laplas | 2edc1e4c2f16055a14d96f056e976c3bd06230272138259c7cdf50cf6dba07b0

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	31216519167704260764.exe

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/1888-266-0x000000013F960000-0x0000000140345000-memory.dmp	xmrig
behavioral1/memory/1752-270-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1752-274-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe
File created	C:\Windows\System32\drivers\etc\hosts	68932182267870953260.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	31216519167704260764.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	31216519167704260764.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 5 IoCs

pid	Process
1740	31216519167704260764.exe
1460	68932182267870953260.exe
1824	23853730528723312731.exe
1888	updater.exe
944	ntlhost.exe

Loads dropped DLL 8 IoCs

pid	Process
1768	AddInProcess32.exe
1768	AddInProcess32.exe
1768	AddInProcess32.exe
1768	AddInProcess32.exe
1768	AddInProcess32.exe
1768	AddInProcess32.exe
1952	taskeng.exe
1740	31216519167704260764.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	31216519167704260764.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	31216519167704260764.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1740	31216519167704260764.exe
944	ntlhost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 1768	1244	Setup.exe	28
PID 1888 set thread context of 676	1888	updater.exe	83
PID 1888 set thread context of 1752	1888	updater.exe	82

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	68932182267870953260.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1640	sc.exe
952	sc.exe
1868	sc.exe
1524	sc.exe
1164	sc.exe
1764	sc.exe
1728	sc.exe
1376	sc.exe
1720	sc.exe
2008	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AddInProcess32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AddInProcess32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
908	schtasks.exe
700	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1748	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	20	Go-http-client/1.1

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 607276590a7dd901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
1768	AddInProcess32.exe
1460	68932182267870953260.exe
1460	68932182267870953260.exe
1576	powershell.exe
1460	68932182267870953260.exe
1460	68932182267870953260.exe
1460	68932182267870953260.exe
1460	68932182267870953260.exe
1460	68932182267870953260.exe
1460	68932182267870953260.exe
1104	powershell.exe
1460	68932182267870953260.exe
1460	68932182267870953260.exe
1888	updater.exe
1888	updater.exe
1540	powershell.exe
1888	updater.exe
1888	updater.exe
1888	updater.exe
1888	updater.exe
1888	updater.exe
1888	updater.exe
596	powershell.exe
1888	updater.exe
1888	updater.exe
1888	updater.exe
1888	updater.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe
1752	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeShutdownPrivilege	1624	powercfg.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeShutdownPrivilege	1524	powercfg.exe
Token: SeShutdownPrivilege	1400	powercfg.exe
Token: SeShutdownPrivilege	1720	powercfg.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeShutdownPrivilege	1572	powercfg.exe
Token: SeShutdownPrivilege	1096	powercfg.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeShutdownPrivilege	1620	powercfg.exe
Token: SeShutdownPrivilege	1824	powercfg.exe
Token: SeDebugPrivilege	1888	updater.exe
Token: SeLockMemoryPrivilege	1752	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1244 wrote to memory of 1768	1244	Setup.exe	28
PID 1768 wrote to memory of 1740	1768	AddInProcess32.exe	32
PID 1768 wrote to memory of 1740	1768	AddInProcess32.exe	32
PID 1768 wrote to memory of 1740	1768	AddInProcess32.exe	32
PID 1768 wrote to memory of 1740	1768	AddInProcess32.exe	32
PID 1768 wrote to memory of 1460	1768	AddInProcess32.exe	33
PID 1768 wrote to memory of 1460	1768	AddInProcess32.exe	33
PID 1768 wrote to memory of 1460	1768	AddInProcess32.exe	33
PID 1768 wrote to memory of 1460	1768	AddInProcess32.exe	33
PID 1768 wrote to memory of 1824	1768	AddInProcess32.exe	34
PID 1768 wrote to memory of 1824	1768	AddInProcess32.exe	34
PID 1768 wrote to memory of 1824	1768	AddInProcess32.exe	34
PID 1768 wrote to memory of 1824	1768	AddInProcess32.exe	34
PID 1824 wrote to memory of 1356	1824	23853730528723312731.exe	36
PID 1824 wrote to memory of 1356	1824	23853730528723312731.exe	36
PID 1824 wrote to memory of 1356	1824	23853730528723312731.exe	36
PID 1768 wrote to memory of 836	1768	AddInProcess32.exe	35
PID 1768 wrote to memory of 836	1768	AddInProcess32.exe	35
PID 1768 wrote to memory of 836	1768	AddInProcess32.exe	35
PID 1768 wrote to memory of 836	1768	AddInProcess32.exe	35
PID 836 wrote to memory of 1748	836	cmd.exe	39
PID 836 wrote to memory of 1748	836	cmd.exe	39
PID 836 wrote to memory of 1748	836	cmd.exe	39
PID 836 wrote to memory of 1748	836	cmd.exe	39
PID 1356 wrote to memory of 1688	1356	cmd.exe	40
PID 1356 wrote to memory of 1688	1356	cmd.exe	40
PID 1356 wrote to memory of 1688	1356	cmd.exe	40
PID 1876 wrote to memory of 1728	1876	cmd.exe	45
PID 1876 wrote to memory of 1728	1876	cmd.exe	45
PID 1876 wrote to memory of 1728	1876	cmd.exe	45
PID 1876 wrote to memory of 1376	1876	cmd.exe	46
PID 1876 wrote to memory of 1376	1876	cmd.exe	46
PID 1876 wrote to memory of 1376	1876	cmd.exe	46
PID 1876 wrote to memory of 1640	1876	cmd.exe	47
PID 1876 wrote to memory of 1640	1876	cmd.exe	47
PID 1876 wrote to memory of 1640	1876	cmd.exe	47
PID 1876 wrote to memory of 952	1876	cmd.exe	48
PID 1876 wrote to memory of 952	1876	cmd.exe	48
PID 1876 wrote to memory of 952	1876	cmd.exe	48
PID 1876 wrote to memory of 1868	1876	cmd.exe	49
PID 1876 wrote to memory of 1868	1876	cmd.exe	49
PID 1876 wrote to memory of 1868	1876	cmd.exe	49
PID 1200 wrote to memory of 1624	1200	cmd.exe	54
PID 1200 wrote to memory of 1624	1200	cmd.exe	54
PID 1200 wrote to memory of 1624	1200	cmd.exe	54
PID 1200 wrote to memory of 1524	1200	cmd.exe	55
PID 1200 wrote to memory of 1524	1200	cmd.exe	55
PID 1200 wrote to memory of 1524	1200	cmd.exe	55
PID 1200 wrote to memory of 1400	1200	cmd.exe	56
PID 1200 wrote to memory of 1400	1200	cmd.exe	56
PID 1200 wrote to memory of 1400	1200	cmd.exe	56
PID 1200 wrote to memory of 1720	1200	cmd.exe	57
PID 1200 wrote to memory of 1720	1200	cmd.exe	57
PID 1200 wrote to memory of 1720	1200	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\ProgramData\31216519167704260764.exe
      "C:\ProgramData\31216519167704260764.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1740
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:944
  - - C:\ProgramData\68932182267870953260.exe
      "C:\ProgramData\68932182267870953260.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:1460
  - - C:\ProgramData\23853730528723312731.exe
      "C:\ProgramData\23853730528723312731.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\23853730528723312731.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        6⤵
        
        PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1728
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1376
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1640
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:952
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1868
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ipspm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:908
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1152
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1524
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1720
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1164
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2008
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ipspm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:700
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:768
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:676

C:\Windows\system32\taskeng.exe
taskeng.exe {107313AA-8836-4648-B4C9-6323B4E4D3A4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1952
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery