Analysis Overview
SHA256
bd035666f01df67518bf6a7976e58d019fe4281b7cc959bc623b5bbc8cb6aa31
Threat Level: Shows suspicious behavior
The file Octo Free Tweaking Utility V1.0.bat was found to show suspicious behavior.
Malicious Activity Summary
Modifies system executable filetype association
Event Triggered Execution: Component Object Model Hijacking
Power Settings
Command and Scripting Interpreter: PowerShell
Drops desktop.ini file(s)
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:38
Reported
2024-11-09 21:39
Platform
win7-20240903-en
Max time kernel
55s
Max time network
16s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 6 |
Power Settings
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\helppane.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 5 |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\helppane.exe | N/A | 4 |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A | 59 |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A | 1 |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\helppane.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Windows\helppane.exe | N/A | 2 |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
C:\Windows\system32\powercfg.exe
powercfg -change -monitor-timeout-ac 0
C:\Windows\system32\powercfg.exe
powercfg -change -monitor-timeout-dc 0
C:\Windows\system32\powercfg.exe
powercfg -change -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
powercfg -change -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
powercfg -setactive scheme_max
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_display brightness 100
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_display brightness 100
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_disk disk_idle 0
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_disk disk_idle 0
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_disk idle_time 0
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_disk idle_time 0
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_usb selective_suspend 0
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_usb selective_suspend 0
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_video adaptive_display 0
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_video adaptive_display 0
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_display brightness 100
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_display brightness 100
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_cpu idle_timeout 0
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_cpu idle_timeout 0
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_hybrid sleep 0
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_hybrid sleep 0
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_graphics adaptive_graphics 0
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_graphics adaptive_graphics 0
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_processor PERFDISPLAY 0
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_processor PERFDISPLAY 0
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_processor PROCFREQUENCY 100
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_processor PROCFREQUENCY 100
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_video dynamic_contrast 0
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_video dynamic_contrast 0
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_dvd video_speed 100
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_dvd video_speed 100
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_system cooling_policy 1
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_system cooling_policy 1
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_system processor_power_policy 1
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_system processor_power_policy 1
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_memory standby_policy 1
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_memory standby_policy 1
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_system cpu_core 100
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_system cpu_core 100
C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_max sub_processor clock_speed 100
C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_max sub_processor clock_speed 100
C:\Windows\system32\powercfg.exe
powercfg -h off
[The cmd.exe /c findstr, findstr.exe and powercfg.exe sequence above (from the second cmd.exe through powercfg -h off, without helppane.exe) was recorded four more times with identical command lines.]
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-CimInstance -ClassName Win32_StartupCommand | Remove-CimInstance"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-Service -Name "wuauserv" -StartupType Disabled # Windows Update Service"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-Service -Name "Spooler" -StartupType Disabled # Print Spooler"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-Service -Name "RemoteRegistry" -StartupType Disabled"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-Service -Name "Superfetch" -StartupType Disabled "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-Service -Name "WMPNetworkSvc" -StartupType Disabled Set-MpPreference -DisableRealtimeMonitoring $true"
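The process list above shows the batch doing more than power tuning: it sets five services to Disabled (wuauserv, Spooler, RemoteRegistry, Superfetch, WMPNetworkSvc), deletes every Win32_StartupCommand entry, turns off hibernation, runs findstr /b ::: against its own path (which prints only the lines beginning with `:::`, a common way for a .bat to carry embedded data; what those lines hold is not shown in this report), and on its last PowerShell line tries Set-MpPreference -DisableRealtimeMonitoring $true. Two practitioner caveats on that last line: as captured, there is no `;` or newline before Set-MpPreference, so PowerShell treats it as a stray argument of Set-Service, parameter binding fails, and the Defender change never executes; and even when separated correctly, Set-MpPreference -DisableRealtimeMonitoring is ignored while Defender Tamper Protection is on. The intent is still worth flagging. The script below is an added example, not part of the sandbox report or of the analysed file: it classifies captured command lines into those behaviours and detects the broken-statement case. Category names, severities and the stray-cmdlet heuristic are the example's own; the sample lines are copied from the process list.

```python
"""Added triage helper (not part of the sandbox report): classifies captured
process command lines into the defence-impairing behaviours seen above.
Category names, severities and the stray-cmdlet heuristic are this example's
own labels, not the report's signature names."""
import re

# Constructed sample: command lines copied from the behavioral1 process list.
SAMPLE_CMDLINES = [
    "powercfg /setacvalueindex scheme_max sub_processor clock_speed 100",
    "powercfg -h off",
    'C:\\Windows\\system32\\cmd.exe /c findstr /b ::: "C:\\Users\\Admin\\AppData\\Local\\Temp\\Octo Free Tweaking Utility V1.0.bat"',
    'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f',
    'powershell -Command "Get-CimInstance -ClassName Win32_StartupCommand | Remove-CimInstance"',
    'powershell -Command "Set-Service -Name "wuauserv" -StartupType Disabled # Windows Update Service"',
    'powershell -Command "Set-Service -Name "Spooler" -StartupType Disabled # Print Spooler"',
    'powershell -Command "Set-Service -Name "RemoteRegistry" -StartupType Disabled"',
    'powershell -Command "Set-Service -Name "Superfetch" -StartupType Disabled "',
    'powershell -Command "Set-Service -Name "WMPNetworkSvc" -StartupType Disabled Set-MpPreference -DisableRealtimeMonitoring $true"',
]

# (category, severity, regex); matched case-insensitively against the whole line.
RULES = [
    ("defender_realtime_off", "high", r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true"),
    ("startup_entries_wiped", "high", r"Win32_StartupCommand\b.*\|\s*Remove-CimInstance"),
    ("service_disabled", "medium", r"Set-Service\b.*-StartupType\s+Disabled"),
    ("hibernation_off", "low", r"\bpowercfg(?:\.exe)?\s+-h\s+off\b"),
    ("power_scheme_tweak", "low", r"\bpowercfg(?:\.exe)?\s+/set(?:ac|dc)valueindex\b"),
    ("content_delivery_reg", "low", r"\breg(?:\.exe)?\s+add\s+\"?HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ContentDeliveryManager"),
    ("batch_reads_itself", "info", r"\bfindstr(?:\.exe)?\s+/b\s+:::\s+.*\.bat"),
]
COMPILED = [(cat, sev, re.compile(pat, re.IGNORECASE)) for cat, sev, pat in RULES]

# A Verb-Noun token not glued to a preceding '-' or word character (so not a parameter).
CMDLET = re.compile(r"(?<![-\w])[A-Z][a-z]+-[A-Z][A-Za-z]+\b")


def powershell_payload(cmdline):
    """Text after `-Command` with one layer of outer quotes removed; None otherwise."""
    m = re.search(r"-Command\s+(.*)$", cmdline, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    payload = m.group(1).strip()
    if len(payload) >= 2 and payload[0] == '"' and payload[-1] == '"':
        payload = payload[1:-1]
    return payload


def triage(cmdline):
    """(category, severity) pairs whose pattern matches the line."""
    return [(cat, sev) for cat, sev, rx in COMPILED if rx.search(cmdline)]


def has_stray_cmdlet(cmdline):
    """True when one PowerShell statement holds two cmdlet-looking tokens with no
    `;` or `|` between them (comment tails after `#` are ignored). PowerShell
    binds the second token as an argument of the first, so parameter binding
    fails and the second cmdlet never runs; the intent is still worth flagging."""
    payload = powershell_payload(cmdline)
    if payload is None:
        return False
    for stmt in re.split(r"[;|]", payload):
        if len(CMDLET.findall(stmt.split("#", 1)[0])) > 1:
            return True
    return False


def disabled_services(cmdlines):
    """Service names passed to `Set-Service -Name ... -StartupType Disabled`."""
    names = set()
    for line in cmdlines:
        payload = powershell_payload(line) or ""
        for m in re.finditer(r'Set-Service\s+-Name\s+"?([\w.-]+)"?\s+-StartupType\s+Disabled',
                             payload, re.IGNORECASE):
            names.add(m.group(1))
    return names


def summarize(cmdlines):
    """Map each category to the lines that triggered it, plus likely-failed statements."""
    report = {}
    for line in cmdlines:
        for cat, _sev in triage(line):
            report.setdefault(cat, []).append(line)
        if has_stray_cmdlet(line):
            report.setdefault("stray_cmdlet_likely_failed", []).append(line)
    return report


if __name__ == "__main__":
    for cat, lines in sorted(summarize(SAMPLE_CMDLINES).items()):
        print(f"{cat}: {len(lines)} line(s)")
    print("services set to Disabled:", sorted(disabled_services(SAMPLE_CMDLINES)))
```

Run as-is it reports one hit each for the Defender, startup-wipe, hibernation, power-scheme, registry and findstr categories, five service_disabled hits, and flags the WMPNetworkSvc line as a stray-cmdlet statement. The regexes are deliberately anchored on the cmdlet and parameter names rather than on quoting, because the captured lines carry the batch's own unbalanced quotes (`"Set-Service -Name "wuauserv" ..."`), which a quote-aware parser would reject.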
Network
Files
memory/2332-0-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2332-14-0x0000000000140000-0x0000000000141000-memory.dmp
memory/1880-19-0x000000001B5A0000-0x000000001B882000-memory.dmp
memory/1880-20-0x0000000002000000-0x0000000002008000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | ce36a2f713da848eaba3779dfe6b489c |
| SHA1 | 795bf16651611f67950dcf917b321cd452ac7392 |
| SHA256 | 9db989accc8b0431f074bf6147a091662518d882ca4871f40dd2176de4362caf |
| SHA512 | ed51ac72fe95e8719dbbd8f4ee4f3cf66ce8ac33c9133e134c4563eba27f6b36dbd4de162632210f4654d3897742935bf02fa2f1b84d6a3a8410906b96d32bd3 |
memory/2996-26-0x000000001B590000-0x000000001B872000-memory.dmp
memory/2996-27-0x0000000001F00000-0x0000000001F08000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 21:38
Reported
2024-11-09 21:39
Platform
win10v2004-20241007-en
Max time kernel
71s
Max time network
80s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\BANNERNOTIFICATIONHANDLER.BANNERNOTIFICATIONHANDLER\CLSID | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{1B7AED4F-FCAF-4DA4-8795-C03E635D8EDC}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\FILESYNCCLIENT.AUTOPLAYHANDLER\CURVER | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\PROGID | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{0D4E4444-CB20-4C2B-B8B2-94E5656ECAE8}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\LOCALSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\VERSIONINDEPENDENTPROGID | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\FileSyncClient.FileSyncClient | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\WIN32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\PROGID | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\ODOPEN\DEFAULTICON | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{AF60000F-661D-472A-9588-F062F6DB7A0E}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\FILESYNCCLIENT.AUTOPLAYHANDLER\CLSID | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{DA82E55E-FA2F-45B3-AEC3-E7294106EF52}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\FileSyncClient.AutoPlayHandler | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
C:\Windows\SysWOW64\OneDriveSetup.exe
C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /cusid:S-1-5-21-3227495264-2217614367-4027411560-1000
C:\Windows\SysWOW64\OneDriveSetup.exe
C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.129.74.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.197.219.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp1B05.tmp
| MD5 | bd2866356868563bd9d92d902cf9cc5a |
| SHA1 | c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b |
| SHA256 | 6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb |
| SHA512 | 5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27 |