aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc

Analysis

max time kernel
104s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer2.exe
Size

16.2MB
MD5

5aece647826a6f39a8bb8b17cd4186d6
SHA1

446ba99bb2ca06fed22c0019a5e8671e7e3f1e62
SHA256

aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc
SHA512

3997bf2eed4ebd50d7ba558bfd0c54222b53e6f1776e1499edc77de4ee8075bb0b712fde9a9a4c287f964bb86fcc3bd99f78e3012d2c7870b38810821939e9f4
SSDEEP

393216:A/53AXVAd5y2XjI4j10HlDR4K55RUGOtdMPFSeUP:GqUy+j1a9yPkFvU

Score

8^/10

evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3016	powershell.exe
536	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	installer2.exe
File created	C:\Windows\system32\drivers\etc\hosts	WindowsAutHost

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WindowsAutHost\ImagePath = "C:\\ProgramData\\WindowsServices\\WindowsAutHost"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2644	WindowsAutHost

Loads dropped DLL 2 IoCs

pid	Process
476	services.exe
476	services.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	installer2.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\MRT.exe	WindowsAutHost
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2884	installer2.exe
2884	installer2.exe
2644	WindowsAutHost
2644	WindowsAutHost

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 3056	2884	installer2.exe	51
PID 2644 set thread context of 1752	2644	WindowsAutHost	81
PID 2644 set thread context of 684	2644	WindowsAutHost	84
PID 2644 set thread context of 444	2644	WindowsAutHost	86

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2560	sc.exe
1988	sc.exe
1084	sc.exe
2740	sc.exe
2480	sc.exe
2140	sc.exe
2636	sc.exe
2788	sc.exe
1332	sc.exe
1140	sc.exe
932	sc.exe
1624	sc.exe
2624	sc.exe
2936	sc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e010751e95beda01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	installer2.exe
2884	installer2.exe
3016	powershell.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
2884	installer2.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
2884	installer2.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
2884	installer2.exe
2884	installer2.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
2644	WindowsAutHost
3056	dialer.exe
3056	dialer.exe
2644	WindowsAutHost
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
536	powershell.exe
3056	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2884	installer2.exe
Token: SeShutdownPrivilege	2484	powercfg.exe
Token: SeShutdownPrivilege	2476	powercfg.exe
Token: SeDebugPrivilege	3056	dialer.exe
Token: SeShutdownPrivilege	2492	powercfg.exe
Token: SeShutdownPrivilege	2540	powercfg.exe
Token: SeAuditPrivilege	852	svchost.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2644	WindowsAutHost
Token: SeDebugPrivilege	1752	dialer.exe
Token: SeShutdownPrivilege	2904	powercfg.exe
Token: SeShutdownPrivilege	1256	powercfg.exe
Token: SeShutdownPrivilege	2300	powercfg.exe
Token: SeShutdownPrivilege	2100	powercfg.exe
Token: SeLockMemoryPrivilege	444	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2600	2580	cmd.exe	34
PID 2580 wrote to memory of 2600	2580	cmd.exe	34
PID 2580 wrote to memory of 2600	2580	cmd.exe	34
PID 2884 wrote to memory of 3056	2884	installer2.exe	51
PID 2884 wrote to memory of 3056	2884	installer2.exe	51
PID 2884 wrote to memory of 3056	2884	installer2.exe	51
PID 2884 wrote to memory of 3056	2884	installer2.exe	51
PID 2884 wrote to memory of 3056	2884	installer2.exe	51
PID 2884 wrote to memory of 3056	2884	installer2.exe	51
PID 2884 wrote to memory of 3056	2884	installer2.exe	51
PID 3056 wrote to memory of 432	3056	dialer.exe	5
PID 3056 wrote to memory of 476	3056	dialer.exe	6
PID 3056 wrote to memory of 492	3056	dialer.exe	7
PID 3056 wrote to memory of 500	3056	dialer.exe	8
PID 3056 wrote to memory of 600	3056	dialer.exe	9
PID 3056 wrote to memory of 668	3056	dialer.exe	10
PID 3056 wrote to memory of 740	3056	dialer.exe	11
PID 3056 wrote to memory of 804	3056	dialer.exe	12
PID 3056 wrote to memory of 852	3056	dialer.exe	13
PID 3056 wrote to memory of 988	3056	dialer.exe	15
PID 3056 wrote to memory of 288	3056	dialer.exe	16
PID 3056 wrote to memory of 976	3056	dialer.exe	17
PID 3056 wrote to memory of 328	3056	dialer.exe	18
PID 3056 wrote to memory of 1236	3056	dialer.exe	19
PID 3056 wrote to memory of 1340	3056	dialer.exe	20
PID 3056 wrote to memory of 1380	3056	dialer.exe	21
PID 3056 wrote to memory of 1680	3056	dialer.exe	23
PID 3056 wrote to memory of 1304	3056	dialer.exe	24
PID 3056 wrote to memory of 2248	3056	dialer.exe	25
PID 3056 wrote to memory of 2884	3056	dialer.exe	27
PID 3056 wrote to memory of 2476	3056	dialer.exe	43
PID 3056 wrote to memory of 2484	3056	dialer.exe	44
PID 3056 wrote to memory of 2492	3056	dialer.exe	45
PID 3056 wrote to memory of 2504	3056	dialer.exe	46
PID 3056 wrote to memory of 2540	3056	dialer.exe	49
PID 3056 wrote to memory of 2548	3056	dialer.exe	47
PID 3056 wrote to memory of 2396	3056	dialer.exe	48
PID 3056 wrote to memory of 2816	3056	dialer.exe	50
PID 3056 wrote to memory of 2936	3056	dialer.exe	52
PID 3056 wrote to memory of 1060	3056	dialer.exe	53
PID 3056 wrote to memory of 2560	3056	dialer.exe	54
PID 3056 wrote to memory of 2900	3056	dialer.exe	55
PID 3056 wrote to memory of 2140	3056	dialer.exe	56
PID 3056 wrote to memory of 2624	3056	dialer.exe	57
PID 3056 wrote to memory of 2408	3056	dialer.exe	58
PID 3056 wrote to memory of 2800	3056	dialer.exe	59
PID 3056 wrote to memory of 2644	3056	dialer.exe	60
PID 476 wrote to memory of 2644	476	services.exe	60
PID 476 wrote to memory of 2644	476	services.exe	60
PID 476 wrote to memory of 2644	476	services.exe	60
PID 3056 wrote to memory of 2644	3056	dialer.exe	60
PID 3056 wrote to memory of 536	3056	dialer.exe	61
PID 3056 wrote to memory of 700	3056	dialer.exe	62
PID 1768 wrote to memory of 1088	1768	cmd.exe	67
PID 1768 wrote to memory of 1088	1768	cmd.exe	67
PID 1768 wrote to memory of 1088	1768	cmd.exe	67
PID 3056 wrote to memory of 932	3056	dialer.exe	74
PID 3056 wrote to memory of 948	3056	dialer.exe	75
PID 2644 wrote to memory of 1752	2644	WindowsAutHost	81
PID 2644 wrote to memory of 1752	2644	WindowsAutHost	81
PID 2644 wrote to memory of 1752	2644	WindowsAutHost	81
PID 2644 wrote to memory of 1752	2644	WindowsAutHost	81
PID 2644 wrote to memory of 1752	2644	WindowsAutHost	81
PID 2644 wrote to memory of 1752	2644	WindowsAutHost	81

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1680
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:2056
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2796
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Drops file in System32 directory
  PID:740
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:804
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3020
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:988
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:288
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:976
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:328
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1236
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1304
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2248
- C:\ProgramData\WindowsServices\WindowsAutHost
  C:\ProgramData\WindowsServices\WindowsAutHost
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1088
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1988
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1084
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1332
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1140
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:932
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:684
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:444

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380
- C:\Users\Admin\AppData\Local\Temp\installer2.exe
  "C:\Users\Admin\AppData\Local\Temp\installer2.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2600
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2740
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2480
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2636
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2788
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1624
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WindowsAutHost"
    3⤵
    - Launches sc.exe
    PID:2936
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2560
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2140
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsAutHost"
    3⤵
    - Launches sc.exe
    PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "971403760-242680082491373967-1465486219-1023917253-16853753171704139353-1861231059"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15697623574309027471997887761-670912422-5576545821393660230-136357642-1912639326"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1928595639-391000312-1564616572379665693-14174355891716748532929757081312571491"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "197417493311156821026637542761830244808-1073825485-2140438362-30067245727760139"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "213947904315447800231513134208-22673191611815382461915151011421157813856397693"
1⤵
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-443647442-13389371742130454766-1871170792-5826473881523965321-1226723154-1044000520"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2118291159-217010244-1475244304-2012536494-2202332951886878023-5004324501526669720"
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1510987486211453566213120189201561118029575446285-20088571851013907360-1329096422"
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1751049416299206510-18384520831271899527867997707-170746579610495421112575638"
1⤵
PID:700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9833067752115314206-1779697081-1557117724-146737824512625435771586620037558454962"
1⤵
PID:948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1252458756-20856332631848787981-1198910589-965202024-14685203931832939140378074090"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "986131141-563199690858758502-110614307308056974942810467607932461108843636"
1⤵
PID:2292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2134987960-1929312048826453260-1541602140-647404019-601228362790366643-1002460713"
1⤵
PID:268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-495060021-18757445731936353299-192173208116641602849174945241818206663-2059223842"
1⤵
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc007.dat

Filesize
141KB

MD5
cea1b98ec0c3919cc62c836e00c68863

SHA1
e02600d4cb930ce357e0df3a1acf3a33ad238fa3

SHA256
8f44cd24382a3719b6fe3b0866286f4543257629b087fba76bc43158c22faed6

SHA512
af44659dfa613c9a30761b996453e5ff6b5d7ed1e5e5b1003b2f2d6348507bbc4ccd54ced36981fb50706ce880cea69994cfbafccfeb1e19f23c05623c198644

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
150KB

MD5
5fe26038676903a26f9b5c18cb89a3af

SHA1
7733ca2859fd63d4031cae579ef969b3c1c40697

SHA256
c93baa487d4cc947ade03b8198e8031a2e85285e3a8681d8b42b35bdfc2bba6f

SHA512
2e3ed43d68df58b6fa15bd13587ddcccf6396d688a27f7122f89f56373af2f46356f7279fd08a41d673903e82af159d383b245f73bfc69de370e5bb699b03c4a

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
145KB

MD5
649979c27165dfc93c1cf11775428da6

SHA1
cbf7455fc81cdbf71ae3314450a61fd4302d7fde

SHA256
1f213394b70127c4ee8547152d86df351542480db8c4fc7e420f39d17b51fe12

SHA512
c1eb80c52d8a9385436f4f4e8c0c0b442fd57f8edbec513457ed2657a43f11ddebb607686886458d662091251fbcc1f70f1c9a3fda4aad149e7db62c85516479

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
142KB

MD5
71b854c727e136df2704232789a09457

SHA1
015010461e0c9f499047591ae850c9d013a04f33

SHA256
aa180f83eff8188abc3594032c36a545bb81d9fa01973aa74cf3977f2eeb2459

SHA512
17e31ecf14815d4387acc86f34591ce16ccc099557bc2265135be62314d4c6f0946d9472690de8c43313d1839112556ffeee91322dcd656830be234511b1a9f0

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
bee5d91b496fb80f633b314b1dbb55eb

SHA1
25c99dd2d14166bdb16a3b0238204fa8c0094780

SHA256
60f1cd5bc3deb6245e628c6be28bb5425e9c9c24437832929f4d55265ce51334

SHA512
468c5745197bf8a044236dcb86ee398d269e35ef1c93bceb171c9e99bd2bcb39240cbe8280daa8f3d0af4f93b616a47d5d73188c3d2fce244f9ad2e089e2f460

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
680KB

MD5
220df61b175833576d19fff523852821

SHA1
4317536eb410fea8d973f206b738cd75c9a47206

SHA256
d2f2cc2ff9a6456c906e1fe2ff5a984816bebd39bf8dc4cf3754544217417957

SHA512
a4803c2ffa8ef6376a710557d671b774fe2ed348f361acf6993107c58edba8ece44bfd3418be53983b6f7e5de333d5372d69fa322187eb05643c624a4e25b5dc

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
646KB

MD5
37885b76096a2f23812cf8bcb3c8c5b6

SHA1
f10982bf72c9789536c91c0215249df22275ae4f

SHA256
367d652538db898659975b0d4cdab0d315371f033620190a00e1ed1d26cf0869

SHA512
5da9405912668c32278734baa7b22091177517e7c6a14008574be5457ab9c16ee1dc5cb0536aba52ba81290d79e15845d50166f66ad687ae3622767b320e77c8

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
727KB

MD5
2eba25ba6040e2d53c5db7c8fecefa23

SHA1
34eb445305ab9d79ce384e55896d4ee137c79988

SHA256
fe17cf4c5bff5dd43b0d2fde70a94ff6dabdf09432de91ca579ac156fb0dc8a3

SHA512
1a1f0fa7bfb22115fc79efb097d043afe78c0bc2db0bcd8b1d94e8f2d649b2d72c193b9aca29a11f0b106a6a3b79811840d3322e25658ff221409af258e053d0

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
727KB

MD5
78551fda9730bb582b9622a3f2b71eef

SHA1
51aad2de44090656938526b2f974a2253b77b6b2

SHA256
3b01e337147a2415e22ea0aae0af4617e8a368a80eeb590765982edacc23e8c3

SHA512
a4e725ea80aceee54d74682cf436649e1cfca140a7db1b8909556b2e2c2c0d3b5b890fe44c614c17a7d8544a178e1871edf9bb9d1c99e96f3799de6a7936af7b

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
722KB

MD5
37997b4a765e0df0944deb7b3c68fc9f

SHA1
7f70b0f88f8353e6e382f80b38d47736e2de81ca

SHA256
f82abb5bf658ddc5bbf83b786d83636f830494a3c259140cab60e52582c87ac6

SHA512
e28605ce84f795aa8b100c8da3129a8ed370861bd229265f0a1093fbb0ec5ed13e78657f30f266a707848e1f651543b4dc5fdf5ad61ed5e61b1e68ff03dcb25c

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
406KB

MD5
0e026eb49e299091e1b0052091c3054d

SHA1
bc2ba534a80f8eb70513fc3a21b8189bcb66e7a3

SHA256
7c61b56375d8dea0a9e1992763fd118b717898fe3a58270288026caad3c29e44

SHA512
b4eff969eb5ae37219fa865b9b3649a64aa4f022cc4d1bacb44af06bdaf0bb6d8ff764cc0f2d0d5596895a24a8e30ffdbff28065ed84e3fcfdfe1087c417b2a8

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
27KB

MD5
46d08e3a55f007c523ac64dce6dcf478

SHA1
62edf88697e98d43f32090a2197bead7e7244245

SHA256
5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614

SHA512
b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
f7892522ff70f44411dd60ed28638405

SHA1
ab16eb12875ff707bb10949670a2b6d6659b41c5

SHA256
32f44736ff15641ef054638c865384fcc4de2ac5bccc6bb123f19b55bd90d522

SHA512
d4e5c97a84d5202044c2c7739a6a75ab6c4ff70efaed2af4789c9fcc278ce39b064f280de93a61b638b626ab40a25b1d110253244807704601456791c1384bdc

Download Submit
\ProgramData\WindowsServices\WindowsAutHost

Filesize
16.2MB

MD5
5aece647826a6f39a8bb8b17cd4186d6

SHA1
446ba99bb2ca06fed22c0019a5e8671e7e3f1e62

SHA256
aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc

SHA512
3997bf2eed4ebd50d7ba558bfd0c54222b53e6f1776e1499edc77de4ee8075bb0b712fde9a9a4c287f964bb86fcc3bd99f78e3012d2c7870b38810821939e9f4

Download Submit
memory/432-60-0x000007FEBE4B0000-0x000007FEBE4C0000-memory.dmp

Filesize
64KB

Download
memory/432-42-0x0000000000B80000-0x0000000000BA4000-memory.dmp

Filesize
144KB

Download
memory/432-40-0x0000000000B80000-0x0000000000BA4000-memory.dmp

Filesize
144KB

Download
memory/432-43-0x0000000000BB0000-0x0000000000BDB000-memory.dmp

Filesize
172KB

Download
memory/432-61-0x0000000037960000-0x0000000037970000-memory.dmp

Filesize
64KB

Download
memory/476-64-0x0000000037960000-0x0000000037970000-memory.dmp

Filesize
64KB

Download
memory/476-47-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/476-63-0x000007FEBE4B0000-0x000007FEBE4C0000-memory.dmp

Filesize
64KB

Download
memory/492-72-0x0000000037960000-0x0000000037970000-memory.dmp

Filesize
64KB

Download
memory/492-71-0x000007FEBE4B0000-0x000007FEBE4C0000-memory.dmp

Filesize
64KB

Download
memory/492-69-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/536-344-0x000000001A140000-0x000000001A422000-memory.dmp

Filesize
2.9MB

Download
memory/536-345-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/2884-0-0x000000013F983000-0x000000014009E000-memory.dmp

Filesize
7.1MB

Download
memory/2884-8-0x0000000077AE0000-0x0000000077AE2000-memory.dmp

Filesize
8KB

Download
memory/2884-5-0x0000000077AD0000-0x0000000077AD2000-memory.dmp

Filesize
8KB

Download
memory/2884-1-0x0000000077AD0000-0x0000000077AD2000-memory.dmp

Filesize
8KB

Download
memory/2884-3-0x0000000077AD0000-0x0000000077AD2000-memory.dmp

Filesize
8KB

Download
memory/2884-6-0x0000000077AE0000-0x0000000077AE2000-memory.dmp

Filesize
8KB

Download
memory/2884-11-0x000000013F440000-0x00000001410DC000-memory.dmp

Filesize
28.6MB

Download
memory/2884-14-0x000000013F440000-0x00000001410DC000-memory.dmp

Filesize
28.6MB

Download
memory/2884-314-0x000000013F440000-0x00000001410DC000-memory.dmp

Filesize
28.6MB

Download
memory/2884-278-0x000000013F983000-0x000000014009E000-memory.dmp

Filesize
7.1MB

Download
memory/2884-10-0x0000000077AE0000-0x0000000077AE2000-memory.dmp

Filesize
8KB

Download
memory/3016-20-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/3016-25-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

Filesize
9.6MB

Download
memory/3016-27-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

Filesize
9.6MB

Download
memory/3016-24-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

Filesize
9.6MB

Download
memory/3016-23-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

Filesize
9.6MB

Download
memory/3016-21-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/3016-22-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

Filesize
9.6MB

Download
memory/3016-26-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

Filesize
9.6MB

Download
memory/3016-19-0x000007FEF621E000-0x000007FEF621F000-memory.dmp

Filesize
4KB

Download
memory/3056-30-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3056-31-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3056-32-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3056-37-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3056-36-0x0000000077800000-0x000000007791F000-memory.dmp

Filesize
1.1MB

Download
memory/3056-29-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3056-34-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3056-35-0x0000000077920000-0x0000000077AC9000-memory.dmp

Filesize
1.7MB

Download