Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- Max time kernel: 600s
- Max time network: 598s
- Platform: windows10-1703_x64
- Resource: win10-20240404-en
- Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- Submitted: 20/08/2024, 07:20
Static task: static1
Behavioral tasks:
- behavioral1: build.exe on win10-20240404-en
- behavioral2: build.exe on win7-20240708-en
- behavioral3: build.exe on win10-20240404-en
- behavioral4: build.exe on win10v2004-20240802-en
- behavioral5: build.exe on win11-20240802-en
General
- Target: build.exe
- Size: 7.1MB
- MD5: 03b4a7f20fdad6d69d148a3426b499af
- SHA1: 29c2f0d4a32776ba00c8dd882d35fdbfaec343ad
- SHA256: 54ec62ac33637ed3bf49e914bfb9e5245e12fbebfb91e44705cd08b29e05b59c
- SHA512: a2ba94f54a34a6e40d312ad63d71dec427ee3a80f300e97381f9541a6ac3fb67bc7095df38e045d088c893e92cc24058a93e02d9087c963cfbf1f6baf02c0b78
- SSDEEP: 196608:B/4iA3qoIyI47/Q3D+h6Pkvct9GcemuYX:B/3AaZDQ/Q3D+hEkUacxX
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  - PID 3464 powershell.exe
  - PID 1696 powershell.exe
- Creates new service(s) (2 TTPs)
- Executes dropped EXE (1 IoC)
  - PID 3484 yrzhndhoiexf.exe
- Indicator Removal: Clear Windows Event Logs (1 TTP, 2 IoCs)
  Clear Windows Event Logs to hide the activity of an intrusion.
  - File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx (svchost.exe)
  - File opened for modification: C:\Windows\System32\Winevt\Logs\Setup.evtx (svchost.exe)
- Drops file in System32 directory (18 IoCs)
- Suspicious use of SetThreadContext (4 IoCs)
  - PID 3616 build.exe set thread context of PID 1460 (procid_target 88)
  - PID 3484 yrzhndhoiexf.exe set thread context of PID 3908 (procid_target 113)
  - PID 3484 yrzhndhoiexf.exe set thread context of PID 1196 (procid_target 114)
  - PID 3484 yrzhndhoiexf.exe set thread context of PID 5100 (procid_target 115)
- Launches sc.exe (14 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  - sc.exe PIDs: 4960, 5028, 4188, 4304, 2516, 2444, 4428, 2516, 3124, 4952, 4360, 2040, 1720, 1696
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (wmiprvse.exe)
  - Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (wmiprvse.exe)
  - Key security queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (wmiprvse.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information (wmiprvse.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (wmiprvse.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (wmiprvse.exe)
- Modifies data under HKEY_USERS (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry shows the command line, the PID and, in brackets, the signatures triggered by that process; indentation follows the process tree.
- winlogon.exe (PID 584)
  - "dwm.exe" (PID 992)
- C:\Windows\system32\lsass.exe (PID 636)
- c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay (PID 740)
- c:\windows\system32\svchost.exe -k dcomlaunch -s LSM (PID 900)
- c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts (PID 360)
- c:\windows\system32\svchost.exe -k netsvcs -s gpsvc (PID 404)
- c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog (PID 1028) [Indicator Removal: Clear Windows Event Logs]
- c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService (PID 1068)
- c:\windows\system32\svchost.exe -k netsvcs -s Schedule (PID 1076)
  - taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} (PID 3100)
- c:\windows\system32\svchost.exe -k localservice -s nsi (PID 1172)
- c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc (PID 1204)
- c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp (PID 1300)
- c:\windows\system32\svchost.exe -k netsvcs -s Themes (PID 1308)
- c:\windows\system32\svchost.exe -k localservice -s EventSystem (PID 1324)
- c:\windows\system32\svchost.exe -k netsvcs -s SENS (PID 1444)
- c:\windows\system32\svchost.exe -k netsvcs -s UserManager (PID 1476)
  - sihost.exe (PID 2976)
- c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder (PID 1484)
- c:\windows\system32\svchost.exe -k networkservice -s NlaSvc (PID 1540)
- c:\windows\system32\svchost.exe -k networkservice -s Dnscache (PID 1560)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted (PID 1672)
- c:\windows\system32\svchost.exe -k localservice -s netprofm (PID 1772)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted (PID 1784)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted (PID 1800)
- c:\windows\system32\svchost.exe -k appmodel -s StateRepository (PID 1824)
- c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection (PID 1936)
- C:\Windows\System32\spoolsv.exe (PID 2012)
- c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation (PID 1864)
- c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT (PID 2276)
- c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent (PID 2284)
- c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer (PID 2316)
- c:\windows\system32\svchost.exe -k networkservice -s CryptSvc (PID 2420) [Drops file in System32 directory; Modifies data under HKEY_USERS]
- C:\Windows\sysmon.exe (PID 2452)
- c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc (PID 2464)
- c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks (PID 2472)
- c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt (PID 2480) [Suspicious use of AdjustPrivilegeToken]
- c:\windows\system32\svchost.exe -k netsvcs -s WpnService (PID 2488)
- c:\windows\system32\svchost.exe -k netsvcs -s Browser (PID 2572)
- C:\Windows\system32\wbem\unsecapp.exe -Embedding (PID 2936)
- c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc (PID 3000)
- c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker (PID 3144)
- C:\Windows\Explorer.EXE (PID 3288)
  - "C:\Users\Admin\AppData\Local\Temp\build.exe" (PID 3616) [Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force (PID 3464) [Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart (PID 4964) [Suspicious use of WriteProcessMemory]
      - wusa /uninstall /kb:890830 /quiet /norestart (PID 3856)
    - C:\Windows\system32\sc.exe stop UsoSvc (PID 2516) [Launches sc.exe]
    - C:\Windows\system32\sc.exe stop WaaSMedicSvc (PID 4960) [Launches sc.exe]
    - C:\Windows\system32\sc.exe stop wuauserv (PID 2040) [Launches sc.exe]
    - C:\Windows\system32\sc.exe stop bits (PID 2444) [Launches sc.exe]
    - C:\Windows\system32\sc.exe stop dosvc (PID 5028) [Launches sc.exe]
    - C:\Windows\system32\dialer.exe (PID 1460) [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
    - C:\Windows\system32\sc.exe delete "ZPGRVBPA" (PID 1696) [Launches sc.exe]
    - C:\Windows\system32\sc.exe create "ZPGRVBPA" binpath= "C:\ProgramData\gauhbkggpybj\yrzhndhoiexf.exe" start= "auto" (PID 1720) [Launches sc.exe]
    - C:\Windows\system32\sc.exe stop eventlog (PID 4428) [Launches sc.exe]
      - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 3976)
    - C:\Windows\system32\sc.exe start "ZPGRVBPA" (PID 4188) [Launches sc.exe]
      - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 1332)
- C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 3816)
- C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 4076)
- c:\windows\system32\svchost.exe -k localservice -s CDPSvc (PID 4756)
- c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV (PID 3028)
- C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc (PID 3488) [Modifies data under HKEY_USERS]
- "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service (PID 2948) [Drops file in System32 directory; Modifies data under HKEY_USERS]
- c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc (PID 5096)
- C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 4056)
- C:\Windows\system32\ApplicationFrameHost.exe -Embedding (PID 3740)
- C:\Windows\System32\InstallAgent.exe -Embedding (PID 3776)
- C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} (PID 3324)
- C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding (PID 516)
- C:\ProgramData\gauhbkggpybj\yrzhndhoiexf.exe (PID 3484) [Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force (PID 1696) [Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
    - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 4656)
  - C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart (PID 3960)
    - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 2644)
    - wusa /uninstall /kb:890830 /quiet /norestart (PID 5112)
  - C:\Windows\system32\sc.exe stop UsoSvc (PID 4952) [Launches sc.exe]
    - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 4924)
  - C:\Windows\system32\sc.exe stop WaaSMedicSvc (PID 4360) [Launches sc.exe]
  - C:\Windows\system32\sc.exe stop wuauserv (PID 2516) [Launches sc.exe]
    - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 1092)
  - C:\Windows\system32\sc.exe stop bits (PID 3124) [Launches sc.exe]
  - C:\Windows\system32\sc.exe stop dosvc (PID 4304) [Launches sc.exe]
  - C:\Windows\system32\dialer.exe (PID 3908) [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\system32\dialer.exe (PID 1196)
  - dialer.exe (PID 5100) [Suspicious use of AdjustPrivilegeToken]
- C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding (PID 3068) [Checks processor information in registry]
Network
MITRE ATT&CK Enterprise v15
Downloads