Analysis
-
max time kernel
602s -
max time network
603s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
30-04-2024 18:16
Static task
static1
Behavioral task
behavioral1
Sample
Baff-Client.exe
Resource
win10v2004-20240226-en
General
-
Target
Baff-Client.exe
-
Size
2.5MB
-
MD5
9fd0f7db06bff594211a07bf5a8d0c5f
-
SHA1
16d1c8cbf0e88d6f3072496e2cf2e23aa9a8b73c
-
SHA256
c2fe031b82902573e409659f73e1dd19ac2ce404bcc6d15d2f2d41f5988294b6
-
SHA512
d7d1cd5ca652c7a503f71c0f2f606ee8f71ea88b65d2cfebae65e794134bead7612c4684967a2d5f514aaebb0d4aa7eecb74ca8910536e656bcc65cfcaa18c27
-
SSDEEP
49152:9u+uYrkM0Xfv7AMVjp96KqkQQ/+MPZrzru8Rtw:9pE7X6KqJoVvu8
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023272-7.dat family_umbral behavioral1/memory/1508-14-0x0000020CC9E10000-0x0000020CC9E50000-memory.dmp family_umbral -
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Baff-Client.exe -
Executes dropped EXE 3 IoCs
pid Process 1508 Umbral.exe 4160 system.exe 1108 taskhostw.exe -
Drops file in System32 directory 15 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\MRT.exe system.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk DllHost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A OfficeClickToRun.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\MRT.exe taskhostw.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 4160 set thread context of 4944 4160 system.exe 120 PID 1108 set thread context of 1236 1108 taskhostw.exe 151 PID 1108 set thread context of 4792 1108 taskhostw.exe 153 PID 1108 set thread context of 3588 1108 taskhostw.exe 155 -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2104 sc.exe 1112 sc.exe 4784 sc.exe 4536 sc.exe 208 sc.exe 4032 sc.exe 4236 sc.exe 1420 sc.exe 4988 sc.exe 4620 sc.exe 3628 sc.exe 2196 sc.exe 4524 sc.exe 4292 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service wmiprvse.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 63 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={2D91B293-3CCF-4F1C-8471-7C9DB36D76A1}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 30 Apr 2024 18:18:27 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1714501103" OfficeClickToRun.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4160 system.exe 4772 powershell.exe 4772 powershell.exe 4772 powershell.exe 4160 system.exe 4160 system.exe 4160 system.exe 4160 system.exe 4160 system.exe 4160 system.exe 4160 system.exe 4160 system.exe 4160 system.exe 4160 system.exe 4160 system.exe 4160 system.exe 4944 dialer.exe 4944 dialer.exe 4160 system.exe 4160 system.exe 4160 system.exe 1108 taskhostw.exe 1744 powershell.exe 1744 powershell.exe 1744 powershell.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 1744 powershell.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 1744 powershell.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 1744 powershell.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 4944 dialer.exe 1744 powershell.exe 4944 dialer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1508 Umbral.exe Token: SeIncreaseQuotaPrivilege 3828 wmic.exe Token: SeSecurityPrivilege 3828 wmic.exe Token: SeTakeOwnershipPrivilege 3828 wmic.exe Token: SeLoadDriverPrivilege 3828 wmic.exe Token: SeSystemProfilePrivilege 3828 wmic.exe Token: SeSystemtimePrivilege 3828 wmic.exe Token: SeProfSingleProcessPrivilege 3828 wmic.exe Token: SeIncBasePriorityPrivilege 3828 wmic.exe Token: SeCreatePagefilePrivilege 3828 wmic.exe Token: SeBackupPrivilege 3828 wmic.exe Token: SeRestorePrivilege 3828 wmic.exe Token: SeShutdownPrivilege 3828 wmic.exe Token: SeDebugPrivilege 3828 wmic.exe Token: SeSystemEnvironmentPrivilege 3828 wmic.exe Token: SeRemoteShutdownPrivilege 3828 wmic.exe Token: SeUndockPrivilege 3828 wmic.exe Token: SeManageVolumePrivilege 3828 wmic.exe Token: 33 3828 wmic.exe Token: 34 3828 wmic.exe Token: 35 3828 wmic.exe Token: 36 3828 wmic.exe Token: SeDebugPrivilege 4772 powershell.exe Token: SeIncreaseQuotaPrivilege 3828 wmic.exe Token: SeSecurityPrivilege 3828 wmic.exe Token: SeTakeOwnershipPrivilege 3828 wmic.exe Token: SeLoadDriverPrivilege 3828 wmic.exe Token: SeSystemProfilePrivilege 3828 wmic.exe Token: SeSystemtimePrivilege 3828 wmic.exe Token: SeProfSingleProcessPrivilege 3828 wmic.exe Token: SeIncBasePriorityPrivilege 3828 wmic.exe Token: SeCreatePagefilePrivilege 3828 wmic.exe Token: SeBackupPrivilege 3828 wmic.exe Token: SeRestorePrivilege 3828 wmic.exe Token: SeShutdownPrivilege 3828 wmic.exe Token: SeDebugPrivilege 3828 wmic.exe Token: SeSystemEnvironmentPrivilege 3828 wmic.exe Token: SeRemoteShutdownPrivilege 3828 wmic.exe Token: SeUndockPrivilege 3828 wmic.exe Token: SeManageVolumePrivilege 3828 wmic.exe Token: 33 3828 wmic.exe Token: 34 3828 wmic.exe Token: 35 3828 wmic.exe Token: 36 3828 wmic.exe Token: SeDebugPrivilege 4160 system.exe Token: SeDebugPrivilege 4944 dialer.exe Token: SeShutdownPrivilege 2656 powercfg.exe Token: SeCreatePagefilePrivilege 2656 powercfg.exe Token: SeShutdownPrivilege 5004 powercfg.exe Token: SeCreatePagefilePrivilege 5004 powercfg.exe Token: SeShutdownPrivilege 2976 powercfg.exe Token: SeCreatePagefilePrivilege 2976 powercfg.exe Token: SeShutdownPrivilege 1496 powercfg.exe Token: SeCreatePagefilePrivilege 1496 powercfg.exe Token: SeDebugPrivilege 1744 powershell.exe Token: SeDebugPrivilege 1108 taskhostw.exe Token: SeDebugPrivilege 1236 dialer.exe Token: SeShutdownPrivilege 4712 powercfg.exe Token: SeCreatePagefilePrivilege 4712 powercfg.exe Token: SeShutdownPrivilege 1696 powercfg.exe Token: SeCreatePagefilePrivilege 1696 powercfg.exe Token: SeShutdownPrivilege 4416 powercfg.exe Token: SeCreatePagefilePrivilege 4416 powercfg.exe Token: SeShutdownPrivilege 3148 powercfg.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3444 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4196 wrote to memory of 1508 4196 Baff-Client.exe 92 PID 4196 wrote to memory of 1508 4196 Baff-Client.exe 92 PID 4196 wrote to memory of 4160 4196 Baff-Client.exe 93 PID 4196 wrote to memory of 4160 4196 Baff-Client.exe 93 PID 1508 wrote to memory of 3828 1508 Umbral.exe 96 PID 1508 wrote to memory of 3828 1508 Umbral.exe 96 PID 1844 wrote to memory of 3556 1844 cmd.exe 103 PID 1844 wrote to memory of 3556 1844 cmd.exe 103 PID 4160 wrote to memory of 4944 4160 system.exe 120 PID 4160 wrote to memory of 4944 4160 system.exe 120 PID 4160 wrote to memory of 4944 4160 system.exe 120 PID 4160 wrote to memory of 4944 4160 system.exe 120 PID 4160 wrote to memory of 4944 4160 system.exe 120 PID 4160 wrote to memory of 4944 4160 system.exe 120 PID 4160 wrote to memory of 4944 4160 system.exe 120 PID 4944 wrote to memory of 616 4944 dialer.exe 5 PID 4944 wrote to memory of 676 4944 dialer.exe 7 PID 4944 wrote to memory of 952 4944 dialer.exe 12 PID 4944 wrote to memory of 1020 4944 dialer.exe 13 PID 4944 wrote to memory of 396 4944 dialer.exe 14 PID 4944 wrote to memory of 1040 4944 dialer.exe 15 PID 4944 wrote to memory of 1056 4944 dialer.exe 16 PID 4944 wrote to memory of 1064 4944 dialer.exe 17 PID 4944 wrote to memory of 1208 4944 dialer.exe 19 PID 4944 wrote to memory of 1244 4944 dialer.exe 20 PID 4944 wrote to memory of 1252 4944 dialer.exe 21 PID 4944 wrote to memory of 1348 4944 dialer.exe 22 PID 4944 wrote to memory of 1384 4944 dialer.exe 23 PID 4944 wrote to memory of 1392 4944 dialer.exe 24 PID 4944 wrote to memory of 1524 4944 dialer.exe 25 PID 4944 wrote to memory of 1532 4944 dialer.exe 26 PID 4944 wrote to memory of 1540 4944 dialer.exe 27 PID 4944 wrote to memory of 1684 4944 dialer.exe 28 PID 4944 wrote to memory of 1724 4944 dialer.exe 29 PID 4944 wrote to memory of 1728 4944 dialer.exe 30 PID 4944 wrote to memory of 1824 4944 dialer.exe 31 PID 4944 wrote to memory of 1848 4944 dialer.exe 32 PID 4944 wrote to memory of 1952 4944 dialer.exe 33 PID 4944 wrote to memory of 1964 4944 dialer.exe 34 PID 4944 wrote to memory of 2028 4944 dialer.exe 35 PID 4944 wrote to memory of 2040 4944 dialer.exe 36 PID 4944 wrote to memory of 2076 4944 dialer.exe 37 PID 4944 wrote to memory of 2172 4944 dialer.exe 39 PID 4944 wrote to memory of 2260 4944 dialer.exe 40 PID 4944 wrote to memory of 2404 4944 dialer.exe 41 PID 4944 wrote to memory of 2412 4944 dialer.exe 42 PID 4944 wrote to memory of 2560 4944 dialer.exe 43 PID 4944 wrote to memory of 2572 4944 dialer.exe 44 PID 4944 wrote to memory of 2580 4944 dialer.exe 45 PID 4944 wrote to memory of 2616 4944 dialer.exe 46 PID 4944 wrote to memory of 2664 4944 dialer.exe 47 PID 4944 wrote to memory of 2704 4944 dialer.exe 48 PID 4944 wrote to memory of 2712 4944 dialer.exe 49 PID 4944 wrote to memory of 2752 4944 dialer.exe 50 PID 4944 wrote to memory of 2824 4944 dialer.exe 51 PID 4944 wrote to memory of 2952 4944 dialer.exe 52 PID 4944 wrote to memory of 1412 4944 dialer.exe 53 PID 4944 wrote to memory of 3160 4944 dialer.exe 54 PID 4944 wrote to memory of 3332 4944 dialer.exe 56 PID 4944 wrote to memory of 3512 4944 dialer.exe 57 PID 4944 wrote to memory of 3712 4944 dialer.exe 58 PID 4944 wrote to memory of 3932 4944 dialer.exe 60 PID 4944 wrote to memory of 3444 4944 dialer.exe 62 PID 4944 wrote to memory of 4704 4944 dialer.exe 64
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1020
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:396
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1040
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1064
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1208
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2824
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1244
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1348
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1384
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2572
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1532
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1684
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1724
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1728
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1824
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1848
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1964
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2028
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2040
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2076
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2172
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2260
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2404
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2560
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2580
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2616
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2664
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2704
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2712
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2952
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3160
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3332
-
C:\Users\Admin\AppData\Local\Temp\Baff-Client.exe"C:\Users\Admin\AppData\Local\Temp\Baff-Client.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3828
-
-
-
C:\Users\Admin\AppData\Local\Temp\system.exe"C:\Users\Admin\AppData\Local\Temp\system.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:3556
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:4620
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:4784
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:4236
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:1420
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:4292
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "svchost"4⤵
- Launches sc.exe
PID:4032
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "svchost" binpath= "C:\ProgramData\RunDLL\taskhostw.exe" start= "auto"4⤵
- Launches sc.exe
PID:3628
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:4536
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "svchost"4⤵
- Launches sc.exe
PID:2104 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4048
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3512
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3712
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3932
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:3444
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4704
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:5040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:3068
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3272
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4936
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:440
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4960
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
PID:3956
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2368
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:2780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵PID:3008
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffc9b282e98,0x7ffc9b282ea4,0x7ffc9b282eb02⤵PID:4916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2756 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:32⤵PID:2724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:82⤵PID:2304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:82⤵PID:628
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:64
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵PID:4232
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:4320
-
C:\ProgramData\RunDLL\taskhostw.exeC:\ProgramData\RunDLL\taskhostw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:3924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:216
-
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:448
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:208 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2656
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:1112 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4224
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:2196 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4264
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:4524 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1424
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:4988
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3676
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3060
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1608
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:3148 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:212
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:4792
-
-
C:\Windows\system32\dialer.exedialer.exe2⤵PID:3588
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD576c49b367b54f74ffc298b94e8fb2749
SHA1ffcf6c7d10e28a8f914a472a997867706affa8f6
SHA256b8aade7cebb2c6e0bb1d1aa8a2a7fa0724588dbcdad3f7b9ab5c27dd6859f7e2
SHA51298dd9efd16964d6721e767ff47a8e3c7e9653a369c1304e9d773e1a12ff335d2d65f8ebff53d81037eb3f67bff07fa60969d2a18ad87b28d51819e006de10001
-
Filesize
46KB
MD544703e6e682c58c76488f32e3c52c6ae
SHA1fda3cc3133c5c10a7a4b310d2883d3fa7bf8a893
SHA25687b1297e47d3844b8ec08ffe6520f009c1b236256102354d1563a690dca9c532
SHA512ef9a72bf82219a7fa65c183aad4be41d6bff85c251ac89923b37cee3258c7f37d57d3c1a793aba8dcd2c5e5a7b79d663fd2305cac7a677a1aef1b2a5378c49ba
-
Filesize
46KB
MD5343bf4520e1059b2b14f5810dcd90447
SHA1707579ccc1e6aed831ce3b4817d827a82b04bffe
SHA2569f9802fb67a1d4dfd5bd3952a95d76a4869a9d4eaf48dfdd8f9e6138b5705d47
SHA5127420525fb03bb1c48f90195f778baacc7bb57944e89c2998240f0ba8811b67abc7fe85f457fc98e0fff2ed7d3d8d55d871d22c78c52396a028e7cbe100ecc069
-
Filesize
229KB
MD5ac6dc91bec5d51b9b8f7b36642f875db
SHA1ebf088795549ec27047225f14b3263c7b022168e
SHA256cb32d0fc4534e19ae8009edacbe41b2aac5755b8c7bf233fd4c9b39a00f9b318
SHA512d44f953ea4aac986c5eea7242ad0d0b6143117781ab9f35537523ad0f4cf95b23c5aeb223ba74febba96afd9006b3f20edbc2bba2113661aa6d56368c93598da
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.8MB
MD5ee2b8fbe45fc687d5c663faf123f2a83
SHA13bfb69e0b6b37daca5aa2ab775f0f001bedb65fb
SHA256074ba9e9844deb09b96c1f5cd9ef62272ca42c93867b4f7c13e57df7e91fc55c
SHA5125f7ba11ca5509356c135e92e4de28196945250c27bf182586fdeaba944af3f5ddeba48beca286a96fc6f4156ea934306218c5fb470dd28d11f8157b9e5d5bf17
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize330B
MD529033a2c8141b1dc550b4eeb895477d5
SHA1a09ff811444ce4a20b43fc40221232d4ac532904
SHA2562740f55bbbd74253f36e0ec8b0168c097a922d6bbf6988a3fd2a186c060b09f1
SHA512deb1298f2f376c4969a689ec5e70ebea8f448fabb3439e7329c2444ed1ea2da5a75d6a8589cbf4e400ab4f04f108bf0f762419712ac6719ea4ed51712a72ef9f
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize330B
MD509bbe6367b4ddc82b484f7eb11dc1f9e
SHA1da3bd70e118da63239b3a6c7429a4ceef7bf7c91
SHA256cd95a962e23e685a719f3dfef56041a520348cb619247051a35caf5fa9653dfc
SHA5128cfe08bd93f20962c73056bdbbbcfa1ee353bb05a4b624034a187a02197b676ffe2de0ce8fd58847753da8626edefa8ed5357e51674ee3028556649db169e3d6
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize412B
MD5417e81158d3215e5c6fda263dd57b724
SHA1c887c0e6f89bed483feff000ce71b767412a0b6b
SHA25627207f627ecd769bff777c7a79fbf40c938856ddf036c5efe9ffa85516c1cb0c
SHA51242bb1d5f8b83710e1c3f8b9da8dde2ad4eec60eadc99c2bf7e792acfca8c9897533aa3c1db25575ae8a83c72051bd4fc3a8a1ae9a51dedfa6e57dcb74d941be8