684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
Size

1.6MB
MD5

473b7f17dc89295dc1bd1f540f4539bf
SHA1

f07f180a3b81156847ee250b34256ae5679a3522
SHA256

684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8
SHA512

cbd70416f6371b2a32288c34b8f7b653dbb6b681cd303fa8297a2a1ea153d4f847c794a54a6a021b98d4112f8a5113e6d29b31dc792e73dd9426ba8500286d98
SSDEEP

49152:PabH/NhGZdu9EUpowUjIXjlhabH/EhGZdu9EUpowUjIXjSIy:E4ZwVUjITl4ZwVUjITSIy

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 2 IoCs

pid	Process
2800	UpdatAuto.exe
2088	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8~4.exe

Loads dropped DLL 7 IoCs

pid	Process
1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
2800	UpdatAuto.exe
2800	UpdatAuto.exe
2800	UpdatAuto.exe
1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
2088	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8~4.exe
2088	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8~4.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Windows\SysWOW64\UpdatAuto.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Windows\SysWOW64\Option.bat	UpdatAuto.exe
File opened for modification	C:\Windows\SysWOW64\UpdatAuto.exe	UpdatAuto.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	UpdatAuto.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2516	sc.exe
1420	sc.exe
1416	sc.exe
3004	sc.exe
2392	sc.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
2800	UpdatAuto.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2360	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	28
PID 1764 wrote to memory of 2360	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	28
PID 1764 wrote to memory of 2360	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	28
PID 1764 wrote to memory of 2360	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	28
PID 1764 wrote to memory of 2360	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	28
PID 1764 wrote to memory of 2360	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	28
PID 1764 wrote to memory of 2360	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	28
PID 1764 wrote to memory of 2800	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	30
PID 1764 wrote to memory of 2800	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	30
PID 1764 wrote to memory of 2800	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	30
PID 1764 wrote to memory of 2800	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	30
PID 1764 wrote to memory of 2800	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	30
PID 1764 wrote to memory of 2800	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	30
PID 1764 wrote to memory of 2800	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	30
PID 2800 wrote to memory of 2724	2800	UpdatAuto.exe	31
PID 2800 wrote to memory of 2724	2800	UpdatAuto.exe	31
PID 2800 wrote to memory of 2724	2800	UpdatAuto.exe	31
PID 2800 wrote to memory of 2724	2800	UpdatAuto.exe	31
PID 2800 wrote to memory of 2724	2800	UpdatAuto.exe	31
PID 2800 wrote to memory of 2724	2800	UpdatAuto.exe	31
PID 2800 wrote to memory of 2724	2800	UpdatAuto.exe	31
PID 1764 wrote to memory of 2088	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	33
PID 1764 wrote to memory of 2088	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	33
PID 1764 wrote to memory of 2088	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	33
PID 1764 wrote to memory of 2088	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	33
PID 1764 wrote to memory of 2088	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	33
PID 1764 wrote to memory of 2088	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	33
PID 1764 wrote to memory of 2088	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	33
PID 1764 wrote to memory of 2552	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	34
PID 1764 wrote to memory of 2552	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	34
PID 1764 wrote to memory of 2552	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	34
PID 1764 wrote to memory of 2552	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	34
PID 1764 wrote to memory of 2552	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	34
PID 1764 wrote to memory of 2552	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	34
PID 1764 wrote to memory of 2552	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	34
PID 1764 wrote to memory of 2996	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	35
PID 1764 wrote to memory of 2996	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	35
PID 1764 wrote to memory of 2996	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	35
PID 1764 wrote to memory of 2996	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	35
PID 1764 wrote to memory of 2996	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	35
PID 1764 wrote to memory of 2996	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	35
PID 1764 wrote to memory of 2996	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	35
PID 1764 wrote to memory of 2700	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	37
PID 1764 wrote to memory of 2700	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	37
PID 1764 wrote to memory of 2700	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	37
PID 1764 wrote to memory of 2700	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	37
PID 1764 wrote to memory of 2700	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	37
PID 1764 wrote to memory of 2700	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	37
PID 1764 wrote to memory of 2700	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	37
PID 1764 wrote to memory of 2696	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	38
PID 1764 wrote to memory of 2696	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	38
PID 1764 wrote to memory of 2696	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	38
PID 1764 wrote to memory of 2696	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	38
PID 1764 wrote to memory of 2696	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	38
PID 1764 wrote to memory of 2696	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	38
PID 1764 wrote to memory of 2696	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	38
PID 1764 wrote to memory of 2752	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	40
PID 1764 wrote to memory of 2752	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	40
PID 1764 wrote to memory of 2752	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	40
PID 1764 wrote to memory of 2752	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	40
PID 1764 wrote to memory of 2752	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	40
PID 1764 wrote to memory of 2752	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	40
PID 1764 wrote to memory of 2752	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	40
PID 1764 wrote to memory of 2548	1764	684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe	43

C:\Users\Admin\AppData\Local\Temp\684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe
"C:\Users\Admin\AppData\Local\Temp\684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Option.bat
  2⤵
  PID:2360
- C:\Windows\SysWOW64\UpdatAuto.exe
  C:\Windows\system32\UpdatAuto.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Option.bat
    3⤵
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8~4.exe
  684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8~4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop sharedaccess
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop wuauserv
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop wscsvc
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop srservice
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\net.exe
    net stop srservice
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop srservice
      4⤵
      PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net start TlntSvr
  2⤵
  PID:2752
- - C:\Windows\SysWOW64\net.exe
    net start TlntSvr
    3⤵
    PID:1888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start TlntSvr
      4⤵
      PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net user helpassistant 123456
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\net.exe
    net user helpassistant 123456
    3⤵
    PID:296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user helpassistant 123456
      4⤵
      PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net localgroup administrators helpassistant /add
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators helpassistant /add
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators helpassistant /add
      4⤵
      PID:2336
- C:\Windows\SysWOW64\sc.exe
  sc config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:3004
- C:\Windows\SysWOW64\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:2392
- C:\Windows\SysWOW64\sc.exe
  sc config wuauserv start= disabled
  2⤵
  - Launches sc.exe
  PID:1416
- C:\Windows\SysWOW64\sc.exe
  sc config wscsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1420
- C:\Windows\SysWOW64\sc.exe
  sc config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
a818e80acd145bfa1ad2b73e49454867

SHA1
57f07ec64d39276864d1cc5467fdedb5814969af

SHA256
7871852e1c15ef80a02801e69db5d22f11769b960e3ab93e3e681b021e5180d0

SHA512
742884239266ca548dc53d46b34c6686a709c96a6f60cdb7580a2fc041b8c8789222855e91410c3a8334da05d32ad3709cf0790fc21e438aa413230cdaa37300

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
2.5MB

MD5
1b35de5675056ebc0fe0e4fe61683259

SHA1
f0d30ba27cf7356e8d6440f4ff90397cb4407718

SHA256
27b1339ce645c232d602f6696b66c348251b112a6677b58344ccf5a9675a8990

SHA512
47d766a1c54dd41b7ebd8c8f51923cbd9609907693bb082726ef9cbaa4a82365382feb09066dc79a234bca3d6bffcbe15cf595f55bc8e5113137cd3b6a944e34

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
2.2MB

MD5
805070ec883f90d8eec9f6d98b30450a

SHA1
42c3e0c76687ded435bf11bd114cc68898d559ea

SHA256
294c023e6a2c7414f892692117e2d0dc89218291ea208141f6b670484100db87

SHA512
7471b6409bb47bcbeb2f43d3ad57a0f091100a91eeb7e4c9ec78c9082094279b73788295fe5dffde2201085ca0586843fba98541fb2edeebb05fda21318c5a37

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
c635f97f537dc0f97cc03132178dc6e3

SHA1
ec2a27c9952bef942fa624921702d74d2cf98a70

SHA256
b3a6482c684064b7fe0953056479b9223a71762aeed4b143cce9c2dc912194a8

SHA512
a60ecf4f3d0f2d07c0acad7e5d99b9a0bda6a52e7f85760460926813f9ed5030d0bc7d82820e8689f5501e5e13c072c6da5fd43f2f94f8ca846117d21579d5c4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
7dc3573f4c77981bb5ae1d6effbae790

SHA1
87bbfd613639ee92734d0129bbe8f789e324e3ac

SHA256
1060cd1a22a18f4580b9f6fe9686715783d8e1a95b0ffd2c775e27da3dd9181e

SHA512
f1acb7b324ddd048b6f5ce47f0cb89d789fbbee015bd8bb33ecfa7cf2e4b69c46f3095c0241dec88c5eca7da2ccc38ad106e92e672d0fc2b707a99d0a14bac76

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
2.3MB

MD5
5559e329ac9941adce1a591dee5514fa

SHA1
dbdd4f9a82b60e76fdf7e9182febff9dfaa34ae7

SHA256
a94d40fa9543a8c2576e85ee2cc00157151b59cfd36b69cdd2e87eba7946bb4a

SHA512
2a4abcec1c909918ce6ac732504e7d9db07067c4a0a3311c8ae7caf7c72882b080bf4e024c32c418e774a5b16d4e52d7a86440d0962c49f0d8f1d4f517e165b3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
2.1MB

MD5
fed4fba98124c7201924bcb614525d32

SHA1
f711702ae308b053e673a27cfe67f5b7123ba8f8

SHA256
3331f5996ff65a2ce3d7f11ba42d7a0e6e66b7ed73890d07387c163305a3fdff

SHA512
a62a29360ba8de26831eabf1a41edbe3a2ae4ce8ca16d033d9ba88c75f0f2f4b2c20e78944975f56ee03abcf536dd5463fd20ff5beee714e60ab7ef0f1a7df55

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
d87e49221a76552745f3e1778b00c75d

SHA1
4f520f4795b2adbf805e5f2569c96c01191c092f

SHA256
498fe89bf0a8c19c5e6e0af8e7ef1eedafc11a37412d05c5397153bbe7b800da

SHA512
787659288b1c6d770a82d4810e96589149633bb40ed7d8371902e61f163643daa1c18498bfa135e1fa0e18f474f1ef1a4ff51d24f2b9957a464f156928cc7ae1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
5.7MB

MD5
53ca4af9842a791881a4183adb03f428

SHA1
e6cc23f3ef9bdc1e7a067a96e6b4d300e53212ce

SHA256
602724a12a2e43faee753fcea0d4178330ba27ca5d1017495317775c6027f10f

SHA512
1542afbd0fcae61ec299f23a3f3a303376bbd3ed1776526c52f0bf3a5ad51402eb8e7c65910b5999932d89818f58d4cdd5baacb73e77fd30990390164ca82233

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
3.1MB

MD5
fe311cc54811f1fee384814366b563be

SHA1
7370cf83c4d21dd3d07eacc7eb014b373a0ef02f

SHA256
a0548cef625e493c7b210ee3e836d0a043267474af1c7a664ecdc58da0552f8e

SHA512
6a0eab3da978c9aac0803c774a86c656c6f877b5432a311a8cdc465bdc1dc4bd118a0bcae3ae8701cf8202a7b4b7328b26a5480465b8391be7ac1ee27dd1686c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
3.0MB

MD5
cc8cb0da94ca9fd4284596842840186c

SHA1
20c08c1b068790c2f6f331520a19ff831ec10b6d

SHA256
128d43ed4182c798bd1494f038696f366b0572b58b07bba3fba29dc0569e1bc1

SHA512
98ab3dadb258cac1a0740cae984cf22c71be483ad85f5e68dcd848e675d6acdf2cfde0af8ccb5a9183296c0c8c9d29cd40cb3f12c098514a2426dc74132a84e3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
2.6MB

MD5
8ea7736c04edbc348e0e5108d8d2b696

SHA1
966ac31a6d8cd22b6c5d1ddca12de154d7e10ddb

SHA256
15671afd7603024248302951c2a4a3bf1172795103a0c4c74578be9ef24c5e1e

SHA512
a212a8a8c97e53a4170fceee2af4a0cb4095412b0e9f7dba9b901a252e32e3777539c2039bdc862d14acdc98f3ae6dfd1af3905d71326b21e86d33cf202bd8d3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
4.2MB

MD5
54b3cde94d2562d6803c5a28ded8156e

SHA1
893e1fb7bf939a3d89c5c9a0ba5c6a5f971e2ab5

SHA256
f01ac491c179c23825eccf4c8bd5ebe717c3b6aa8a694093b250283e0c53a34e

SHA512
dfd6066ef9b9344a8050b162a873dad56b07c59a92505de736fc75852d439d5774b0842e1174e0547c939c3c3c87faf0987bb099055e33bcdc62b89d6b97ae30

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
2.4MB

MD5
14533b2d3a92ab17cb7cb43f7000b3ea

SHA1
accf470576bc5191ee9d810d851019a66f05d417

SHA256
99a1eb31900d0f7f1429b5645a4e276324003e80907b5599d342133f2b81e04c

SHA512
b9a4bd95dfea0693b4a62bd87dc4e06980450997ea0855dcc260bf2d7cbd641a08ea6a88d99953248d7b9b31b5cac2897568c00ddfc955a7bc317be9a9bc0f99

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.5MB

MD5
47243c43144aa2282d9a61bb15f772d9

SHA1
014bf58afe22a2a8a9b86781d38e4dd632d8b96c

SHA256
48a4ee5bd89de891c48e081c4ae5655d5a036d7c7ee8c67733d9e2059af815e1

SHA512
5146ac23da803716b807dbea1f24ee4590e6865055dde71a2ef350d8cdc29a07b8a6ab41702b5c1695e299d254eb5d4bdf8f9d503c4faebcd9386abd23a1e002

Download Submit
C:\Users\Admin\AppData\Local\Temp\684f42e6a5df6f24c4abb47675b6165f78d943495020434cd34a8aaf410493f8~4.exe

Filesize
147KB

MD5
7e61cd917599566316aa56d504dc6c91

SHA1
b651973f01cea1f4c33aac472da5aea6431832ec

SHA256
a5fb3ea9b8efb3bef5a48900be49b9ca38efd77b2367e1153ef16a36ceec1118

SHA512
a9988526a164c729137c9b911ba89f239b65c0ff1b02710c74fef77caf5f0ceba26c653aeff43f5dc0f80f8142a38470a7d66fcc80d24203277cb30ac99acc18

Download Submit
C:\Windows\SysWOW64\Option.bat

Filesize
53B

MD5
1d04abf39e9df55eed1d04430cc21eb8

SHA1
b8292861dfd4e046eb9625e1571cc08c26094d41

SHA256
0bc485263cf8a962e64db0b88f156f2a9af1b81ecfdb1cf9111d497e85df70f3

SHA512
a2cccc03dadecf6a298b274a6735675aeec1cc280f84432498e9df31aa4a543d2557a2fd06bac4fc8778a774b30bbd31f91c1d0d3ace480b6217654c8d63a7d0

Download Submit
\??\c:\ntldr~6

Filesize
1.4MB

MD5
c3275594b29bc643a9b4aa003b61347f

SHA1
4c8af5286868ca4ab57ede1a5b66399e859db9d8

SHA256
2beb28a99b568fad436e59bac6d2f4f5b1d39e2367aa9e5998f6e9a2eabc6a71

SHA512
8fe88911da8e78bd742b191739634a8281eca7bd9251dbc5ff4a201c3e308960073056648f866ae7810ca72a20e6c869861fb7399cebfd7bfcde535fb6ac6a88

Download Submit
\??\c:\ntldr~6

Filesize
1.4MB

MD5
d658cf24cbe1913a221b47e653f91e09

SHA1
db74e55233f06b4ddd6ef206d6fbda17fd1d694a

SHA256
6c7f603989fc3ecfc514998e7bf4bcbf6ac232f5e9b9cc67206ae4be82b47cf2

SHA512
1fe97dfb97d11891a24104c68142aff7f0624c9a8e5ad48f6c0de4a39df429001c4cd1abf56eaeb2ef9ebfd349ef9c3383d1e29ba3cb065050bee63fee553424

Download Submit
\??\c:\ntldr~6

Filesize
1.4MB

MD5
8cc98a1c6b569b5583ce0fc2c4d4b0ac

SHA1
39aa58be48c9842725bd1ab6f2b5b97b83cb94f3

SHA256
43ea8d0294d3f959a50dc528727c3ec1f8e1ad0eabeb98c8e64f4efc4277e13f

SHA512
1de26ee4f3e0776d6241b4b596a1ed3e24c95ebcc365232fc609a3331dc2c868162ec420e0bec3908b100d41151d69d2a78fcf299927952d5671ed3cc2ebea3a

Download Submit
\??\c:\ntldr~6

Filesize
1.4MB

MD5
66d6c080c80348dc2dec0f2b7d98f58d

SHA1
7889da05169a825179758e343c32486832a4af8e

SHA256
12b8765d45660ff760bdcace1ce328251b57b38c66dbb576c7a106a6282a4c3d

SHA512
26acdc0d17088e601f7272fbdcefe7dfe611802aff424c40a139e6aaf8a31332091db78dc4d35d5f50f5facb6572120d63ade642e2b999423db8b91c081e0055

Download Submit
\??\c:\ntldr~6

Filesize
1.4MB

MD5
419860920e72e5e43231733f936e71be

SHA1
8746d84f1064d23fd418eba57d46a70209b229a7

SHA256
734bfb202216374a537d221ace091a3444073583eb0bd4e87e0b184bb69d96ef

SHA512
c3e0b9fed4d8f552eabbf44287ef7d9a99910e3e4d6c03c683b991f187f66474e0bfe44c05f91833712b5bfcd5fb0924183911ae11b5406d0ddb5fe68c5d6242

Download Submit
\??\c:\ntldr~6

Filesize
1.4MB

MD5
a8f7b9be62273150e53f253ea5a71074

SHA1
f28b93363954eb5ee916888793eb0234ffeb622f

SHA256
d9e7a48bb5074c870eadf1b78a991809f407373d9b4e02809482058fa39ecd3e

SHA512
3ae9b0e35aab4f56da823dbb94941138079809da16e69201da4f74cdd2156e54b2752203da4608c1dbae8ef5d208be9f3c48fee777df399dfcd387b58a44c232

Download Submit
\??\c:\ntldr~6

Filesize
1.4MB

MD5
d0ebdc26e859862e8b10d50cba1c8aaf

SHA1
8ad2f3f733a5c0c76c2eb3c745ef41cab4a73d13

SHA256
bdd48c8319795851a879202b5932f8418ddc6b89fbfe4b20a799183a01a5b278

SHA512
dd361b90ba029536d6ebff2a56eb34ce66dde902f97c627c6aed3fc17e398a8bca68555b03472b2a0f6212c34dccc5dc1cb2b91705ff5ff7aaa9fe07a4266441

Download Submit
\??\c:\ntldr~6

Filesize
1.4MB

MD5
21f4bcd8cfc1423796d50db817b4a251

SHA1
b3ea6bad925199c22242ad354fe9bc2fe053094a

SHA256
51ddee491f130c296b3327877ad9ff8fb3663873a709b3c2117e0b878112b2f6

SHA512
507d27e70d06b462e0b8551d4272b2a01003fc6514c5f5d38b03c348f3d4f14782e484c1691521ff5c5d31a96bd283d4b6d62876912460ea074d379ee8d92031

Download Submit
\??\c:\ntldr~6

Filesize
1.4MB

MD5
c667ba03168a0a9fe1fb3122eadb248a

SHA1
3b8c80f63573a37b107267005dec5123afb18c3a

SHA256
8a2df542db04272b180ee8330172f683391ec4bc6bc4e96f94551652c628f019

SHA512
20c0123dcdd0e2fd98279e6f32ea70ac23d5c6961c89dea0d8138595ffc6628310dd33cf60cf9797d209ff02aebdc355887f340b3a118268c01240ae7dc84ed8

Download Submit
\Windows\SysWOW64\UpdatAuto.exe

Filesize
1.4MB

MD5
ba2ee988f7eafd89072c13ff80a582cf

SHA1
ded12a274cec7f52b34552cd4fcae09ea0249b28

SHA256
9b67b644068bfc4b8971ae21e7b2c375107229932e01b163abd3267389965548

SHA512
09829cd83f3959d0071871aec4418888337739cec4ef3e07e6803ebb322ad7956f0a0a1b83f48b041a7bf0babf9412a97454543b8c82b7362f8c76f986bc3894

Download Submit