Analysis
max time kernel: 150s
max time network: 143s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-06-2024 04:06
Static task: static1
Behavioral task: behavioral1
    Sample: c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
    Resource: win10v2004-20240508-en
Behavioral task: behavioral2
    Sample: c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
    Resource: win11-20240508-en
General
Target: c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
Size: 5.3MB
MD5: 3974c5d0b92366bbc9af950c8d7f898d
SHA1: 1b141b9cced64d1b86cd9d3460062ee7ecd34357
SHA256: c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820
SHA512: 6b786fcf6ad40c3f8007e55242db7794f640177f3394a49a3ac9dc3b6cf3588eefe8e3db8ed21d9fcc3962de50d48c6c28867ab92a7da324389e19b9642170fa
SSDEEP: 98304:6dabsLaGmmo105PwezFkinGRvGmWxsEI9KHkfK7JwzlHhvSasMwpHNr:6E1m1iiEuf9WN6Qm5
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1848 | powershell.exe
4408 | powershell.exe
Creates new service(s) 2 TTPs
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\etc\hosts | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
File created | C:\Windows\system32\drivers\etc\hosts | updater.exe
Executes dropped EXE 1 IoCs
pid | Process
2276 | updater.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\MRT.exe | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | updater.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 1216 set thread context of 2220 | 1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe | 88
PID 2276 set thread context of 4764 | 2276 | updater.exe | 111
PID 2276 set thread context of 3344 | 2276 | updater.exe | 114
PID 2276 set thread context of 2980 | 2276 | updater.exe | 117
Launches sc.exe 4 IoCs
sc.exe is a Windows utility for controlling services on the system.
pid | Process
4952 | sc.exe
2840 | sc.exe
408 | sc.exe
2440 | sc.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
Modifies data under HKEY_USERS 60 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717387691" | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Jun 2024 04:08:13 GMT" | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={429B9DBB-3190-43E3-8E20-2F0160FF5EEB}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
1848 | powershell.exe
1848 | powershell.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe
2276 | updater.exe
4408 | powershell.exe
4408 | powershell.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
4408 | powershell.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
4408 | powershell.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
4408 | powershell.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
2276 | updater.exe
2276 | updater.exe
2276 | updater.exe
2276 | updater.exe
2276 | updater.exe
2276 | updater.exe
2276 | updater.exe
2220 | dialer.exe
2220 | dialer.exe
4764 | dialer.exe
4764 | dialer.exe
2276 | updater.exe
2220 | dialer.exe
2220 | dialer.exe
2220 | dialer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1848 | powershell.exe
Token: SeDebugPrivilege | 2220 | dialer.exe
Token: SeShutdownPrivilege | 1312 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1312 | powercfg.exe
Token: SeShutdownPrivilege | 4252 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4252 | powercfg.exe
Token: SeShutdownPrivilege | 1400 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1400 | powercfg.exe
Token: SeShutdownPrivilege | 3612 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3612 | powercfg.exe
Token: SeDebugPrivilege | 4408 | powershell.exe
Token: SeDebugPrivilege | 4764 | dialer.exe
Token: SeShutdownPrivilege | 4620 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4620 | powercfg.exe
Token: SeShutdownPrivilege | 3464 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3464 | powercfg.exe
Token: SeShutdownPrivilege | 1216 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1216 | powercfg.exe
Token: SeShutdownPrivilege | 2740 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2740 | powercfg.exe
Token: SeLockMemoryPrivilege | 2980 | dialer.exe
Token: SeAssignPrimaryTokenPrivilege | 2712 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2712 | svchost.exe
Token: SeSecurityPrivilege | 2712 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2712 | svchost.exe
Token: SeLoadDriverPrivilege | 2712 | svchost.exe
Token: SeSystemtimePrivilege | 2712 | svchost.exe
Token: SeBackupPrivilege | 2712 | svchost.exe
Token: SeRestorePrivilege | 2712 | svchost.exe
Token: SeShutdownPrivilege | 2712 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2712 | svchost.exe
Token: SeUndockPrivilege | 2712 | svchost.exe
Token: SeManageVolumePrivilege | 2712 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 2712 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2712 | svchost.exe
Token: SeSecurityPrivilege | 2712 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2712 | svchost.exe
Token: SeLoadDriverPrivilege | 2712 | svchost.exe
Token: SeSystemtimePrivilege | 2712 | svchost.exe
Token: SeBackupPrivilege | 2712 | svchost.exe
Token: SeRestorePrivilege | 2712 | svchost.exe
Token: SeShutdownPrivilege | 2712 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2712 | svchost.exe
Token: SeUndockPrivilege | 2712 | svchost.exe
Token: SeManageVolumePrivilege | 2712 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 2712 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2712 | svchost.exe
Token: SeSecurityPrivilege | 2712 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2712 | svchost.exe
Token: SeLoadDriverPrivilege | 2712 | svchost.exe
Token: SeSystemtimePrivilege | 2712 | svchost.exe
Token: SeBackupPrivilege | 2712 | svchost.exe
Token: SeRestorePrivilege | 2712 | svchost.exe
Token: SeShutdownPrivilege | 2712 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2712 | svchost.exe
Token: SeUndockPrivilege | 2712 | svchost.exe
Token: SeManageVolumePrivilege | 2712 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 2712 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2712 | svchost.exe
Token: SeSecurityPrivilege | 2712 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2712 | svchost.exe
Token: SeLoadDriverPrivilege | 2712 | svchost.exe
Token: SeSystemtimePrivilege | 2712 | svchost.exe
Token: SeBackupPrivilege | 2712 | svchost.exe
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3264 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1216 wrote to memory of 2220 | 1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe | 88
PID 1216 wrote to memory of 2220 | 1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe | 88
PID 1216 wrote to memory of 2220 | 1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe | 88
PID 1216 wrote to memory of 2220 | 1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe | 88
PID 1216 wrote to memory of 2220 | 1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe | 88
PID 1216 wrote to memory of 2220 | 1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe | 88
PID 1216 wrote to memory of 2220 | 1216 | c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe | 88
PID 2220 wrote to memory of 636 | 2220 | dialer.exe | 5
PID 2220 wrote to memory of 688 | 2220 | dialer.exe | 7
PID 2220 wrote to memory of 988 | 2220 | dialer.exe | 12
PID 2220 wrote to memory of 448 | 2220 | dialer.exe | 13
PID 2220 wrote to memory of 640 | 2220 | dialer.exe | 14
PID 2220 wrote to memory of 720 | 2220 | dialer.exe | 15
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 2220 wrote to memory of 1092 | 2220 | dialer.exe | 17
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 2220 wrote to memory of 1196 | 2220 | dialer.exe | 18
PID 2220 wrote to memory of 1204 | 2220 | dialer.exe | 19
PID 2220 wrote to memory of 1244 | 2220 | dialer.exe | 20
PID 752 wrote to memory of 1676 | 752 | cmd.exe | 102
PID 752 wrote to memory of 1676 | 752 | cmd.exe | 102
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 2220 wrote to memory of 1292 | 2220 | dialer.exe | 21
PID 2220 wrote to memory of 1320 | 2220 | dialer.exe | 22
PID 2220 wrote to memory of 1360 | 2220 | dialer.exe | 23
PID 2220 wrote to memory of 1452 | 2220 | dialer.exe | 24
PID 2220 wrote to memory of 1464 | 2220 | dialer.exe | 25
PID 2220 wrote to memory of 1528 | 2220 | dialer.exe | 26
PID 2220 wrote to memory of 1548 | 2220 | dialer.exe | 27
PID 2220 wrote to memory of 1704 | 2220 | dialer.exe | 28
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 2220 wrote to memory of 1752 | 2220 | dialer.exe | 29
PID 688 wrote to memory of 2668 | 688 | lsass.exe | 45
PID 2220 wrote to memory of 1780 | 2220 | dialer.exe | 30
PID 2220 wrote to memory of 1812 | 2220 | dialer.exe | 31
PID 2220 wrote to memory of 1856 | 2220 | dialer.exe | 32
PID 2220 wrote to memory of 1864 | 2220 | dialer.exe | 33
PID 2220 wrote to memory of 1880 | 2220 | dialer.exe | 34
PID 2220 wrote to memory of 1968 | 2220 | dialer.exe | 35
PID 2220 wrote to memory of 1988 | 2220 | dialer.exe | 36
PID 2220 wrote to memory of 2068 | 2220 | dialer.exe | 37
PID 2220 wrote to memory of 2244 | 2220 | dialer.exe | 39
PID 2220 wrote to memory of 2376 | 2220 | dialer.exe | 40
PID 2220 wrote to memory of 2532 | 2220 | dialer.exe | 41
PID 2220 wrote to memory of 2540 | 2220 | dialer.exe | 42
PID 2220 wrote to memory of 2596 | 2220 | dialer.exe | 43
PID 2220 wrote to memory of 2660 | 2220 | dialer.exe | 44
PID 2220 wrote to memory of 2668 | 2220 | dialer.exe | 45
PID 2220 wrote to memory of 2704 | 2220 | dialer.exe | 46
PID 2220 wrote to memory of 2712 | 2220 | dialer.exe | 47
PID 2220 wrote to memory of 2720 | 2220 | dialer.exe | 48
PID 2220 wrote to memory of 2876 | 2220 | dialer.exe | 49
PID 2220 wrote to memory of 2904 | 2220 | dialer.exe | 50
PID 2220 wrote to memory of 3096 | 2220 | dialer.exe | 51
PID 2220 wrote to memory of 3264 | 2220 | dialer.exe | 52
PID 2220 wrote to memory of 3440 | 2220 | dialer.exe | 53
PID 2220 wrote to memory of 3480 | 2220 | dialer.exe | 54
PID 2220 wrote to memory of 3852 | 2220 | dialer.exe | 57
PID 2220 wrote to memory of 3948 | 2220 | dialer.exe | 58
Processes
(image path | command line | PID; children indented under their parent; matched signatures listed beneath each process)
C:\Windows\system32\winlogon.exe | winlogon.exe | PID:636
    C:\Windows\system32\dwm.exe | "dwm.exe" | PID:448
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:688
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:988
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:640
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:720
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1092
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1196
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1204
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1244
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1292
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1320
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm | PID:1360
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1452
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1464
    C:\Windows\system32\sihost.exe | sihost.exe | PID:2876
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1528
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1548
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1704
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1752
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | PID:1780
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1812
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1856
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1864
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1880
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:1968
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:1988
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:2068
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2244
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2376
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2532
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2540
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | PID:2596
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID:2660
C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID:2668
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID:2704
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:2712
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID:2720
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2904
C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:3096
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3264
  - Suspicious use of UnmapMainImage
    C:\Users\Admin\AppData\Local\Temp\c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe | "C:\Users\Admin\AppData\Local\Temp\c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820.exe" | PID:1216
      - Drops file in Drivers directory
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID:1848
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID:752
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID:1676
        C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 | PID:1312
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 | PID:4252
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 | PID:1400
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 | PID:3612
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID:2220
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" | PID:2840
          - Launches sc.exe
        C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" | PID:408
          - Launches sc.exe
        C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | PID:4952
          - Launches sc.exe
        C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" | PID:2440
          - Launches sc.exe
            C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1520
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3440
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | PID:3480
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3852
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3948
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc | PID:4040
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:4060
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} | PID:4340
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc | PID:4448
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | PID:3380
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID:1112
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID:2296
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID:3104
  - Modifies data under HKEY_USERS
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID:664
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID:2504
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID:3140
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | PID:3488
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3432
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:760
C:\ProgramData\Google\Chrome\updater.exe | C:\ProgramData\Google\Chrome\updater.exe | PID:2276
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID:4408
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3700
    C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID:1088
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5076
        C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID:4964
    C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 | PID:3464
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1572
    C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 | PID:1216
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2920
    C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 | PID:4620
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4820
    C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 | PID:2740
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1252
    C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID:4764
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID:3344
    C:\Windows\system32\dialer.exe | dialer.exe | PID:2980
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID:4608
  - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5.3MB
MD5: 3974c5d0b92366bbc9af950c8d7f898d
SHA1: 1b141b9cced64d1b86cd9d3460062ee7ecd34357
SHA256: c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820
SHA512: 6b786fcf6ad40c3f8007e55242db7794f640177f3394a49a3ac9dc3b6cf3588eefe8e3db8ed21d9fcc3962de50d48c6c28867ab92a7da324389e19b9642170fa

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 3KB
MD5: 00930b40cba79465b7a38ed0449d1449
SHA1: 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256: eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512: cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62