Analysis
max time kernel: 66s
max time network: 67s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 01-12-2024 02:19
Static task: static1
Behavioral task: behavioral1
  Sample: AUNova.rar
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: AUNova.rar
  Resource: win10v2004-20241007-en
General
Target: AUNova.rar
Size: 2.1MB
MD5: 90dd7f74a902efa9b2a18d4f5c8a99b0
SHA1: 303dc3b169794f804e0c2f793c4ba87d17fc332c
SHA256: d527b83bd8a873e5087fc2ddb34ebaa5128ff02d418d75448a59b87cbe1f4e13
SHA512: 1abd3a572ea784f25f2a3224177c9660da25784b3cf53561a6549009aae19c4977cc8e097a44ff0405962a63df2ea7f47a63418c69f585a6a84cf68694bd9e6b
SSDEEP: 49152:S/j/Elbkphy1iCPIziZNQ8Hq3B9kjm+Qz1gV9:Ej/Sz1xwziZC8KRWV9
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 193.161.193.99:53757
Mutex: hsaurcrgqwhjimnkbht
Attributes:
  delay: 1
  install: true
  install_file: Load.exe
  install_folder: %AppData%
Signatures
Asyncrat family
Xmrig family

Async RAT payload (1 IoC)
  resource: behavioral1/files/0x0007000000016ca0-23.dat    yara_rule: family_asyncrat

XMRig Miner payload (7 IoCs)
  yara_rule xmrig matched in seven memory dumps of PID 2432, all covering the region 0x0000000140000000-0x0000000140835000:
  behavioral1/memory/2432-<seq>-0x0000000140000000-0x0000000140835000-memory.dmp for seq = 90, 89, 92, 94, 97, 96, 95

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  PID 1480 powershell.exe
  PID 2684 powershell.exe

Creates new service(s) (2 TTPs)

Executes dropped EXE (9 IoCs)
  PID 2692 AUNova.exe
  PID 2612 AU.exe
  PID 2752 Load.exe
  PID 2000 Load.exe
  PID 1792 AUNova.exe
  PID 2036 AU.exe
  PID 1628 Load.exe
  PID 472 (no image name in the export)
  PID 1848 iyjrynjkzgum.exe

Loads dropped DLL (5 IoCs)
  PID 2692 AUNova.exe (2 loads)
  PID 1792 AUNova.exe (2 loads)
  PID 472 (no image name in the export)

Power Settings (1 TTP, 8 IoCs)
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  powercfg.exe PIDs: 3016, 2416, 2184, 2388, 1916, 1312, 3004, 2664

Drops file in System32 directory (4 IoCs)
  File opened for modification: C:\Windows\system32\MRT.exe (AU.exe)
  File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
  File opened for modification: C:\Windows\system32\MRT.exe (iyjrynjkzgum.exe)
  File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
  MRT.exe is the Malicious Software Removal Tool binary; opening it for modification fits the wusa /uninstall /kb:890830 step in the process tree, which removes the same tool. The %ProgramData% path is recorded literally (unexpanded) by the sandbox.

Suspicious use of SetThreadContext (2 IoCs)
  PID 1848 iyjrynjkzgum.exe set thread context of PID 1476 (procid_target 95)
  PID 1848 iyjrynjkzgum.exe set thread context of PID 2432 (procid_target 99)

Memory dumps matching yara_rule upx (12 IoCs)
  behavioral1/memory/2432-<seq>-0x0000000140000000-0x0000000140835000-memory.dmp for seq = 87, 85, 84, 90, 89, 88, 86, 92, 94, 97, 96, 95
  Same PID and region as the xmrig hits above: the injected miner image is UPX-packed.

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\wusa.lock (wusa.exe)
  File created: C:\Windows\wusa.lock (wusa.exe)

Launches sc.exe (14 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  sc.exe PIDs: 1824, 828, 1468, 2332, 2040, 532, 680, 1756, 2392, 1984, 1776, 1560, 1348, 2024

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  PID 1188 timeout.exe

Modifies data under HKEY_USERS (2 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0b61dad9743db01 (powershell.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (54 IoCs)
  PID 2192 7zFM.exe (11)
  PID 2752 Load.exe (3)
  PID 2000 Load.exe (7)
  PID 2612 AU.exe (15)
  PID 1480 powershell.exe (1)
  PID 1848 iyjrynjkzgum.exe (13)
  PID 2684 powershell.exe (1)
  PID 2432 explorer.exe (3)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2192 7zFM.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  SeRestorePrivilege: 2192 7zFM.exe
  Token 35: 2192 7zFM.exe
  SeSecurityPrivilege: 2192 7zFM.exe (2 occurrences)
  SeDebugPrivilege: 2752 Load.exe, 2000 Load.exe, 1628 Load.exe, 1480 powershell.exe, 2684 powershell.exe
  SeShutdownPrivilege: 1312, 2184, 1916, 2388, 2664, 2416, 3016, 3004 (all powercfg.exe)
  SeLockMemoryPrivilege: 2432 explorer.exe
  SeLockMemoryPrivilege is what XMRig requests to use large pages; a genuine explorer.exe has no reason to enable it, so this corroborates the xmrig hits in PID 2432's memory.

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 2192 7zFM.exe (3 occurrences)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2000 Load.exe

Suspicious use of WriteProcessMemory (53 IoCs)
  source PID (image) -> target PID (procid_target), number of writes
  2192 7zFM.exe -> 2692 (30), 3
  2692 AUNova.exe -> 2612 (31), 3
  2692 AUNova.exe -> 2752 (32), 3
  2752 Load.exe -> 3060 (33), 3
  2752 Load.exe -> 1532 (35), 3
  3060 cmd.exe -> 2140 (37), 3
  1532 cmd.exe -> 1188 (38), 3
  1532 cmd.exe -> 2000 (39), 3
  2192 7zFM.exe -> 1792 (40), 3
  1792 AUNova.exe -> 2036 (43), 3
  1792 AUNova.exe -> 1628 (44), 3
  1908 cmd.exe -> 1372 (51), 3
  1760 cmd.exe -> 552 (81), 3
  1848 iyjrynjkzgum.exe -> 1476 (95), 9
  1848 iyjrynjkzgum.exe -> 2432 (99), 5
  The three-write pattern is what every parent/child launch in this run produces; the 1848 -> 1476 and 1848 -> 2432 edges are the ones that also appear under SetThreadContext, which is the injection signature.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
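The SetThreadContext, WriteProcessMemory and YARA tables above can be correlated mechanically to name the injection chain instead of reading three tables by hand. The Python below is an added example and is not part of the sandbox export: RECORDS and YARA_HITS are constructed from the rows above (the repeated "wrote to memory" rows are collapsed to one per edge), PROCESSES is taken from the process tree, and the line grammar it parses is an assumption based on how those tables read.

```python
"""Correlate SetThreadContext / WriteProcessMemory / YARA rows into injection chains.

Added example; not part of the sandbox export. RECORDS and YARA_HITS are constructed
from the signature tables in this report; the row grammar below is an assumption.
"""
import re
from collections import defaultdict

# pid -> image, taken from the process tree in this report
PROCESSES = {2192: "7zFM.exe", 2692: "AUNova.exe", 1848: "iyjrynjkzgum.exe",
             1476: "conhost.exe", 2432: "explorer.exe"}

# "PID <src> (set thread context of|wrote to memory of) <dst> <src> <image> <procid_target>"
RECORD = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ \S+ \d+")
# "behavioral1/memory/<pid>-<seq>-<start>-<end>-memory.dmp <rule>"
YARA = re.compile(r"behavioral1/memory/(\d+)-\d+-(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)-memory\.dmp (\w+)")

RECORDS = [  # constructed from the report; one row per (source, target, api)
    "PID 1848 set thread context of 1476 1848 iyjrynjkzgum.exe 95",
    "PID 1848 set thread context of 2432 1848 iyjrynjkzgum.exe 99",
    "PID 2192 wrote to memory of 2692 2192 7zFM.exe 30",
    "PID 1848 wrote to memory of 1476 1848 iyjrynjkzgum.exe 95",
    "PID 1848 wrote to memory of 2432 1848 iyjrynjkzgum.exe 99",
]
YARA_HITS = [  # constructed from the report; one row per rule is enough
    "behavioral1/memory/2432-90-0x0000000140000000-0x0000000140835000-memory.dmp xmrig",
    "behavioral1/memory/2432-87-0x0000000140000000-0x0000000140835000-memory.dmp upx",
]


def parse_records(lines):
    """{(source_pid, target_pid): {api, ...}} from the SetThreadContext/WriteProcessMemory rows."""
    edges = defaultdict(set)
    for line in lines:
        m = RECORD.match(line)
        if m:
            src, api, dst = int(m.group(1)), m.group(2), int(m.group(3))
            edges[(src, dst)].add("SetThreadContext" if api.startswith("set") else "WriteProcessMemory")
    return edges


def parse_yara(lines):
    """{pid: {rule: (region_start, region_end)}} from the memory-dump YARA rows."""
    hits = defaultdict(dict)
    for line in lines:
        m = YARA.match(line)
        if m:
            hits[int(m.group(1))][m.group(4).lower()] = (int(m.group(2), 16), int(m.group(3), 16))
    return hits


def injection_chains(records, yara_lines, processes):
    """A target that received BOTH WriteProcessMemory and SetThreadContext from one source is
    a hollowing/injection candidate. Plain parent->child writes (7zFM.exe -> AUNova.exe here)
    lack the SetThreadContext half and are left out."""
    edges, hits = parse_records(records), parse_yara(yara_lines)
    chains = []
    for (src, dst), apis in sorted(edges.items()):
        if {"SetThreadContext", "WriteProcessMemory"} <= apis:
            rules = hits.get(dst, {})
            chains.append({
                "source": f"{src} {processes.get(src, '?')}",
                "target": f"{dst} {processes.get(dst, '?')}",
                "families": sorted(r for r in rules if r != "upx"),  # upx is a packer, not a family
                "packed": "upx" in rules,
                "region": next(iter(rules.values()), None),
            })
    return chains


if __name__ == "__main__":
    for c in injection_chains(RECORDS, YARA_HITS, PROCESSES):
        region = c["region"] and f"{c['region'][0]:#x}-{c['region'][1]:#x}"
        print(f"{c['source']} -> {c['target']}: families={c['families']} upx={c['packed']} region={region}")
```

Run against the rows above it reports two chains from 1848 iyjrynjkzgum.exe: one into 1476 conhost.exe with no family match (a decoy or helper hollow), and one into 2432 explorer.exe carrying a UPX-packed xmrig image at 0x140000000-0x140835000. 0x140000000 is the default preferred image base of a 64-bit PE, which is consistent with a PE being manually mapped into explorer.exe rather than loaded from disk; the SeLockMemoryPrivilege request by PID 2432 in the AdjustPrivilegeToken table is the second independent tell.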
Processes
[1] C:\Program Files\7-Zip\7zFM.exe
    cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AUNova.rar"
    PID 2192
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7zO098D2437\AUNova.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zO098D2437\AUNova.exe"
      PID 2692
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\AU.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\AU.exe"
        PID 2612
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          PID 1480
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          PID 1908
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\wusa.exe
            cmdline: wusa /uninstall /kb:890830 /quiet /norestart
            PID 1372
            - Drops file in Windows directory
      [4] C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop UsoSvc
          PID 532
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
          PID 1824
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop wuauserv
          PID 828
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop bits
          PID 2392
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop dosvc
          PID 1984
          - Launches sc.exe
      [4] C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          PID 2184
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          PID 1312
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          PID 2388
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          PID 1916
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe delete "svchost.exe"
          PID 1468
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe create "svchost.exe" binpath= "C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe" start= "auto"
          PID 1560
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop eventlog
          PID 680
          - Launches sc.exe
      [4] C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe start "svchost.exe"
          PID 1776
          - Launches sc.exe
    [3] C:\Users\Admin\AppData\Local\Temp\Load.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        PID 2752
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
          PID 3060
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
            PID 2140
            - Scheduled Task/Job: Scheduled Task
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB490.tmp.bat""
          PID 1532
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\timeout.exe
            cmdline: timeout 3
            PID 1188
            - Delays execution with timeout.exe
        [5] C:\Users\Admin\AppData\Roaming\Load.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\Load.exe"
            PID 2000
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\AppData\Local\Temp\7zO098970F7\AUNova.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zO098970F7\AUNova.exe"
      PID 1792
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\AU.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\AU.exe"
        PID 2036
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Load.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        PID 1628
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
[1] C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe
    cmdline: C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe
    PID 1848
    (started by the Service Control Manager as the "svchost.exe" service created above, hence a separate root)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      PID 2684
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      PID 1760
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\wusa.exe
        cmdline: wusa /uninstall /kb:890830 /quiet /norestart
        PID 552
        - Drops file in Windows directory
  [2] C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop UsoSvc
      PID 1756
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      PID 1348
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop wuauserv
      PID 2024
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop bits
      PID 2332
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop dosvc
      PID 2040
      - Launches sc.exe
  [2] C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      PID 3004
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      PID 2416
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      PID 3016
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      PID 2664
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\conhost.exe
      cmdline: C:\Windows\system32\conhost.exe
      PID 1476
  [2] C:\Windows\explorer.exe
      cmdline: explorer.exe
      PID 2432
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
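Each command line in the tree above is detectable on its own, but the combination (Defender exclusions, MSRT removal, Windows Update and Event Log services stopped, power timeouts zeroed, a service named "svchost.exe" pointing into ProgramData, a highest-privilege logon task) is what identifies this loader with confidence. The Python below is an added example, not part of the report or of any vendor tooling: EVENTS is constructed from the command lines above in a minimal (pid, image, cmdline) shape loosely modelled on Sysmon Event ID 1 (an assumption), and the rule names and ATT&CK ids are this example's own choices.

```python
"""Detection logic for the defence-evasion and persistence commands in this report.

Added example; not part of the sandbox export. EVENTS is constructed from the
command lines in the process tree above; the event shape (pid, image, cmdline)
is an assumption loosely modelled on Sysmon Event ID 1.
"""
import re

# Services the sample stops: Windows Update stack, BITS, Delivery Optimization, Event Log.
PROTECTED_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc", "eventlog"}
# A service *named* after a Windows binary is masquerading; no legitimate service is.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# (rule, ATT&CK id, regex); every regex is applied to the lower-cased command line.
RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"add-mppreference\b.*-exclusion(?:path|extension|process)")),
    # KB890830 is the Malicious Software Removal Tool.
    ("msrt_uninstalled", "T1562.001",
     re.compile(r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b")),
    ("power_timeouts_disabled", "T1653",
     re.compile(r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b")),
    ("logon_task_highest_rl", "T1053.005",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b(?=.*\s/sc\s+onlogon\b)(?=.*\s/rl\s+highest\b)")),
]
SC_STOP = re.compile(r'\bsc(?:\.exe)?\s+stop\s+"?([\w.-]+)"?')
SC_VERB = re.compile(r'\bsc(?:\.exe)?\s+(create|delete)\s+"?([^"\s]+)"?')
BINPATH = re.compile(r'binpath=\s*(?:"([^"]+)"|(\S+))')


def detect(event):
    """Return [(rule, attack_id), ...] for one process-creation event."""
    cmd = event["cmdline"].lower()
    hits = [(rule, tid) for rule, tid, rx in RULES if rx.search(cmd)]

    m = SC_STOP.search(cmd)
    if m and m.group(1) in PROTECTED_SERVICES:
        hits.append(("protected_service_stopped", "T1562.001"))

    m = SC_VERB.search(cmd)
    if m:
        verb, name = m.groups()
        if name in MASQUERADE_NAMES:
            hits.append(("service_name_masquerade", "T1036.005"))
        b = BINPATH.search(cmd)
        if verb == "create" and b:
            binpath = (b.group(1) or b.group(2)).strip()
            if not binpath.startswith(SYSTEM_DIRS):  # service binary outside system32/syswow64
                hits.append(("service_binpath_outside_system32", "T1543.003"))
    return hits


def triage(events):
    """Apply detect() to every event; findings sorted by pid, then rule."""
    findings = [{"pid": ev["pid"], "image": ev["image"], "rule": rule, "attack": tid}
                for ev in events for rule, tid in detect(ev)]
    return sorted(findings, key=lambda f: (f["pid"], f["rule"]))


def technique_count(findings):
    """Distinct ATT&CK techniques tripped. One powercfg or sc stop is admin noise; this
    sample trips five techniques from a single parent chain, which is the real signal."""
    return len({f["attack"] for f in findings})


# Constructed from the process tree in this report (both loader instances issue the
# same commands, so one copy of each is enough; 7zFM.exe and timeout.exe are controls).
EVENTS = [
    {"pid": 2192, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AUNova.rar"'},
    {"pid": 1480, "image": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
                r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"},
    {"pid": 1372, "image": r"C:\Windows\system32\wusa.exe", "cmdline": "wusa /uninstall /kb:890830 /quiet /norestart"},
    {"pid": 532, "image": r"C:\Windows\system32\sc.exe", "cmdline": r"C:\Windows\system32\sc.exe stop UsoSvc"},
    {"pid": 680, "image": r"C:\Windows\system32\sc.exe", "cmdline": r"C:\Windows\system32\sc.exe stop eventlog"},
    {"pid": 2184, "image": r"C:\Windows\system32\powercfg.exe",
     "cmdline": r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"},
    {"pid": 1468, "image": r"C:\Windows\system32\sc.exe", "cmdline": r'C:\Windows\system32\sc.exe delete "svchost.exe"'},
    {"pid": 1560, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r'C:\Windows\system32\sc.exe create "svchost.exe" binpath= "C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe" start= "auto"'},
    {"pid": 2140, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'"""},
    {"pid": 1188, "image": r"C:\Windows\system32\timeout.exe", "cmdline": "timeout 3"},
]

if __name__ == "__main__":
    fs = triage(EVENTS)
    for f in fs:
        print(f"{f['pid']:>5}  {f['attack']:<10} {f['rule']:<34} {f['image']}")
    print("distinct techniques:", technique_count(fs))
```

On the constructed events this yields nine findings across five techniques; the control events (7zFM.exe, timeout 3) and a legitimate sc create with a System32 binpath produce nothing. The two lines worth pinning individually in a SIEM are sc stop eventlog and wusa /uninstall /kb:890830: neither has a routine administrative use, and the second matches the MRT.exe modification recorded under "Drops file in System32 directory".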
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (2)
    Service Execution (2)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Power Settings (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
- Filesize: 2.1MB
  MD5: 3d37da85a895fc9dc6abb3885041d9ef
  SHA1: a80e01133d9a0fe9f4675bd127d46c9a283cdab3
  SHA256: fc5945aa217c7a8eca8d501693d491f5efdf88c629ab5758369db1ee6967517a
  SHA512: 27e9f0c5da0f3fa05219d607de1816b3e4193f7a742e8ec41b9633653de4f020000ea1e97d000458694c82e9c58bd4583c495c4ec513b1a483b2c64b623ca413
- Filesize: 74KB
  MD5: 4fc5086bcb8939429aea99f7322e619b
  SHA1: 8d3bd7d005710a8ae0bd0143d18b437be20018d7
  SHA256: e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd
  SHA512: 04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2
- Filesize: 148B
  MD5: 5c1f0bc2a48e438a9d9b86a1d4344386
  SHA1: 27619fcb451062b9307659cdc0521d888966abbb
  SHA256: a0400938956f5eb0dcdf90b4f5dea08f800429b02c1ac3ec04f5e31e1946dc83
  SHA512: 848fffa00d88a0e9594f70d84e99e9336db03a310f43a0490fa7e565507223c277892289681bfe1feb8f0ee1249785c8ae0b051b3ad17bf636448e50aa7a34de
- Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
- Filesize: 2.5MB
  MD5: f81ff7313709cb4a94d7063aebe28410
  SHA1: e85f7f1c21ad801d04dadaa3a52c3dae0120838a
  SHA256: 55b9842f81f3d83e47e72cff32f4ec903c9a06bd60ea631be3d6c463fcb457f8
  SHA512: dc65acc20940e57799546a5e55ebec6ca8f57a1dc0033a4ef892a13991516e5cebe307bc73e3c98d7060eb352d043764fe5c2a6b94ea71b2d0c55d4e97930474