d261cc4cc40165817ae64ca19140e5c574f36d97c703165256e92e1df02becd0

Resubmissions

25/04/2023, 20:18

230425-y3j7yscg23 10

Analysis

max time kernel
478s
max time network
482s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 20:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Executables/POWER.cmd
Size

6KB
MD5

bfbb809dea0ad939fa9af484ba27f6e7
SHA1

189e7b5f5fa10e3722797bd034250674b32c75e4
SHA256

71cedd088351abdc9c230b3bd70a1f991d126ead5e4140b4936c535352ac64d6
SHA512

eea305245079f6790851060edd06a9c465d7b1916fdd42ae2597bef585edf0f78ba66dbc94dd522b6490a72f046b3409b3ed7fc91abada42580af7d124c12d3b
SSDEEP

192:/e+zEifjkzn0ClwyTf5JuT+P8hvLzp83qkOh:GZlnffuSPy

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UINumber	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Address	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ClassGUID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\InitialTimestamp	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\InitialTimestamp	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestamp	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UINumber	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\MinimumIdleTimeoutInMS	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2512	powershell.exe
2512	powershell.exe
4184	powershell.exe
4184	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2468	WMIC.exe
Token: SeSecurityPrivilege	2468	WMIC.exe
Token: SeTakeOwnershipPrivilege	2468	WMIC.exe
Token: SeLoadDriverPrivilege	2468	WMIC.exe
Token: SeSystemProfilePrivilege	2468	WMIC.exe
Token: SeSystemtimePrivilege	2468	WMIC.exe
Token: SeProfSingleProcessPrivilege	2468	WMIC.exe
Token: SeIncBasePriorityPrivilege	2468	WMIC.exe
Token: SeCreatePagefilePrivilege	2468	WMIC.exe
Token: SeBackupPrivilege	2468	WMIC.exe
Token: SeRestorePrivilege	2468	WMIC.exe
Token: SeShutdownPrivilege	2468	WMIC.exe
Token: SeDebugPrivilege	2468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2468	WMIC.exe
Token: SeRemoteShutdownPrivilege	2468	WMIC.exe
Token: SeUndockPrivilege	2468	WMIC.exe
Token: SeManageVolumePrivilege	2468	WMIC.exe
Token: 33	2468	WMIC.exe
Token: 34	2468	WMIC.exe
Token: 35	2468	WMIC.exe
Token: 36	2468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2468	WMIC.exe
Token: SeSecurityPrivilege	2468	WMIC.exe
Token: SeTakeOwnershipPrivilege	2468	WMIC.exe
Token: SeLoadDriverPrivilege	2468	WMIC.exe
Token: SeSystemProfilePrivilege	2468	WMIC.exe
Token: SeSystemtimePrivilege	2468	WMIC.exe
Token: SeProfSingleProcessPrivilege	2468	WMIC.exe
Token: SeIncBasePriorityPrivilege	2468	WMIC.exe
Token: SeCreatePagefilePrivilege	2468	WMIC.exe
Token: SeBackupPrivilege	2468	WMIC.exe
Token: SeRestorePrivilege	2468	WMIC.exe
Token: SeShutdownPrivilege	2468	WMIC.exe
Token: SeDebugPrivilege	2468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2468	WMIC.exe
Token: SeRemoteShutdownPrivilege	2468	WMIC.exe
Token: SeUndockPrivilege	2468	WMIC.exe
Token: SeManageVolumePrivilege	2468	WMIC.exe
Token: 33	2468	WMIC.exe
Token: 34	2468	WMIC.exe
Token: 35	2468	WMIC.exe
Token: 36	2468	WMIC.exe
Token: SeShutdownPrivilege	1572	powercfg.exe
Token: SeCreatePagefilePrivilege	1572	powercfg.exe
Token: SeShutdownPrivilege	1572	powercfg.exe
Token: SeCreatePagefilePrivilege	1572	powercfg.exe
Token: SeSecurityPrivilege	1944	wevtutil.exe
Token: SeBackupPrivilege	1944	wevtutil.exe
Token: SeSecurityPrivilege	1432	wevtutil.exe
Token: SeBackupPrivilege	1432	wevtutil.exe
Token: SeSecurityPrivilege	1304	wevtutil.exe
Token: SeBackupPrivilege	1304	wevtutil.exe
Token: SeShutdownPrivilege	32	powercfg.exe
Token: SeCreatePagefilePrivilege	32	powercfg.exe
Token: SeShutdownPrivilege	216	powercfg.exe
Token: SeCreatePagefilePrivilege	216	powercfg.exe
Token: SeShutdownPrivilege	1340	powercfg.exe
Token: SeCreatePagefilePrivilege	1340	powercfg.exe
Token: SeShutdownPrivilege	2832	powercfg.exe
Token: SeCreatePagefilePrivilege	2832	powercfg.exe
Token: SeShutdownPrivilege	3736	powercfg.exe
Token: SeCreatePagefilePrivilege	3736	powercfg.exe
Token: SeShutdownPrivilege	4028	powercfg.exe
Token: SeCreatePagefilePrivilege	4028	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 2652	544	cmd.exe	83
PID 544 wrote to memory of 2652	544	cmd.exe	83
PID 2652 wrote to memory of 2468	2652	cmd.exe	84
PID 2652 wrote to memory of 2468	2652	cmd.exe	84
PID 2652 wrote to memory of 2704	2652	cmd.exe	85
PID 2652 wrote to memory of 2704	2652	cmd.exe	85
PID 544 wrote to memory of 1572	544	cmd.exe	86
PID 544 wrote to memory of 1572	544	cmd.exe	86
PID 544 wrote to memory of 1944	544	cmd.exe	87
PID 544 wrote to memory of 1944	544	cmd.exe	87
PID 544 wrote to memory of 1432	544	cmd.exe	88
PID 544 wrote to memory of 1432	544	cmd.exe	88
PID 544 wrote to memory of 1304	544	cmd.exe	89
PID 544 wrote to memory of 1304	544	cmd.exe	89
PID 544 wrote to memory of 32	544	cmd.exe	90
PID 544 wrote to memory of 32	544	cmd.exe	90
PID 544 wrote to memory of 216	544	cmd.exe	91
PID 544 wrote to memory of 216	544	cmd.exe	91
PID 544 wrote to memory of 1340	544	cmd.exe	92
PID 544 wrote to memory of 1340	544	cmd.exe	92
PID 544 wrote to memory of 2832	544	cmd.exe	93
PID 544 wrote to memory of 2832	544	cmd.exe	93
PID 544 wrote to memory of 3736	544	cmd.exe	94
PID 544 wrote to memory of 3736	544	cmd.exe	94
PID 544 wrote to memory of 4028	544	cmd.exe	95
PID 544 wrote to memory of 4028	544	cmd.exe	95
PID 544 wrote to memory of 4004	544	cmd.exe	96
PID 544 wrote to memory of 4004	544	cmd.exe	96
PID 544 wrote to memory of 2272	544	cmd.exe	97
PID 544 wrote to memory of 2272	544	cmd.exe	97
PID 544 wrote to memory of 3120	544	cmd.exe	98
PID 544 wrote to memory of 3120	544	cmd.exe	98
PID 544 wrote to memory of 2580	544	cmd.exe	99
PID 544 wrote to memory of 2580	544	cmd.exe	99
PID 544 wrote to memory of 4740	544	cmd.exe	100
PID 544 wrote to memory of 4740	544	cmd.exe	100
PID 544 wrote to memory of 2728	544	cmd.exe	101
PID 544 wrote to memory of 2728	544	cmd.exe	101
PID 544 wrote to memory of 2960	544	cmd.exe	102
PID 544 wrote to memory of 2960	544	cmd.exe	102
PID 544 wrote to memory of 1876	544	cmd.exe	103
PID 544 wrote to memory of 1876	544	cmd.exe	103
PID 544 wrote to memory of 3332	544	cmd.exe	104
PID 544 wrote to memory of 3332	544	cmd.exe	104
PID 544 wrote to memory of 4624	544	cmd.exe	105
PID 544 wrote to memory of 4624	544	cmd.exe	105
PID 544 wrote to memory of 436	544	cmd.exe	106
PID 544 wrote to memory of 436	544	cmd.exe	106
PID 544 wrote to memory of 2256	544	cmd.exe	107
PID 544 wrote to memory of 2256	544	cmd.exe	107
PID 544 wrote to memory of 1904	544	cmd.exe	108
PID 544 wrote to memory of 1904	544	cmd.exe	108
PID 544 wrote to memory of 2512	544	cmd.exe	109
PID 544 wrote to memory of 2512	544	cmd.exe	109
PID 544 wrote to memory of 2312	544	cmd.exe	110
PID 544 wrote to memory of 2312	544	cmd.exe	110
PID 544 wrote to memory of 4184	544	cmd.exe	111
PID 544 wrote to memory of 4184	544	cmd.exe	111
PID 544 wrote to memory of 1280	544	cmd.exe	113
PID 544 wrote to memory of 1280	544	cmd.exe	113
PID 1280 wrote to memory of 4356	1280	cmd.exe	114
PID 1280 wrote to memory of 4356	1280	cmd.exe	114
PID 1280 wrote to memory of 1792	1280	cmd.exe	115
PID 1280 wrote to memory of 1792	1280	cmd.exe	115

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\POWER.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_SystemEnclosure get ChassisTypes | findstr [0-9]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_SystemEnclosure get ChassisTypes
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:2704
- C:\Windows\system32\powercfg.exe
  powercfg -h off
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\system32\wevtutil.exe
  wevtutil set-log "Microsoft-Windows-SleepStudy/Diagnostic" /e:false
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\system32\wevtutil.exe
  wevtutil set-log "Microsoft-Windows-Kernel-Processor-Power/Diagnostic" /e:false
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\system32\wevtutil.exe
  wevtutil set-log "Microsoft-Windows-UserModePowerService/Diagnostic" /e:false
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\system32\powercfg.exe
  powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 11111111-1111-1111-1111-111111111111
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- C:\Windows\system32\powercfg.exe
  powercfg -setactive 11111111-1111-1111-1111-111111111111
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\system32\powercfg.exe
  powercfg -changename scheme_current "Atlas Power Scheme" "Power scheme optimized for optimal latency and performance."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 0012ee47-9041-4b5d-9b77-535fba8b1442 d3d55efd-c1ff-424e-9dc3-441be7833010 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 0012ee47-9041-4b5d-9b77-535fba8b1442 d639518a-e56d-4345-8af2-b9f32fb26109 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 0012ee47-9041-4b5d-9b77-535fba8b1442 fc7372b6-ab2d-43ee-8797-15e9841f2cca 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 0d7dbae2-4294-402a-ba8e-26777e8488cd 309dce9b-bef4-4119-9921-a851fb12f0f4 1
  2⤵
  PID:4004
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 238c9fa8-0aad-41ed-83f4-97be242c8f20 25dfa149-5dd1-4736-b5ab-e8a37b5b8187 0
  2⤵
  PID:2272
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 238c9fa8-0aad-41ed-83f4-97be242c8f20 7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 0
  2⤵
  PID:3120
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 238c9fa8-0aad-41ed-83f4-97be242c8f20 94ac6d29-73ce-41a6-809f-6363ba21b47e 0
  2⤵
  PID:2580
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 238c9fa8-0aad-41ed-83f4-97be242c8f20 abfc2519-3608-4c2a-94ea-171b0ed546ab 0
  2⤵
  PID:4740
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 0
  2⤵
  PID:2728
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 2a737441-1930-4402-8d77-b2bebba308a3 0853a681-27c8-4100-a2fd-82013e970683 0
  2⤵
  PID:2960
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  PID:1876
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 2a737441-1930-4402-8d77-b2bebba308a3 d4e98f31-5ffe-4ce1-be31-1b38b384c009 0
  2⤵
  PID:3332
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 2e601130-5351-4d9d-8e04-252966bad054 d502f7ee-1dc7-4efd-a55d-f04b6f5c0545 0
  2⤵
  PID:4624
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 54533251-82be-4824-96c1-47b60b740d00 3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb 0
  2⤵
  PID:436
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 7516b95f-f776-4464-8c53-06167f40cc99 17aaa29b-8b43-4b94-aafe-35f64daaf1ee 0
  2⤵
  PID:2256
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current 7516b95f-f776-4464-8c53-06167f40cc99 3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e 0
  2⤵
  PID:1904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoP -C "$cpu = Get-CimInstance Win32_Processor; $cpuName = $cpu.Name; $cpuGen = [int]($cpuName.Substring(0, 2)); if ($cpuGen -gt 11) { powercfg -setacvalueindex scheme_current sub_processor HETEROPOLICY 0; powercfg -setacvalueindex scheme_current sub_processor SCHEDPOLICY 2; }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Windows\system32\powercfg.exe
  powercfg -setactive scheme_current
  2⤵
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoP -C "$usb_devices = @('Win32_USBController', 'Win32_USBControllerDevice', 'Win32_USBHub'); $power_device_enable = Get-WmiObject MSPower_DeviceEnable -Namespace root\wmi; foreach ($power_device in $power_device_enable){$instance_name = $power_device.InstanceName.ToUpper(); foreach ($device in $usb_devices){foreach ($hub in Get-WmiObject $device){$pnp_id = $hub.PNPDeviceID; if ($instance_name -like \"*$pnp_id*\"){$power_device.enable = $False; $power_device.psbase.put()}}}}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3" | findstr "HKEY"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3"
    3⤵
    - Checks SCSI registry key(s)
    PID:4356
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1792
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f
  2⤵
  PID:4476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported" | findstr "HKEY"
  2⤵
  PID:4228
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported"
    3⤵
    - Checks SCSI registry key(s)
    PID:3188
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended" | findstr "HKEY"
  2⤵
  PID:4256
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended"
    3⤵
    - Checks SCSI registry key(s)
    PID:1744
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3940
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f
  2⤵
  PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement" | findstr "HKEY"
  2⤵
  PID:3968
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement"
    3⤵
    - Checks SCSI registry key(s)
    PID:4396
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3856
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
  2⤵
  PID:4040
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
  2⤵
  PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend" | findstr "HKEY"
  2⤵
  PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend"
    3⤵
    - Checks SCSI registry key(s)
    PID:2080
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1652
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\ROOT_HUB20\4&3104efd0&0\Device Parameters" /v "EnableSelectiveSuspend" /t REG_DWORD /d "0" /f
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled" | findstr "HKEY"
  2⤵
  PID:3920
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled"
    3⤵
    - Checks SCSI registry key(s)
    PID:2184
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4000
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState" | findstr "HKEY"
  2⤵
  PID:4608
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState"
    3⤵
    - Checks SCSI registry key(s)
    PID:3308
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled" | findstr "HKEY"
  2⤵
  PID:4408
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled"
    3⤵
    - Checks SCSI registry key(s)
    PID:3404
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2148
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn" | findstr "HKEY"
  2⤵
  PID:3616
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn"
    3⤵
    - Checks SCSI registry key(s)
    PID:3916
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4868
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "SelectiveSuspendOn" /t REG_DWORD /d "0" /f
  2⤵
  PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled" | findstr "HKEY"
  2⤵
  PID:2348
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled"
    3⤵
    - Checks SCSI registry key(s)
    PID:3408
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WakeEnabled" | findstr "HKEY"
  2⤵
  PID:4744
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1428
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WakeEnabled"
    3⤵
    - Checks SCSI registry key(s)
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable" | findstr "HKEY"
  2⤵
  PID:2448
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable"
    3⤵
    - Checks SCSI registry key(s)
    PID:2784
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4288
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2668&SUBSYS_11001AF4&REV_01\3&11583659&0&28\Device Parameters\WDF" /v "WdfDirectedPowerTransitionEnable" /t REG_DWORD /d "0" /f
  2⤵
  PID:3460
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Storage" /v "StorageD3InModernStandby" /t REG_DWORD /d "0" /f
  2⤵
  PID:1028
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\stornvme\Parameters\Device" /v "IdlePowerMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:4860
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3bfc414667e1ebc31e9259fa1db290fa

SHA1
9bff989429779efef334e5524a362e7b6ff266cb

SHA256
b58f994c644f7b4a831e889630bfd7ca0860aeb1e0920dc0f5d4928585a9dbab

SHA512
e6cb000e8f900132f7dc661f943b8e91e945d171157ff3289b91e9d79f70230e363ed65b7ec97f451b376cf4706a14de9a86193e72dcea8fe3aa8c86c6117d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b570d4690855f1ce5fdc16b2806abe6

SHA1
69c1e90764d32d9b5fb8835eaf076dbdf3cb6690

SHA256
ae08d7c4339cdf96ab5f9d839f33ea37a8151efa5a7370acfd6e432fc8a1926e

SHA512
4dcf0f8972336fc125f6410b2b1b77c0f51a4218a5c84961158fb44a1e1d011821b4fd04e3ee95e111449b86b6794963a2b80305cf98205d6b64befece0f72a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4t5g5jab.5qy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2512-138-0x000001654BB00000-0x000001654BB22000-memory.dmp

Filesize
136KB

Download
memory/2512-143-0x000001654BBD0000-0x000001654BBE0000-memory.dmp

Filesize
64KB

Download
memory/2512-144-0x000001654BBD0000-0x000001654BBE0000-memory.dmp

Filesize
64KB

Download
memory/2512-145-0x000001654BBD0000-0x000001654BBE0000-memory.dmp

Filesize
64KB

Download
memory/2512-146-0x000001654BB90000-0x000001654BBBA000-memory.dmp

Filesize
168KB

Download
memory/2512-147-0x000001654BB90000-0x000001654BBB4000-memory.dmp

Filesize
144KB

Download
memory/4184-160-0x000001BF5F290000-0x000001BF5F2A0000-memory.dmp

Filesize
64KB

Download
memory/4184-161-0x000001BF5F290000-0x000001BF5F2A0000-memory.dmp

Filesize
64KB

Download
memory/4184-163-0x000001BF5F290000-0x000001BF5F2A0000-memory.dmp

Filesize
64KB

Download