD0000-0x0000000008C46000-memory.dmp

Filesize
472KB

Download
memory/2540-110-0x00000000087B0000-0x00000000087FB000-memory.dmp

Filesize
300KB

Download
memory/2540-105-0x0000000008000000-0x0000000008022000-memory.dmp

Filesize
136KB

Download
memory/2540-104-0x0000000007960000-0x0000000007F88000-memory.dmp

Filesize
6.2MB

Download
memory/2540-103-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2540-107-0x0000000008210000-0x0000000008276000-memory.dmp

Filesize
408KB

Download
memory/2540-101-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2540-100-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2540-135-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2540-130-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2540-126-0x000000000A100000-0x000000000A778000-memory.dmp

Filesize
6.5MB

Download
memory/2540-127-0x00000000098A0000-0x00000000098BA000-memory.dmp

Filesize
104KB

Download
memory/2664-320-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-219-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-250-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-220-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3012-221-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3232-251-0x0000000000400000-0x000000000163C000-memory.dmp

Filesize
18.2MB

Download
memory/3232-129-0x0000000000400000-0x000000000163C000-memory.dmp

Filesize
18.2MB

Download
memory/3232-82-0x0000000000400000-0x000000000163C000-memory.dmp

Filesize
18.2MB

Download
memory/3624-286-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3624-316-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3624-313-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3624-287-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/4176-53-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4176-57-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4176-51-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4176-52-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4176-55-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4176-61-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4176-60-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4176-59-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4176-54-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4176-71-0x000002492CF60000-0x000002492CF70000-memory.dmp

Filesize
64KB

Download
memory/4272-79-0x0000000000400000-0x00000000016F2000-memory.dmp

Filesize
18.9MB

Download
memory/4272-0-0x0000000000400000-0x00000000016F2000-memory.dmp

Filesize
18.9MB

Download
memory/4272-73-0x0000000000400000-0x00000000016F2000-memory.dmp

Filesize
18.9MB

Download
memory/4272-67-0x0000000000400000-0x00000000016F2000-memory.dmp

Filesize
18.9MB

Download
memory/4272-29-0x0000000000400000-0x00000000016F2000-memory.dmp

Filesize
18.9MB

Download
memory/4272-14-0x0000000000400000-0x00000000016F2000-memory.dmp

Filesize
18.9MB

Download
memory/4272-13-0x0000000000400000-0x00000000016F2000-memory.dmp

Filesize
18.9MB

Download
memory/4272-12-0x0000000000400000-0x00000000016F2000-memory.dmp

Filesize
18.9MB

Download
memory/4272-424-0x0000000000400000-0x00000000016F2000-memory.dmp

Filesize
18.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads