Analysis

max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2024, 06:05

Static task: static1
Behavioral task: behavioral1
Sample: 837e6ace8d5784aa949990fe0f5a9007ce28ad61c71edfdbbeaff01f9cc61299.exe
Resource: win7-20240903-en
General

Target: 837e6ace8d5784aa949990fe0f5a9007ce28ad61c71edfdbbeaff01f9cc61299.exe
Size: 5.6MB
MD5: f6ea2c58c222b7055773879d3a3e946b
SHA1: a6b6cc43cf7ad67b3d6430b820514bf3a61ddb21
SHA256: 837e6ace8d5784aa949990fe0f5a9007ce28ad61c71edfdbbeaff01f9cc61299
SHA512: b800ef8e4df9b0484308c922e1b3abadbd7af961350863f1ed9bd9053b76b242d8fa0faa5a59cbda0c7cab3c8fd337d8a11f1f40553baa26430a19d6b9796d67
SSDEEP: 98304:KggSZTFznDHwE8oohoIgNgx+r3P4jw4fn9E32RW0O2gT/gQGhP3oFL6p4kvDZ/HF:DgSZJznDHMo+JgNgx+r3P+e32BO2gjg5
Malware Config
Signatures

Xmrig family

XMRig Miner payload (11 IoCs)
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid   Process
764   powershell.exe
3280  powershell.exe
Creates new service(s) (2 TTPs)

Executes dropped EXE (1 IoC)
pid   Process
2988  fqwofdtexigy.exe
Power Settings (1 TTP, 8 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid   Process
1228  powercfg.exe
1328  powercfg.exe
3604  powercfg.exe
1324  powercfg.exe
4380  powercfg.exe
5084  powercfg.exe
1256  powercfg.exe
3944  powercfg.exe
Drops file in System32 directory (4 IoCs)
File opened for modification: C:\Windows\system32\MRT.exe (fqwofdtexigy.exe)
File opened for modification: C:\Windows\system32\MRT.exe (837e6ace8d5784aa949990fe0f5a9007ce28ad61c71edfdbbeaff01f9cc61299.exe)
File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
Suspicious use of SetThreadContext (2 IoCs)
description                          pid   Process           procid_target
PID 2988 set thread context of 540   2988  fqwofdtexigy.exe  140
PID 2988 set thread context of 2020  2988  fqwofdtexigy.exe  143
Launches sc.exe (14 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid   Process
4592  sc.exe
4304  sc.exe
2896  sc.exe
4464  sc.exe
4744  sc.exe
4332  sc.exe
4192  sc.exe
404   sc.exe
848   sc.exe
4856  sc.exe
3952  sc.exe
1496  sc.exe
628   sc.exe
3888  sc.exe
Modifies data under HKEY_USERS (46 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
description                       pid   Process
Token: SeDebugPrivilege           764   powershell.exe
Token: SeShutdownPrivilege        1256  powercfg.exe
Token: SeCreatePagefilePrivilege  1256  powercfg.exe
Token: SeShutdownPrivilege        1324  powercfg.exe
Token: SeCreatePagefilePrivilege  1324  powercfg.exe
Token: SeShutdownPrivilege        5084  powercfg.exe
Token: SeCreatePagefilePrivilege  5084  powercfg.exe
Token: SeShutdownPrivilege        4380  powercfg.exe
Token: SeCreatePagefilePrivilege  4380  powercfg.exe
Token: SeDebugPrivilege           3280  powershell.exe
Token: SeShutdownPrivilege        1328  powercfg.exe
Token: SeCreatePagefilePrivilege  1328  powercfg.exe
Token: SeShutdownPrivilege        3944  powercfg.exe
Token: SeCreatePagefilePrivilege  3944  powercfg.exe
Token: SeShutdownPrivilege        1228  powercfg.exe
Token: SeCreatePagefilePrivilege  1228  powercfg.exe
Token: SeShutdownPrivilege        3604  powercfg.exe
Token: SeCreatePagefilePrivilege  3604  powercfg.exe
Token: SeLockMemoryPrivilege      2020  nslookup.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description                       pid   Process           procid_target
PID 1988 wrote to memory of 812   1988  cmd.exe           94
PID 1988 wrote to memory of 812   1988  cmd.exe           94
PID 2984 wrote to memory of 2252  2984  cmd.exe           120
PID 2984 wrote to memory of 2252  2984  cmd.exe           120
PID 676 wrote to memory of 1464   676   cmd.exe           127
PID 676 wrote to memory of 1464   676   cmd.exe           127
PID 2988 wrote to memory of 540   2988  fqwofdtexigy.exe  140
PID 2988 wrote to memory of 540   2988  fqwofdtexigy.exe  140
PID 2988 wrote to memory of 540   2988  fqwofdtexigy.exe  140
PID 2988 wrote to memory of 540   2988  fqwofdtexigy.exe  140
PID 2988 wrote to memory of 540   2988  fqwofdtexigy.exe  140
PID 2988 wrote to memory of 540   2988  fqwofdtexigy.exe  140
PID 2988 wrote to memory of 540   2988  fqwofdtexigy.exe  140
PID 2988 wrote to memory of 540   2988  fqwofdtexigy.exe  140
PID 2988 wrote to memory of 540   2988  fqwofdtexigy.exe  140
PID 2988 wrote to memory of 2020  2988  fqwofdtexigy.exe  143
PID 2988 wrote to memory of 2020  2988  fqwofdtexigy.exe  143
PID 2988 wrote to memory of 2020  2988  fqwofdtexigy.exe  143
PID 2988 wrote to memory of 2020  2988  fqwofdtexigy.exe  143
PID 2988 wrote to memory of 2020  2988  fqwofdtexigy.exe  143
Processes
(indentation reflects the parent/child relationship in the process tree)

C:\Users\Admin\AppData\Local\Temp\837e6ace8d5784aa949990fe0f5a9007ce28ad61c71edfdbbeaff01f9cc61299.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\837e6ace8d5784aa949990fe0f5a9007ce28ad61c71edfdbbeaff01f9cc61299.exe"
  PID: 1408
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      PID: 764
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      PID: 1988
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wusa.exe
          Command line: wusa /uninstall /kb:890830 /quiet /norestart
          PID: 812

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop UsoSvc
      PID: 2896
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      PID: 4464
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wuauserv
      PID: 3952
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop bits
      PID: 4192
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop dosvc
      PID: 404
      - Launches sc.exe

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      PID: 1324
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      PID: 1256
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      PID: 5084
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      PID: 4380
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe delete "JVNIRHNX"
      PID: 1496
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe create "JVNIRHNX" binpath= "C:\ProgramData\xhzmmmxzrrwn\fqwofdtexigy.exe" start= "auto"
      PID: 628
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop eventlog
      PID: 3888
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe start "JVNIRHNX"
      PID: 4744
      - Launches sc.exe

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\837e6ace8d5784aa949990fe0f5a9007ce28ad61c71edfdbbeaff01f9cc61299.exe"
      PID: 2984
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\choice.exe
          Command line: choice /C Y /N /D Y /T 3
          PID: 2252

C:\ProgramData\xhzmmmxzrrwn\fqwofdtexigy.exe
  Command line: C:\ProgramData\xhzmmmxzrrwn\fqwofdtexigy.exe
  PID: 2988
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      PID: 3280
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      PID: 676
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wusa.exe
          Command line: wusa /uninstall /kb:890830 /quiet /norestart
          PID: 1464

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop UsoSvc
      PID: 848
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      PID: 4592
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wuauserv
      PID: 4856
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop bits
      PID: 4332
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop dosvc
      PID: 4304
      - Launches sc.exe

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      PID: 3944
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      PID: 1228
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      PID: 1328
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      PID: 3604
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\conhost.exe
      Command line: C:\Windows\system32\conhost.exe
      PID: 540

    C:\Windows\system32\nslookup.exe
      Command line: nslookup.exe
      PID: 2020
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82