4f9d429ed849e93b656b9f685df3dfd47f4f2d26c595b655291f44385326bc65

Analysis

max time kernel
101s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 22:00

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

file.exe
Size

5.8MB
MD5

b7a9151e93495fb1be4e5651ca4aded4
SHA1

a32ba62db166c58e58a719c1e29f1832c575b0c0
SHA256

4f9d429ed849e93b656b9f685df3dfd47f4f2d26c595b655291f44385326bc65
SHA512

9b850930302dc7d15dd2baa2e8a7a04a49ae1f9f2536fb214df74f482070ba50ac85cce0461f07236a85b29e65325776e4c2c0663fb29860b476f22734fb1440
SSDEEP

98304:bFh/waeNxH65kE0ytCp1arbct9ytSgF9WRD03nRMGdQ:bXHkdkct9ytSW9AS3m

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 1344 created 3132	1344	file.exe	56
PID 1344 created 3132	1344	file.exe	56
PID 1344 created 3132	1344	file.exe	56
PID 1344 created 3132	1344	file.exe	56
PID 1344 created 3132	1344	file.exe	56
PID 1344 created 3132	1344	file.exe	56
PID 4580 created 5032	4580	svchost.exe	41

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	file.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	smss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 764	1344	file.exe	96

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	file.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5000	sc.exe
3532	sc.exe
3112	sc.exe
4304	sc.exe
384	sc.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1932	624	WerFault.exe	5
4260	696	WerFault.exe	3
2444	3516	WerFault.exe	31
4804	5032	WerFault.exe	41

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1344	file.exe
1344	file.exe
1952	powershell.exe
1952	powershell.exe
1344	file.exe
1344	file.exe
1344	file.exe
1344	file.exe
1344	file.exe
1344	file.exe
1344	file.exe
1344	file.exe
764	dialer.exe
764	dialer.exe
2624	powershell.exe
2624	powershell.exe
764	dialer.exe
764	dialer.exe
1344	file.exe
1344	file.exe
764	dialer.exe
764	dialer.exe
4804	WerFault.exe
4804	WerFault.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
4580	svchost.exe
4580	svchost.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
2624	smss.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe
764	dialer.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3884	Process not Found
4600	Process not Found
4720	Process not Found
4596	Process not Found
4244	Process not Found
3832	Process not Found
4728	Process not Found
1888	Process not Found
832	Process not Found
2024	Process not Found
3736	Process not Found
4256	Process not Found
1952	Process not Found
4116	Process not Found
2848	Process not Found
3004	Process not Found
2520	Process not Found
692	Process not Found
2660	Process not Found
1820	Process not Found
2600	Process not Found
4080	Process not Found
4348	Process not Found
4772	Process not Found
4316	Process not Found
1936	Process not Found
3124	Process not Found
2948	smss.exe
1520	Process not Found
4552	Process not Found
2500	Process not Found
3012	Process not Found
3020	Process not Found
5052	Process not Found
4468	Process not Found
1052	Process not Found
3380	Process not Found
1876	Process not Found
1176	Process not Found
1204	Process not Found
2572	Process not Found
820	Process not Found
4472	Process not Found
1588	Process not Found
1132	Process not Found
3232	Process not Found
1524	Process not Found
1168	Process not Found
1536	Process not Found
1316	Process not Found
876	Process not Found
1240	Process not Found
3544	Process not Found
872	Process not Found
3564	Process not Found
4704	Process not Found
4372	Process not Found
2052	Process not Found
3708	Process not Found
2368	Process not Found
2992	Process not Found
1268	Process not Found
1564	Process not Found
2676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	764	dialer.exe
Token: SeShutdownPrivilege	3400	powercfg.exe
Token: SeCreatePagefilePrivilege	3400	powercfg.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeShutdownPrivilege	4512	powercfg.exe
Token: SeCreatePagefilePrivilege	4512	powercfg.exe
Token: SeShutdownPrivilege	1028	powercfg.exe
Token: SeCreatePagefilePrivilege	1028	powercfg.exe
Token: SeShutdownPrivilege	2448	powercfg.exe
Token: SeCreatePagefilePrivilege	2448	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2624	powershell.exe
Token: SeSecurityPrivilege	2624	powershell.exe
Token: SeTakeOwnershipPrivilege	2624	powershell.exe
Token: SeLoadDriverPrivilege	2624	powershell.exe
Token: SeSystemProfilePrivilege	2624	powershell.exe
Token: SeSystemtimePrivilege	2624	powershell.exe
Token: SeProfSingleProcessPrivilege	2624	powershell.exe
Token: SeIncBasePriorityPrivilege	2624	powershell.exe
Token: SeCreatePagefilePrivilege	2624	powershell.exe
Token: SeBackupPrivilege	2624	powershell.exe
Token: SeRestorePrivilege	2624	powershell.exe
Token: SeShutdownPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeSystemEnvironmentPrivilege	2624	powershell.exe
Token: SeRemoteShutdownPrivilege	2624	powershell.exe
Token: SeUndockPrivilege	2624	powershell.exe
Token: SeManageVolumePrivilege	2624	powershell.exe
Token: 33	2624	powershell.exe
Token: 34	2624	powershell.exe
Token: 35	2624	powershell.exe
Token: 36	2624	powershell.exe
Token: SeShutdownPrivilege	408	dwm.exe
Token: SeCreatePagefilePrivilege	408	dwm.exe
Token: SeIncreaseQuotaPrivilege	2624	smss.exe
Token: SeSecurityPrivilege	2624	smss.exe
Token: SeTakeOwnershipPrivilege	2624	smss.exe
Token: SeLoadDriverPrivilege	2624	smss.exe
Token: SeSystemProfilePrivilege	2624	smss.exe
Token: SeSystemtimePrivilege	2624	smss.exe
Token: SeProfSingleProcessPrivilege	2624	smss.exe
Token: SeIncBasePriorityPrivilege	2624	smss.exe
Token: SeCreatePagefilePrivilege	2624	smss.exe
Token: SeBackupPrivilege	2624	smss.exe
Token: SeRestorePrivilege	2624	smss.exe
Token: SeShutdownPrivilege	2624	smss.exe
Token: SeDebugPrivilege	2624	smss.exe
Token: SeSystemEnvironmentPrivilege	2624	smss.exe
Token: SeRemoteShutdownPrivilege	2624	smss.exe
Token: SeUndockPrivilege	2624	smss.exe
Token: SeManageVolumePrivilege	2624	smss.exe
Token: 33	2624	smss.exe
Token: 34	2624	smss.exe
Token: 35	2624	smss.exe
Token: 36	2624	smss.exe
Token: SeIncreaseQuotaPrivilege	2624	smss.exe
Token: SeSecurityPrivilege	2624	smss.exe
Token: SeTakeOwnershipPrivilege	2624	smss.exe
Token: SeLoadDriverPrivilege	2624	smss.exe
Token: SeSystemProfilePrivilege	2624	smss.exe
Token: SeSystemtimePrivilege	2624	smss.exe
Token: SeProfSingleProcessPrivilege	2624	smss.exe
Token: SeIncBasePriorityPrivilege	2624	smss.exe
Token: SeCreatePagefilePrivilege	2624	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3112	4116	cmd.exe	89
PID 4116 wrote to memory of 3112	4116	cmd.exe	89
PID 4116 wrote to memory of 4304	4116	cmd.exe	90
PID 4116 wrote to memory of 4304	4116	cmd.exe	90
PID 4116 wrote to memory of 384	4116	cmd.exe	91
PID 4116 wrote to memory of 384	4116	cmd.exe	91
PID 4116 wrote to memory of 5000	4116	cmd.exe	92
PID 4116 wrote to memory of 5000	4116	cmd.exe	92
PID 4116 wrote to memory of 3532	4116	cmd.exe	93
PID 4116 wrote to memory of 3532	4116	cmd.exe	93
PID 1344 wrote to memory of 764	1344	file.exe	96
PID 2848 wrote to memory of 3400	2848	cmd.exe	99
PID 2848 wrote to memory of 3400	2848	cmd.exe	99
PID 2848 wrote to memory of 4512	2848	cmd.exe	100
PID 2848 wrote to memory of 4512	2848	cmd.exe	100
PID 2848 wrote to memory of 1028	2848	cmd.exe	101
PID 2848 wrote to memory of 1028	2848	cmd.exe	101
PID 2848 wrote to memory of 2448	2848	cmd.exe	102
PID 2848 wrote to memory of 2448	2848	cmd.exe	102
PID 764 wrote to memory of 624	764	dialer.exe	5
PID 764 wrote to memory of 696	764	dialer.exe	3
PID 764 wrote to memory of 976	764	dialer.exe	78
PID 764 wrote to memory of 408	764	dialer.exe	9
PID 696 wrote to memory of 2588	696	lsass.exe	26
PID 696 wrote to memory of 2588	696	lsass.exe	26
PID 764 wrote to memory of 756	764	dialer.exe	10
PID 764 wrote to memory of 648	764	dialer.exe	16
PID 696 wrote to memory of 2588	696	lsass.exe	26
PID 764 wrote to memory of 1016	764	dialer.exe	11
PID 696 wrote to memory of 2588	696	lsass.exe	26
PID 764 wrote to memory of 1032	764	dialer.exe	15
PID 764 wrote to memory of 1160	764	dialer.exe	13
PID 764 wrote to memory of 1184	764	dialer.exe	12
PID 764 wrote to memory of 1276	764	dialer.exe	77
PID 764 wrote to memory of 1324	764	dialer.exe	76
PID 764 wrote to memory of 1332	764	dialer.exe	75
PID 764 wrote to memory of 1348	764	dialer.exe	17
PID 764 wrote to memory of 1368	764	dialer.exe	74
PID 696 wrote to memory of 2588	696	lsass.exe	26
PID 764 wrote to memory of 1496	764	dialer.exe	73
PID 764 wrote to memory of 1512	764	dialer.exe	72
PID 764 wrote to memory of 1544	764	dialer.exe	71
PID 764 wrote to memory of 1592	764	dialer.exe	70
PID 764 wrote to memory of 1700	764	dialer.exe	69
PID 764 wrote to memory of 1772	764	dialer.exe	68
PID 764 wrote to memory of 1788	764	dialer.exe	67
PID 764 wrote to memory of 1900	764	dialer.exe	66
PID 764 wrote to memory of 1908	764	dialer.exe	65
PID 764 wrote to memory of 1984	764	dialer.exe	24
PID 764 wrote to memory of 2000	764	dialer.exe	23
PID 764 wrote to memory of 1720	764	dialer.exe	22
PID 764 wrote to memory of 2096	764	dialer.exe	20
PID 764 wrote to memory of 2124	764	dialer.exe	19
PID 764 wrote to memory of 2328	764	dialer.exe	18
PID 696 wrote to memory of 2588	696	lsass.exe	26
PID 1496 wrote to memory of 1140	1496	svchost.exe	108
PID 1496 wrote to memory of 1140	1496	svchost.exe	108
PID 764 wrote to memory of 1140	764	dialer.exe	108
PID 764 wrote to memory of 2344	764	dialer.exe	64
PID 764 wrote to memory of 2416	764	dialer.exe	63
PID 764 wrote to memory of 2428	764	dialer.exe	62
PID 764 wrote to memory of 2480	764	dialer.exe	61
PID 764 wrote to memory of 2488	764	dialer.exe	60
PID 1496 wrote to memory of 4608	1496	svchost.exe	109

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 696 -s 4140
  2⤵
  - Program crash
  PID:4260

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 624 -s 832
  2⤵
  - Program crash
  PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1160
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1348

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2096

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2604

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2556

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3804

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3516 -s 388
  2⤵
  - Program crash
  PID:2444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5032 -s 372
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4432

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:4632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:880

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4560

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3112
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4304
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:384
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5000
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3532
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llrrhwq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4300
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:936

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1140
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4608
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3600
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2388
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2948
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 184 -p 624 -ip 624
  2⤵
  PID:1956
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 500 -p 696 -ip 696
  2⤵
  PID:4360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 464 -p 3516 -ip 3516
  2⤵
  PID:3540
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 508 -p 5032 -ip 5032
  2⤵
  PID:2132

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:2948

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:60

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e4 00000084
1⤵
PID:4184

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD48.tmp.csv

Filesize
35KB

MD5
28a153d6cab49c481773bfe12e040996

SHA1
58f7dcd29d891c2dddaa2925fdd0288c34cecb0f

SHA256
0cb888b8840547c15135cc2a0d4c475c157a7746c443dd73f47008a0efcba019

SHA512
95acad76e8e7794be4506ddbae04a3e72d4ff8f32eda8088096580dda4d95bdc8c315ec7d89957c91c8c660a808150d98a239c1c6058ded32924842df1b3da6c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDB7.tmp.txt

Filesize
13KB

MD5
220bbef0d29c5b507ca476d3b7952363

SHA1
6b2da17e4ee835eb65d46e58dc6e15ad0046c3fa

SHA256
c9406b600c60f2343d241583735b22194e25e6e07c84cba7089bb491b7dccf78

SHA512
685dc238b0e7c38b4db8e3ca29f6a82cc2182b58d48d2d45385dc4ef41e55b03a57a5418979f0cc1a2408fe939f411f5f359e6d3b4128d4f8db019cb72e046eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4glktcza.qii.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/408-50-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/408-61-0x0000017746B20000-0x0000017746B47000-memory.dmp

Filesize
156KB

Download
memory/408-46-0x0000017746B20000-0x0000017746B47000-memory.dmp

Filesize
156KB

Download
memory/624-40-0x00007FFC0014D000-0x00007FFC0014E000-memory.dmp

Filesize
4KB

Download
memory/624-43-0x00007FFC0014F000-0x00007FFC00150000-memory.dmp

Filesize
4KB

Download
memory/624-110-0x000001D4B3450000-0x000001D4B3477000-memory.dmp

Filesize
156KB

Download
memory/624-37-0x000001D4B3450000-0x000001D4B3477000-memory.dmp

Filesize
156KB

Download
memory/624-34-0x000001D4B3420000-0x000001D4B3441000-memory.dmp

Filesize
132KB

Download
memory/648-66-0x000001C6E4190000-0x000001C6E41B7000-memory.dmp

Filesize
156KB

Download
memory/648-69-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/648-116-0x000001C6E4190000-0x000001C6E41B7000-memory.dmp

Filesize
156KB

Download
memory/696-41-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/696-38-0x0000027EC9D60000-0x0000027EC9D87000-memory.dmp

Filesize
156KB

Download
memory/696-58-0x00007FFC0014D000-0x00007FFC0014E000-memory.dmp

Filesize
4KB

Download
memory/696-56-0x0000027EC9D60000-0x0000027EC9D87000-memory.dmp

Filesize
156KB

Download
memory/756-64-0x000001C29EF10000-0x000001C29EF37000-memory.dmp

Filesize
156KB

Download
memory/756-53-0x000001C29EF10000-0x000001C29EF37000-memory.dmp

Filesize
156KB

Download
memory/756-55-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/764-19-0x00007FFC000B0000-0x00007FFC002A5000-memory.dmp

Filesize
2.0MB

Download
memory/764-54-0x00007FF661850000-0x00007FF661879000-memory.dmp

Filesize
164KB

Download
memory/764-20-0x00007FFBFF180000-0x00007FFBFF23E000-memory.dmp

Filesize
760KB

Download
memory/976-59-0x000001B3F6BA0000-0x000001B3F6BC7000-memory.dmp

Filesize
156KB

Download
memory/976-63-0x00007FFC0014C000-0x00007FFC0014D000-memory.dmp

Filesize
4KB

Download
memory/976-45-0x000001B3F6BA0000-0x000001B3F6BC7000-memory.dmp

Filesize
156KB

Download
memory/976-49-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/1016-67-0x0000023A79970000-0x0000023A79997000-memory.dmp

Filesize
156KB

Download
memory/1016-111-0x0000023A79970000-0x0000023A79997000-memory.dmp

Filesize
156KB

Download
memory/1016-68-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/1032-76-0x000001DA8E770000-0x000001DA8E797000-memory.dmp

Filesize
156KB

Download
memory/1032-77-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/1032-195-0x000001DA8E770000-0x000001DA8E797000-memory.dmp

Filesize
156KB

Download
memory/1140-209-0x000002739B650000-0x000002739B677000-memory.dmp

Filesize
156KB

Download
memory/1140-201-0x00007FFC000B0000-0x00007FFC002A5000-memory.dmp

Filesize
2.0MB

Download
memory/1140-197-0x000002739B650000-0x000002739B677000-memory.dmp

Filesize
156KB

Download
memory/1140-202-0x00007FFC000B0000-0x00007FFC002A5000-memory.dmp

Filesize
2.0MB

Download
memory/1140-205-0x00007FFC000B0000-0x00007FFC002A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-78-0x00000192DDB60000-0x00000192DDB87000-memory.dmp

Filesize
156KB

Download
memory/1160-81-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/1160-87-0x00000192DDB60000-0x00000192DDB87000-memory.dmp

Filesize
156KB

Download
memory/1184-82-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/1184-79-0x000001F15A3D0000-0x000001F15A3F7000-memory.dmp

Filesize
156KB

Download
memory/1184-86-0x000001F15A3D0000-0x000001F15A3F7000-memory.dmp

Filesize
156KB

Download
memory/1276-94-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/1276-214-0x000001B939FD0000-0x000001B939FF7000-memory.dmp

Filesize
156KB

Download
memory/1276-92-0x000001B939FD0000-0x000001B939FF7000-memory.dmp

Filesize
156KB

Download
memory/1324-97-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/1324-210-0x0000019ABF5C0000-0x0000019ABF5E7000-memory.dmp

Filesize
156KB

Download
memory/1324-96-0x0000019ABF5C0000-0x0000019ABF5E7000-memory.dmp

Filesize
156KB

Download
memory/1332-104-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/1332-101-0x000001753F990000-0x000001753F9B7000-memory.dmp

Filesize
156KB

Download
memory/1332-107-0x000001753F990000-0x000001753F9B7000-memory.dmp

Filesize
156KB

Download
memory/1344-0-0x00007FF71DAF0000-0x00007FF71E0B6000-memory.dmp

Filesize
5.8MB

Download
memory/1344-48-0x00007FF71DAF0000-0x00007FF71E0B6000-memory.dmp

Filesize
5.8MB

Download
memory/1348-103-0x000001FDFB160000-0x000001FDFB187000-memory.dmp

Filesize
156KB

Download
memory/1348-105-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

Filesize
64KB

Download
memory/1368-120-0x0000025AE6560000-0x0000025AE6587000-memory.dmp

Filesize
156KB

Download
memory/1368-114-0x0000025AE6560000-0x0000025AE6587000-memory.dmp

Filesize
156KB

Download
memory/1496-117-0x000001851FF00000-0x000001851FF27000-memory.dmp

Filesize
156KB

Download
memory/1496-125-0x000001851FF00000-0x000001851FF27000-memory.dmp

Filesize
156KB

Download
memory/1512-129-0x000001D26B660000-0x000001D26B687000-memory.dmp

Filesize
156KB

Download
memory/1544-134-0x000002161A770000-0x000002161A797000-memory.dmp

Filesize
156KB

Download
memory/1592-140-0x0000026AE38B0000-0x0000026AE38D7000-memory.dmp

Filesize
156KB

Download
memory/1700-145-0x0000026716D60000-0x0000026716D87000-memory.dmp

Filesize
156KB

Download
memory/1720-171-0x00000000015E0000-0x0000000001607000-memory.dmp

Filesize
156KB

Download
memory/1772-150-0x000001AEE9F70000-0x000001AEE9F97000-memory.dmp

Filesize
156KB

Download
memory/1788-155-0x0000021754B70000-0x0000021754B97000-memory.dmp

Filesize
156KB

Download
memory/1900-159-0x00000273F5290000-0x00000273F52B7000-memory.dmp

Filesize
156KB

Download
memory/1908-166-0x000001E2865D0000-0x000001E2865F7000-memory.dmp

Filesize
156KB

Download
memory/1952-13-0x0000012C9A1F0000-0x0000012C9A200000-memory.dmp

Filesize
64KB

Download
memory/1952-14-0x0000012C9A1F0000-0x0000012C9A200000-memory.dmp

Filesize
64KB

Download
memory/1952-16-0x00007FFBE1920000-0x00007FFBE23E1000-memory.dmp

Filesize
10.8MB

Download
memory/1952-12-0x0000012C9A1F0000-0x0000012C9A200000-memory.dmp

Filesize
64KB

Download
memory/1952-11-0x00007FFBE1920000-0x00007FFBE23E1000-memory.dmp

Filesize
10.8MB

Download
memory/1952-6-0x0000012C9A460000-0x0000012C9A482000-memory.dmp

Filesize
136KB

Download
memory/1984-164-0x00000244A4180000-0x00000244A41A7000-memory.dmp

Filesize
156KB

Download
memory/2000-188-0x000001FA2DD00000-0x000001FA2DD27000-memory.dmp

Filesize
156KB

Download
memory/2096-190-0x0000020A0A060000-0x0000020A0A087000-memory.dmp

Filesize
156KB

Download
memory/2124-193-0x000002C10F640000-0x000002C10F667000-memory.dmp

Filesize
156KB

Download
memory/2344-219-0x000002740DFD0000-0x000002740DFF7000-memory.dmp

Filesize
156KB

Download
memory/2416-225-0x000001E79EFD0000-0x000001E79EFF7000-memory.dmp

Filesize
156KB

Download
memory/2480-231-0x00000158EC640000-0x00000158EC667000-memory.dmp

Filesize
156KB

Download
memory/2488-238-0x000002A2C0720000-0x000002A2C0747000-memory.dmp

Filesize
156KB

Download
memory/2556-249-0x0000025A059D0000-0x0000025A059F7000-memory.dmp

Filesize
156KB

Download
memory/2588-254-0x0000020300030000-0x0000020300057000-memory.dmp

Filesize
156KB

Download
memory/2604-255-0x00000287A23D0000-0x00000287A23F7000-memory.dmp

Filesize
156KB

Download
memory/2624-83-0x00007FFBE1920000-0x00007FFBE23E1000-memory.dmp

Filesize
10.8MB

Download
memory/2624-99-0x000001A4483F0000-0x000001A448400000-memory.dmp

Filesize
64KB

Download
memory/2624-109-0x000001A4483F0000-0x000001A448400000-memory.dmp

Filesize
64KB

Download
memory/2624-21-0x00007FFBE1920000-0x00007FFBE23E1000-memory.dmp

Filesize
10.8MB

Download
memory/2624-22-0x000001A4483F0000-0x000001A448400000-memory.dmp

Filesize
64KB

Download
memory/2624-23-0x000001A4483F0000-0x000001A448400000-memory.dmp

Filesize
64KB

Download
memory/4608-244-0x0000016EF77B0000-0x0000016EF77D7000-memory.dmp

Filesize
156KB

Download
memory/4608-252-0x00007FFC000B0000-0x00007FFC002A5000-memory.dmp

Filesize
2.0MB

Download