Analysis
max time kernel: 241s
max time network: 597s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/08/2024, 07:20
Static task
static1
Behavioral tasks (sample: build.exe in every task)
behavioral1: win10-20240404-en
behavioral2: win7-20240708-en
behavioral3: win10-20240404-en
behavioral4: win10v2004-20240802-en
behavioral5: win11-20240802-en
General
Target: build.exe
Size: 7.1MB
MD5: 03b4a7f20fdad6d69d148a3426b499af
SHA1: 29c2f0d4a32776ba00c8dd882d35fdbfaec343ad
SHA256: 54ec62ac33637ed3bf49e914bfb9e5245e12fbebfb91e44705cd08b29e05b59c
SHA512: a2ba94f54a34a6e40d312ad63d71dec427ee3a80f300e97381f9541a6ac3fb67bc7095df38e045d088c893e92cc24058a93e02d9087c963cfbf1f6baf02c0b78
SSDEEP: 196608:B/4iA3qoIyI47/Q3D+h6Pkvct9GcemuYX:B/3AaZDQ/Q3D+hEkUacxX
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell  1 TTPs  2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
4980 | powershell.exe
3436 | powershell.exe
Creates new service(s) 2 TTPs
Executes dropped EXE  1 IoCs
pid | Process
3204 | yrzhndhoiexf.exe
Drops file in System32 directory  10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\MRT.exe | yrzhndhoiexf.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\MRT.exe | build.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk | DllHost.exe
Suspicious use of SetThreadContext  4 IoCs
description | pid | Process | procid_target
PID 4160 set thread context of 4120 | 4160 | build.exe | 97
PID 3204 set thread context of 1444 | 3204 | yrzhndhoiexf.exe | 122
PID 3204 set thread context of 2420 | 3204 | yrzhndhoiexf.exe | 123
PID 3204 set thread context of 3208 | 3204 | yrzhndhoiexf.exe | 124
Launches sc.exe  14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4248 | sc.exe
3340 | sc.exe
3848 | sc.exe
3948 | sc.exe
3436 | sc.exe
1608 | sc.exe
2616 | sc.exe
2824 | sc.exe
2656 | sc.exe
2040 | sc.exe
2572 | sc.exe
388 | sc.exe
780 | sc.exe
4656 | sc.exe
Checks processor information in registry  2 TTPs  14 IoCs
Processor information is often read in order to detect sandboxing environments.
Note: all 14 hits below come from firefox.exe and wmiprvse.exe; none is attributed to build.exe, dialer.exe or yrzhndhoiexf.exe.
description | ioc | Process
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies data under HKEY_USERS  64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "7202265,41816131,39965824,7153487,17110988,5804129,7202269,17110992,41484365,24262478,9179409,17962391,508368333,17962392,25036127,24262477,3462423,3702920,3700754,3965062,24262474,4297094,7153421,3462365,18716193,7153435,24262473,9179410,20502174,6308191,18407617,39125643,539756558,6104718,9179411,51475283,41185282,39389248,539756557,528570079" | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={042CA9F3-58AA-4D87-B856-C4825BD2F4B9}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 20 Aug 2024 07:21:44 GMT" | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1724138503" | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,940 10,941 10,942 10,940 15,943 10,944 50,940 6,1329 15,944 10,941 15,942 15,940 50,943 15,944 6,944 15,943 6,1329 50,1329 100,1329 6,941 6,942 6,944 100,940 100" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Modifies registry class  2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses  64 IoCs
pid | Process | hits
4120 | dialer.exe | 34
4160 | build.exe | 12
3204 | yrzhndhoiexf.exe | 10
3436 | powershell.exe | 4
4980 | powershell.exe | 2
1444 | dialer.exe | 2
Suspicious behavior: GetForegroundWindowSpam  1 IoCs
pid | Process
3408 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken  64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4980 | powershell.exe
Token: SeDebugPrivilege | 4160 | build.exe
Token: SeDebugPrivilege | 4120 | dialer.exe
Token: SeDebugPrivilege | 3436 | powershell.exe
Token: SeDebugPrivilege | 3204 | yrzhndhoiexf.exe
Token: SeDebugPrivilege | 1444 | dialer.exe
Token: SeLockMemoryPrivilege | 3208 | dialer.exe
The remaining 57 entries are all svchost.exe (PID 2628, the Winmgmt host) enabling the same 12 privileges in order, four full rounds plus a fifth round cut off after SeShutdownPrivilege by the 64-IoC cap:
Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 2628 | svchost.exe
Suspicious use of FindShellTrayWindow  21 IoCs
pid | Process | hits
1600 | firefox.exe | 21

Suspicious use of SetWindowsHookEx  7 IoCs
pid | Process | hits
1600 | firefox.exe | 7
Suspicious use of UnmapMainImage  2 IoCs
pid | Process
3996 | RuntimeBroker.exe
3408 | Explorer.EXE
Suspicious use of WriteProcessMemory  64 IoCs
description | pid | Process | procid_target | hits
PID 2732 wrote to memory of 696 | 2732 | cmd.exe | 92 | 2
PID 4160 wrote to memory of 4120 | 4160 | build.exe | 97 | 7
PID 4120 wrote to memory of <target> | 4120 | dialer.exe | (one entry per target, 55 in total) | 55
dialer.exe (PID 4120) targets, in the order reported (procid_target in parentheses):
632 (5), 688 (7), 992 (12), 552 (13), 432 (14), 700 (15), 1060 (16), 1108 (17), 1172 (19), 1180 (20), 1248 (21), 1284 (22), 1412 (23), 1448 (24), 1480 (25), 1492 (26), 1504 (27), 1656 (28), 1724 (29), 1744 (30), 1808 (31), 1876 (32), 1904 (33), 1916 (34), 2004 (35), 2024 (36), 2076 (37), 2216 (39), 2388 (40), 2396 (41), 2436 (42), 2512 (43), 2548 (44), 2556 (45), 2620 (46), 2628 (47), 2640 (48), 2844 (49), 460 (50), 680 (51), 3408 (52), 3536 (53), 3568 (54), 3908 (57), 3996 (58), 2768 (59), 3564 (60), 4364 (61), 4496 (62), 4184 (65), 876 (66), 1528 (67), 3108 (69), 1756 (70), 5076 (71)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
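The SetThreadContext and WriteProcessMemory sections above list raw edges (which PID touched which) without saying what the combination means. The script below is an added example, not part of the original Triage report: it parses IoC lines in the exact layout used above, collapses them onto (source, target) edges and labels each edge. A write plus SetThreadContext from build.exe into its dialer.exe child is the hollowing / thread-hijack shape; dialer.exe then writing into dozens of unrelated system processes is the fan-out shape. The sample IoC lines and the PID-to-image table are constructed from this report's own entries; the fan-out threshold and the label names are this example's assumptions.

```python
"""Reconstruct who-injected-into-whom from Triage-style IoC lines.

Added example, not part of the original report. It parses the
"set thread context of" and "wrote to memory of" records in the format the
Signatures section uses and classifies each (source, target) edge.
The IoC lines and the PID-to-image table are constructed from the report's
own entries; the fan-out threshold is an illustrative assumption.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's SetThreadContext/WriteProcessMemory IoCs.
SAMPLE_IOCS = """
PID 4160 set thread context of 4120 4160 build.exe 97
PID 3204 set thread context of 1444 3204 yrzhndhoiexf.exe 122
PID 2732 wrote to memory of 696 2732 cmd.exe 92
PID 4160 wrote to memory of 4120 4160 build.exe 97
PID 4160 wrote to memory of 4120 4160 build.exe 97
PID 4120 wrote to memory of 632 4120 dialer.exe 5
PID 4120 wrote to memory of 688 4120 dialer.exe 7
PID 4120 wrote to memory of 2628 4120 dialer.exe 47
"""

# PID -> image, read off the report's process tree (constructed lookup table).
PID_IMAGE = {
    632: "winlogon.exe", 688: "lsass.exe", 696: "wusa.exe",
    2628: "svchost.exe (Winmgmt)", 2732: "cmd.exe", 4120: "dialer.exe",
    4160: "build.exe", 3204: "yrzhndhoiexf.exe", 1444: "dialer.exe",
}

# Triage layout: "PID <src> <verb> <dst> <src> <src image> <internal target index>"
IOC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)"
)
API_NAME = {"set thread context of": "SetThreadContext",
            "wrote to memory of": "WriteProcessMemory"}


def parse_iocs(text):
    """Return one dict per IoC line: source PID, target PID, API, source image."""
    events = []
    for line in text.splitlines():
        m = IOC_RE.search(line)
        if m:
            events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                           "api": API_NAME[m["verb"]], "image": m["image"]})
    return events


def build_chains(events):
    """Collapse events onto edges: (src_pid, dst_pid) -> set of APIs seen."""
    chains = defaultdict(set)
    for e in events:
        chains[(e["src"], e["dst"])].add(e["api"])
    return chains


def classify(chains, fanout_threshold=3):
    """Label each edge.

    hollowing   - WriteProcessMemory and SetThreadContext on the same edge: the
                  source overwrote the target and redirected its thread, the
                  classic process-hollowing / thread-hijack pattern.
    ctx_only    - SetThreadContext without an observed write (the report caps
                  each signature at 64 IoCs, so the write may be cut off).
    fanout      - the source wrote into at least `fanout_threshold` distinct
                  targets: broad injection into unrelated processes.
    child_write - a single write into one process; common benign noise around
                  process creation, low confidence on its own.
    """
    writes_by_src = defaultdict(set)
    for (src, dst), apis in chains.items():
        if "WriteProcessMemory" in apis:
            writes_by_src[src].add(dst)

    findings = []
    for (src, dst), apis in sorted(chains.items()):
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            kind = "hollowing"
        elif "SetThreadContext" in apis:
            kind = "ctx_only"
        elif len(writes_by_src[src]) >= fanout_threshold:
            kind = "fanout"
        else:
            kind = "child_write"
        findings.append({"src": src, "dst": dst, "kind": kind,
                         "src_image": PID_IMAGE.get(src, "?"),
                         "dst_image": PID_IMAGE.get(dst, "?")})
    return findings


if __name__ == "__main__":
    for f in classify(build_chains(parse_iocs(SAMPLE_IOCS))):
        print(f"{f['kind']:<11} {f['src']} {f['src_image']} -> {f['dst']} {f['dst_image']}")
```

Run against the full 64-entry section, the same code yields one hollowing edge (4160 -> 4120) and a 55-target fan-out from dialer.exe; the three SetThreadContext edges from yrzhndhoiexf.exe (PID 3204) come out as ctx_only because their matching writes fall outside what the report shows.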
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:632
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:552
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:688
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:992
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:700
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1172
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1180
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵PID:1248
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1284
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1448
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2844
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1480
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1492
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1724
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:1744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1808
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1876
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1904
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1916
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2004
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2024
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2076
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2388
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2436
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2512
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2548
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2556
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2620
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2640
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:680
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:696
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
PID:3948
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:4656
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
PID:2572
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
PID:388
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
PID:3436
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "ZPGRVBPA"3⤵
- Launches sc.exe
PID:780
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "ZPGRVBPA" binpath= "C:\ProgramData\gauhbkggpybj\yrzhndhoiexf.exe" start= "auto"3⤵
- Launches sc.exe
PID:4248
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:2616
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "ZPGRVBPA"3⤵
- Launches sc.exe
PID:1608 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:464
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵PID:1536
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1600 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c19d571-fd7a-4686-8655-66e8165e5b19} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" gpu4⤵PID:3340
-
-
      C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2296 -prefMapHandle 2292 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c971befa-cf13-498d-a2c3-ec3737de85b5} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" socket
      PID: 3000

      C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1724 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 2868 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a7fd9db-86b9-4cb5-8a3e-cd36c745f1ff} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
      PID: 1868

      C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3852 -childID 2 -isForBrowser -prefsHandle 3848 -prefMapHandle 3844 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6654ac32-1028-4d19-b465-c7ce0d4c5e22} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
      PID: 1948

      C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4652 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4668 -prefMapHandle 4644 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e22f2f6-4ad3-424e-8005-fbf5e1d95b76} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" utility
      - Checks processor information in registry
      PID: 2732

      C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5284 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {655f3fca-fcea-47b3-892d-59ff17cbb96e} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
      PID: 1044

      C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5220 -prefMapHandle 5268 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6577818-7fb9-48bd-999a-6e80ae417a9c} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
      PID: 708

      C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47ade1c0-30fd-48f2-a71b-d04040738c62} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
      PID: 4424

      C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6184 -childID 6 -isForBrowser -prefsHandle 6176 -prefMapHandle 6172 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7cf3ae2-603c-4a92-9f31-757ea18c78d4} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
      PID: 5048

C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID: 3536

C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
PID: 3568

C:\Windows\System32\RuntimeBroker.exe (level 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
PID: 3908

C:\Windows\System32\RuntimeBroker.exe (level 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
- Suspicious use of UnmapMainImage
PID: 3996

C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
PID: 2768

C:\Windows\system32\DllHost.exe (level 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID: 3564

C:\Windows\system32\DllHost.exe (level 1)
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
PID: 4364

C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
PID: 4496

C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
PID: 4184

C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
PID: 876

C:\Windows\System32\svchost.exe (level 1)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
PID: 1528

C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- Modifies data under HKEY_USERS
PID: 3108

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (level 1)
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID: 1756

C:\Windows\system32\SppExtComObj.exe (level 1)
C:\Windows\system32\SppExtComObj.exe -Embedding
PID: 5076

C:\Windows\System32\svchost.exe (level 1)
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
PID: 2368

C:\Windows\system32\DllHost.exe (level 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- Drops file in System32 directory
PID: 4236

C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
PID: 3660

C:\Windows\System32\RuntimeBroker.exe (level 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
PID: 1992

C:\ProgramData\gauhbkggpybj\yrzhndhoiexf.exe (level 1)
C:\ProgramData\gauhbkggpybj\yrzhndhoiexf.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3204

  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3436

    C:\Windows\System32\Conhost.exe (level 3)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID: 780

  C:\Windows\system32\cmd.exe (level 2)
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  PID: 4284

    C:\Windows\System32\Conhost.exe (level 3)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID: 3712

    C:\Windows\system32\wusa.exe (level 3)
    wusa /uninstall /kb:890830 /quiet /norestart
    PID: 1976

  C:\Windows\system32\sc.exe (level 2)
  C:\Windows\system32\sc.exe stop UsoSvc
  - Launches sc.exe
  PID: 3340

    C:\Windows\System32\Conhost.exe (level 3)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID: 3768

  C:\Windows\system32\sc.exe (level 2)
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  - Launches sc.exe
  PID: 2824

  C:\Windows\system32\sc.exe (level 2)
  C:\Windows\system32\sc.exe stop wuauserv
  - Launches sc.exe
  PID: 2656

  C:\Windows\system32\sc.exe (level 2)
  C:\Windows\system32\sc.exe stop bits
  - Launches sc.exe
  PID: 2040

    C:\Windows\System32\Conhost.exe (level 3)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID: 2152

  C:\Windows\system32\sc.exe (level 2)
  C:\Windows\system32\sc.exe stop dosvc
  - Launches sc.exe
  PID: 3848

  C:\Windows\system32\dialer.exe (level 2)
  C:\Windows\system32\dialer.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1444

  C:\Windows\system32\dialer.exe (level 2)
  C:\Windows\system32\dialer.exe
  PID: 2420

  C:\Windows\system32\dialer.exe (level 2)
  dialer.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 3208

C:\Windows\system32\wbem\wmiprvse.exe (level 1)
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- Checks processor information in registry
PID: 4300

C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
PID: 4940

  C:\Windows\System32\pcaui.exe (level 2)
  C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
  PID: 4484

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7.1MB
MD5: 03b4a7f20fdad6d69d148a3426b499af
SHA1: 29c2f0d4a32776ba00c8dd882d35fdbfaec343ad
SHA256: 54ec62ac33637ed3bf49e914bfb9e5245e12fbebfb91e44705cd08b29e05b59c
SHA512: a2ba94f54a34a6e40d312ad63d71dec427ee3a80f300e97381f9541a6ac3fb67bc7095df38e045d088c893e92cc24058a93e02d9087c963cfbf1f6baf02c0b78

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\511GEY9YJAKGF6HYBI8W.temp
Filesize: 7KB
MD5: 2e4182d74b7cd6f75134ca7f3ed0b58b
SHA1: 3b06b2cf78a847463608ccc3f0668f21138622e0
SHA256: d3e62c1c29327cec0ac0d252790edd266c23c7fa4a7d5b570a9bed7498e0d116
SHA512: 7685a7f1d3ff27ca55ae464a97b2ecfd7fc39112cdffaf1b710dd8130e15e70de2fca35fcf2aa50a011bc83a26d80d89f2ebf43fa961e1d0c6fdd87f90173035

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 4f6c60b9de720218fa82ac1e5be2d16f
SHA1: eb35d2929ef29ed708dbd5463702b6801f9cfa3a
SHA256: 21682ee5c76a5341a111e299702c4c525236174d02a57bec75a25c68a64faa79
SHA512: 49fef3d95cf353c1e8eebdafdbf823c51944bda520d4d662597ce65a6c8cbada01a4bd46a586051074e4116a53d4133931019b28e9f75513878513d11962040d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin
Filesize: 10KB
MD5: 362a769600fc6999a113f327bdda67ad
SHA1: 2864fd0647b6bb12d50b4d29735728acdc7843e1
SHA256: 9ebd000f0345127db67415af03c864d63b377c82ccf818c27b50a1608157ad69
SHA512: a6911ca8f02fe736d1952fb296433331edaff4db76ee4d36a67c542ab970b74c4577f0e63860aefd318a2ede364c4272135f11b057ec6a3456216f0398b67934

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\bookmarkbackups\bookmarks-2024-08-20_11_HtaYMXlC9c97uWbeY2UD2A==.jsonlz4
Filesize: 1017B
MD5: c02919f02635e8965b9b58f4e0c99e32
SHA1: 1df56be91e9afc71153d4106fbf0e942c079f8ef
SHA256: d0ca4df48846f42d0ead489c35dc411b58f049b18faeb9c1008382c1e19f1a20
SHA512: bbba6fb437a2c30aad4580f991874b0000e14097be52666a6f42dd66e8efb35abe37dad5dd0397e641b3601870f99ac007471cd5b678bcb125665d3867564876

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 54570c9eb9127117cd46d03c5db26f8a
SHA1: bff926b755fc6a110a2baeb18a33977fd24d4e23
SHA256: 53854383137b0c067dc45e61736ec78ea04ff5d05af5845630681d24773f9143
SHA512: 40b1807e144f6770752f09cbb55c4027c5765c4750181b576411453e439d29d53e0a81eea49dda97499f17f6c4bb957c13ed9d7f76e333382e1eca32b958c609

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 9bcadf48b6463aac24cba80b01816d32
SHA1: 712328a4a963993968840300d64845ca2f16bf53
SHA256: 0ddd27f893026a15d2e727470c9796a21714e058717d06e53128dca0b6d0b6cb
SHA512: dc06a139ceff340705c74e57999323245f154ec23ab644464dedf5d000c2a96ed96f56b2c6887f6f918f8be21b203e0edf01dd64c80440557fc3d6b3f7fb4538

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: b3026d2a8b6ad4d181e26b2c3be33db8
SHA1: 23d7f8735597a6358eb7f905db148f01bb4bc134
SHA256: d886db9c63a28288a565f493e370b4f42edf443e8502f19f57ae325a8e5032bf
SHA512: 5f1ff6bd9703d0eb1d55d46fc4cf5e2945ba84a19ce36d926b4a47c525a2a801fbe06c70bb6483e71d08dd7e4a6c4c3be0692d235a052c8b473af79004d769a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: dba4b17fb4f5b78ecc5b7faf93bb063c
SHA1: 0475be86e10211f70202ed6dcddcd9159f781e49
SHA256: c502a2bd8239fe9badc7a0463b9bcb3174a157aeae9ca4b8b54a6041ef5bc572
SHA512: 30755ecbd95719750647f97ba20ce78dd932a4fad48402208df381815c3f3b6d81f2b9f152fcd806e39820d59daf9bc74a0463f971da2d31d63e4c61ecfe2b7b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 17KB
MD5: 50b9e8e4dc55d2072af58dc2b42f7b39
SHA1: 9ed3de7e76c4f9ea45a4bf5611047cf68753d736
SHA256: 89eed50df76ff09975774db63bc5367099e399e3429e8234f24fc10dac006724
SHA512: 337d90cc33f60b33e953903875b940a7bf2f28bfdfc074969848995990e4ed37d52c1730f52761fcdc989222653ed5321759f6d572110d12863e5f3928e878d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\437deac7-7bae-4d0d-a38a-db9efc9bea99
Filesize: 27KB
MD5: f403760922d3d8641d3ed8262b7e25fe
SHA1: 9ad2816270374d4a3c6c24548ecf171e04df95d9
SHA256: 8d79fdbf69092fa25d2a8f6723dd2e0ac7bdee67cc509014ea3885b7b478b917
SHA512: c919f4bf55b679b5b3f00bf3e31cc054a86d13775f7d26045f297f0dc8af4a30a0756fe65515a891c12bb7c0280ccc7b852b4dc709daac9d734718e5a20e1805

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\b60bdd81-127d-43d1-aca5-9e1ffefb297b
Filesize: 671B
MD5: e02c951674360569d8183dc7bcef0d9d
SHA1: d85df7ba71da6970c777ed2b437e6d8f45a617cf
SHA256: becbc484781c9e7f31589dbbe8177d3602f5a18534a07bc08991c6f34a41eca8
SHA512: 933dc5a19a23135e3e2239c7e2e07b9a59039d161109a344fcc8cc8de850729ae4e4be6774bd2910ac725817173223c6f388564ab58b9b36a99621666c48bb8b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\b704687b-ba33-418b-b382-997cc9744a95
Filesize: 982B
MD5: 8fa7f0ddb03b7855340aff27d30218af
SHA1: e912c98f1bfa91cd9b0dcfbcba161b43716ebfdd
SHA256: 59f074c78cce71c921002f12eb7ef85b51b947206db5d0314264d12065332848
SHA512: 779a6d8d2b031434f8b08aee94ec8d0a4cfa6fad44c19a0b3b5efa7e9502dcac328f390e5930b3a3cfc9a6df5c0f8ce9337e759c45ffa551183d3af6ea21562a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 12KB
MD5: b02ed89230344c62848f8bce87cdf146
SHA1: 96f9248973da0875cf1fb2326233a0c80151c701
SHA256: d08229a88d01870e5bdbdb9b0dc209b37cd23df54ebc83857d1cc2c21e7b1a5e
SHA512: d448ea3936290a2c7eeaf4c8f59514e3c4551c07be200e89e32a23b87584aa3d04fd4de4aa03a8d2b55ba90b0006c557ee2a6e212598817cd94697409af69de9

Filesize: 13KB
MD5: 4cad670409f2c2fca4d7ab1263818da4
SHA1: c5a6b3002cbc37961047ac71a6e8f3d3c5505bba
SHA256: 1b50e62317707ba51206fce5528987185617a843037740336f34e944b6e5a235
SHA512: 43de6ebdebe29b49279040188d65e3eb784eb7cdb92f746817ed72c44a1f9b051bcce2c79c9093fe40d09826b3fc084ab32031a81d9909919aea6b933092a1fc

Filesize: 11KB
MD5: df01777e9fb2cd5ff3d6ac925f0bb0a7
SHA1: a89a81a4d251d8e35deab4b1f8181e556df936b9
SHA256: 07a9e8c19ea2e6b283fe31bcad536a0ff2e160cb9a825429082b9d7a94749a2b
SHA512: 3b625915b4fe0599504965616512ec3f8dcd080a86c75f38fda31b601ce83e574de852c717c3fca902508d1c009e23ce66065776133b0161974eb3ca7dce0a64

Filesize: 10KB
MD5: bee6bc02187171e2ac583c49018b31c3
SHA1: c546f1ec51541302eb403dc0cca3d9a3e4ac67a3
SHA256: 365791fe58cf0951eb256e2ed73260b92f5f85cd9b7c74ce86aa9637759bb674
SHA512: ff8127ad8a590e5b78a94ec71778cdd665c815a78e1a8b981d512248af05bce8be10df44e4c789438eb69a142871e10738006163a0ea857c7e2d169b2ac315cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\sessionstore-backups\recovery.baklz4
Filesize: 4KB
MD5: 7259bc56c7bf31b7564f5b91dd3ad544
SHA1: de0aeb05d411724b3601e3fd5bbf0259fb6ef0ac
SHA256: fc9bd98374130f8ff9e1e58416a8b77ac80b021f4576435118932dd2556e08c2
SHA512: 5752fcf416794680412615a9f9a04c906db66e6e506623624ae6261fcbeb34b21a3b8965283407f2a497e2826cd010c57886941e559f2622be1ccb72caf09bfb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\sessionstore-backups\recovery.baklz4
Filesize: 1KB
MD5: 4fc21f37adf64de0dcc6c6c81a611af8
SHA1: 7b7b3964c3c886e206909e5e1d42b25f337ba88a
SHA256: 4d5e2fd1feff4269f153e622ed69ee06d7e9e1487d80f61a5de14d0d1ec9461a
SHA512: 7a24434954d3fd76a36ca7c55ca9aff39a54a8435b25fe2a4c7f5e2631636e7afbf77934767d365250c6d2d8921d7669f994bd9727413f1737ddfc7b3fcfc04d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.1MB
MD5: e63267ce7a1d8019c557d23f0e51d050
SHA1: c09d89217fe1b49b7b8a964a268bc0e1229cedc0
SHA256: 0d0fce49c4eb3239479aab1809b9992579dc9677a8b87b1da430abc393c33e0b
SHA512: 509fde2fa8809718837d2d4aca1092872de46a436add98bdff2ef1d333c73d726ef43c4abcf006234731eb8db66b8b28ef05164f9edb1af5d89eb9d245d0f24c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.1MB
MD5: cc6557baa025ec2e1f5925a35399581f
SHA1: 3ed287b468d8236d2e00cb3cb543b991ebc84f82
SHA256: e4fac2321a916d118b88d3a4fe1b825da8fc10ada39e2749826e8af1f41b12d5
SHA512: 429592af4cc0c0aec682e0a5c3f6c4b4766d251958ffbdfcea2fac1e0a7a6e6e348c04234a1f1ab0ab48d98ed5e3a29b958fa48eefe7f040ac1e3e889c62a033

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize: 338B
MD5: 694d0a6e5ca63ab01f42133f0371ea06
SHA1: bed3ba00d8239861842ac00f9e003bbf770667dd
SHA256: c344f0e7577920643c85020ebaecb26d28a060503c9aeb47993decc1794c995e
SHA512: 5d10e4553f77420318d1f261034c9fd12263323878cbdbc51917f43913bdde1a12a93444e92c3a969e1e92d6d34fa5df5377b5e38878cbbe2a6b5ac439bbe8d8

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 412B
MD5: c71f72cf8d86448f760b054c6e5eecb6
SHA1: 26f275418eb8e5e5b2457e03478d1ddf28a60045
SHA256: ff44879790bd095c4af3f5a5a41a6bfab3cd23892ce93b40692b2975fa413ff5
SHA512: ea60d3af7be394b061b2a8afcc79f562f489f982a7f7a10ac0c525f78a0b0a74ee7e9c100feb7993850412ed5865efaa047dbfff27e72557acaba26c36e39c88