8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
Size

349KB
MD5

869164c334d4375d7eb568102c6513f0
SHA1

fb0a446791a8c4c3e8853f37593963d13b037f8e
SHA256

8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3
SHA512

413f22e45bda3c875e90ba0bada65f35b0682f737325afb3f80e84ccd670c17f7a0fe274806eb743447057146a4991723c981efb509f571f2857e73c57387542
SSDEEP

6144:YeC4EwZFoobUk8qp0qpgogZfpjkNYL7RI:8fhuLwflks7RI

Score

10^/10

evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	kt2uhctm.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	kt2uhctm.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	kt2uhctm.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
1908	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1124	kt2uhctm.bat

Loads dropped DLL 1 IoCs

pid	Process
2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	kt2uhctm.bat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
9	api.ipify.org

Launches sc.exe 22 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1652	sc.exe
2836	sc.exe
1404	sc.exe
2112	sc.exe
1616	sc.exe
484	sc.exe
3016	sc.exe
1532	sc.exe
1524	sc.exe
2916	sc.exe
2884	sc.exe
1160	sc.exe
1180	sc.exe
2776	sc.exe
2152	sc.exe
2356	sc.exe
280	sc.exe
2792	sc.exe
2740	sc.exe
2952	sc.exe
1708	sc.exe
2604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1452	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
936	powershell.exe
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
2480	powershell.exe
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat
1124	kt2uhctm.bat

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
Token: SeDebugPrivilege	1124	kt2uhctm.bat
Token: SeSecurityPrivilege	2972	wevtutil.exe
Token: SeBackupPrivilege	2972	wevtutil.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1652	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	31
PID 2524 wrote to memory of 1652	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	31
PID 2524 wrote to memory of 1652	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	31
PID 2524 wrote to memory of 1180	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	30
PID 2524 wrote to memory of 1180	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	30
PID 2524 wrote to memory of 1180	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	30
PID 2524 wrote to memory of 2728	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	34
PID 2524 wrote to memory of 2728	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	34
PID 2524 wrote to memory of 2728	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	34
PID 2524 wrote to memory of 2836	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	36
PID 2524 wrote to memory of 2836	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	36
PID 2524 wrote to memory of 2836	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	36
PID 2728 wrote to memory of 2776	2728	cmd.exe	38
PID 2728 wrote to memory of 2776	2728	cmd.exe	38
PID 2728 wrote to memory of 2776	2728	cmd.exe	38
PID 2524 wrote to memory of 2912	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	39
PID 2524 wrote to memory of 2912	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	39
PID 2524 wrote to memory of 2912	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	39
PID 2524 wrote to memory of 2916	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	41
PID 2524 wrote to memory of 2916	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	41
PID 2524 wrote to memory of 2916	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	41
PID 2912 wrote to memory of 2884	2912	cmd.exe	43
PID 2912 wrote to memory of 2884	2912	cmd.exe	43
PID 2912 wrote to memory of 2884	2912	cmd.exe	43
PID 2524 wrote to memory of 2784	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	44
PID 2524 wrote to memory of 2784	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	44
PID 2524 wrote to memory of 2784	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	44
PID 2524 wrote to memory of 2792	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	46
PID 2524 wrote to memory of 2792	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	46
PID 2524 wrote to memory of 2792	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	46
PID 2524 wrote to memory of 2664	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	48
PID 2524 wrote to memory of 2664	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	48
PID 2524 wrote to memory of 2664	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	48
PID 2784 wrote to memory of 2740	2784	cmd.exe	50
PID 2784 wrote to memory of 2740	2784	cmd.exe	50
PID 2784 wrote to memory of 2740	2784	cmd.exe	50
PID 2664 wrote to memory of 2152	2664	cmd.exe	51
PID 2664 wrote to memory of 2152	2664	cmd.exe	51
PID 2664 wrote to memory of 2152	2664	cmd.exe	51
PID 2524 wrote to memory of 2072	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	52
PID 2524 wrote to memory of 2072	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	52
PID 2524 wrote to memory of 2072	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	52
PID 2072 wrote to memory of 2356	2072	cmd.exe	54
PID 2072 wrote to memory of 2356	2072	cmd.exe	54
PID 2072 wrote to memory of 2356	2072	cmd.exe	54
PID 2524 wrote to memory of 1124	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	55
PID 2524 wrote to memory of 1124	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	55
PID 2524 wrote to memory of 1124	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	55
PID 2524 wrote to memory of 1908	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	56
PID 2524 wrote to memory of 1908	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	56
PID 2524 wrote to memory of 1908	2524	8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe	56
PID 1124 wrote to memory of 2952	1124	kt2uhctm.bat	58
PID 1124 wrote to memory of 2952	1124	kt2uhctm.bat	58
PID 1124 wrote to memory of 2952	1124	kt2uhctm.bat	58
PID 1124 wrote to memory of 1708	1124	kt2uhctm.bat	59
PID 1124 wrote to memory of 1708	1124	kt2uhctm.bat	59
PID 1124 wrote to memory of 1708	1124	kt2uhctm.bat	59
PID 1908 wrote to memory of 2504	1908	cmd.exe	62
PID 1908 wrote to memory of 2504	1908	cmd.exe	62
PID 1908 wrote to memory of 2504	1908	cmd.exe	62
PID 1908 wrote to memory of 352	1908	cmd.exe	63
PID 1908 wrote to memory of 352	1908	cmd.exe	63
PID 1908 wrote to memory of 352	1908	cmd.exe	63
PID 1908 wrote to memory of 1452	1908	cmd.exe	64

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2504	attrib.exe
564	attrib.exe
1540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe
"C:\Users\Admin\AppData\Local\Temp\8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WerSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1180
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config wdfilter start=disabled
  2⤵
  - Launches sc.exe
  PID:1652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\sc.exe
    sc stop wdfilter
    3⤵
    - Launches sc.exe
    PID:2776
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:2836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\sc.exe
    sc stop WerSvc
    3⤵
    - Launches sc.exe
    PID:2884
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\sc.exe
    sc stop WdNisSvc
    3⤵
    - Launches sc.exe
    PID:2740
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
  2⤵
  - Launches sc.exe
  PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\sc.exe
    sc stop XblGameSave
    3⤵
    - Launches sc.exe
    PID:2356
- C:\Users\Admin\AppData\Local\Temp\kt2uhctm.bat
  "C:\Users\Admin\AppData\Local\Temp\kt2uhctm.bat" ok
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config wdfilter start=disabled
    3⤵
    - Launches sc.exe
    PID:2952
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:2716
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:2112
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WinDefend start=disabled
    3⤵
    - Launches sc.exe
    PID:1404
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
    3⤵
    PID:2104
  - - C:\Windows\system32\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:484
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
    3⤵
    PID:264
  - - C:\Windows\system32\sc.exe
      sc stop WdNisSvc
      4⤵
      Launches sc.exe
      PID:3016
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
    3⤵
    - Launches sc.exe
    PID:2604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    PID:708
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:1160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
    3⤵
    PID:1096
  - - C:\Windows\system32\sc.exe
      sc stop XblGameSave
      4⤵
      Launches sc.exe
      PID:280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:1536
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:1532
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop faceit
    3⤵
    PID:2204
  - - C:\Windows\system32\sc.exe
      sc stop faceit
      4⤵
      Launches sc.exe
      PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fd2542da-9e37-4135-ae7d-465615e60e99.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe"
    3⤵
    - Views/modifies file attributes
    PID:2504
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:352
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:1452
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\8195a6bc151cff05fa45062d140cf304f86fc8f33f64efa9a6c6dff24673ada3N.exe"
    3⤵
    - Views/modifies file attributes
    PID:564
- - C:\Windows\system32\wevtutil.exe
    wevtutil el
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\fd2542da-9e37-4135-ae7d-465615e60e99.bat"
    3⤵
    - Views/modifies file attributes
    PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fd2542da-9e37-4135-ae7d-465615e60e99.bat

Filesize
780B

MD5
bd46ae050d7e66311b37a4484a327066

SHA1
543b3e6aa7fd3cc33d956f66dafb41b83e7e65d5

SHA256
4b978e259b9219c239044a8d810d2525bef63501e6dfd8a883eed5c8e80d4a00

SHA512
045abc1601591a6659a45692a6bb785a8589f90fc6d12c3ee67ac3289cedf8c745e8e41fd213ef3bdd0f411ee7636705440fe1db2af2c4a04955a9866a207b88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RRGYL73DTXJGAVKLQE48.temp

Filesize
7KB

MD5
89edcee60b6018b55223831ad5b97653

SHA1
6c61c18b9fbf1ca97c4e3993029e326b3806fe61

SHA256
fa4589b0d6df9fc368cc4693b39e3f8aee4e2acca03a224ba0642e7b9ea28559

SHA512
e92f0b5247c9a83f30fc0ec794a1e1e460507afb6b7fd914000b1e1fc6f22d5647728fda32e38c1874069736a4442f2567bab0f600b4b29011df9e6dafc2f563

Download Submit
C:\Users\Admin\AppData\Roaming\spf\unknown.log

Filesize
190B

MD5
b0dce94b7cc11fe305cf25475b709844

SHA1
f4fa3c9a7a7efa8e60de732da522057c3946bd85

SHA256
83b9fadce7361d8b70862c32fd931ab296705b3c18969be1111ae980217a43be

SHA512
70aa1ade56b29da6340664adca20154fd95712df770f8d7687c92567ebe9627a8a68122fb95250b3d97c2e7987ba4b827234773bdd2c413c250c602538bbf82e

Download Submit
\Users\Admin\AppData\Local\Temp\kt2uhctm.bat

Filesize
350KB

MD5
9a835a8f8ad4bcb6dfea77be4dd07692

SHA1
e9e4191fb9f37645be7f92039714cc10591056e3

SHA256
51158d7da1a4539275d42a3a4495ff906b1a3423969eb0c1f1de5ca7f1bd8066

SHA512
6b39ec08b1dab5d41ef48bf5b7df6db46427bc04456b9ac87223508805f84d8abc48297db2c546d223198cfd9bd8fadb79f3849bdfa65a8c4d0216fe8154e421

Download Submit
memory/936-29-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/936-28-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1124-14-0x000000013EE30000-0x000000013EE6E000-memory.dmp

Filesize
248KB

Download
memory/2480-35-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2480-36-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2524-18-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x000000013E1B0000-0x000000013E1EE000-memory.dmp

Filesize
248KB

Download