21839f4ec2923aa633308b200c09274ae2c95eefbe299773465b2c166d0a86d8

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28/12/2024, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ToDesktop.cmd
Size

684KB
MD5

52b5501b026b03fe4fc4533cb6f7cd3a
SHA1

b177e20cfbc5e076b5c310b8b084fe948c30868b
SHA256

21839f4ec2923aa633308b200c09274ae2c95eefbe299773465b2c166d0a86d8
SHA512

c7c4212ff30adfc86ebfb0deca1d75cf0699cc8f6f35f02f04cc864b96ce81fe7fc6e5e242bef93204ac13f354595ca24389cfc67334dde50dd8da5b5eb4173e
SSDEEP

768:D6bmSOwlbi8bI9DEAUBovpoNw0MI9m9JVSPyqKvPBdM6MZchEwyiLNM7DEE3Qjzg:XSIW

Score

9^/10

evasion persistence privilege_escalation ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4872	bcdedit.exe
2468	bcdedit.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1548	netsh.exe
796	netsh.exe

Power Settings 1 TTPs 47 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3476	powercfg.exe
3088	powercfg.exe
4344	powercfg.exe
2128	powercfg.exe
572	powercfg.exe
3360	powercfg.exe
2408	powercfg.exe
960	powercfg.exe
4424	powercfg.exe
1596	powercfg.exe
4516	powercfg.exe
1208	powercfg.exe
3528	powercfg.exe
4468	powercfg.exe
3016	powercfg.exe
5080	powercfg.exe
1196	powercfg.exe
3156	powercfg.exe
4064	powercfg.exe
1316	powercfg.exe
1096	powercfg.exe
4476	powercfg.exe
3804	powercfg.exe
1468	powercfg.exe
4884	powercfg.exe
2136	powercfg.exe
1872	powercfg.exe
768	powercfg.exe
3388	powercfg.exe
4628	powercfg.exe
492	powercfg.exe
1296	powercfg.exe
2804	powercfg.exe
3196	powercfg.exe
1956	powercfg.exe
4536	powercfg.exe
3724	powercfg.exe
4772	powercfg.exe
3628	powercfg.exe
4080	powercfg.exe
3748	powercfg.exe
2196	powercfg.exe
3520	powercfg.exe
3120	powercfg.exe
4416	powercfg.exe
4932	powercfg.exe
4624	powercfg.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Library Location	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Sharing	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	960	powercfg.exe
Token: SeCreatePagefilePrivilege	960	powercfg.exe
Token: SeShutdownPrivilege	960	powercfg.exe
Token: SeCreatePagefilePrivilege	960	powercfg.exe
Token: SeShutdownPrivilege	2128	powercfg.exe
Token: SeCreatePagefilePrivilege	2128	powercfg.exe
Token: SeShutdownPrivilege	4476	powercfg.exe
Token: SeCreatePagefilePrivilege	4476	powercfg.exe
Token: SeShutdownPrivilege	4772	powercfg.exe
Token: SeCreatePagefilePrivilege	4772	powercfg.exe
Token: SeShutdownPrivilege	4628	powercfg.exe
Token: SeCreatePagefilePrivilege	4628	powercfg.exe
Token: SeShutdownPrivilege	4932	powercfg.exe
Token: SeCreatePagefilePrivilege	4932	powercfg.exe
Token: SeShutdownPrivilege	3476	powercfg.exe
Token: SeCreatePagefilePrivilege	3476	powercfg.exe
Token: SeShutdownPrivilege	3628	powercfg.exe
Token: SeCreatePagefilePrivilege	3628	powercfg.exe
Token: SeShutdownPrivilege	3016	powercfg.exe
Token: SeCreatePagefilePrivilege	3016	powercfg.exe
Token: SeShutdownPrivilege	4424	powercfg.exe
Token: SeCreatePagefilePrivilege	4424	powercfg.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeShutdownPrivilege	1468	powercfg.exe
Token: SeCreatePagefilePrivilege	1468	powercfg.exe
Token: SeShutdownPrivilege	4080	powercfg.exe
Token: SeCreatePagefilePrivilege	4080	powercfg.exe
Token: SeShutdownPrivilege	1596	powercfg.exe
Token: SeCreatePagefilePrivilege	1596	powercfg.exe
Token: SeShutdownPrivilege	3088	powercfg.exe
Token: SeCreatePagefilePrivilege	3088	powercfg.exe
Token: SeShutdownPrivilege	4884	powercfg.exe
Token: SeCreatePagefilePrivilege	4884	powercfg.exe
Token: SeShutdownPrivilege	3748	powercfg.exe
Token: SeCreatePagefilePrivilege	3748	powercfg.exe
Token: SeShutdownPrivilege	2136	powercfg.exe
Token: SeCreatePagefilePrivilege	2136	powercfg.exe
Token: SeShutdownPrivilege	2196	powercfg.exe
Token: SeCreatePagefilePrivilege	2196	powercfg.exe
Token: SeShutdownPrivilege	492	powercfg.exe
Token: SeCreatePagefilePrivilege	492	powercfg.exe
Token: SeShutdownPrivilege	5080	powercfg.exe
Token: SeCreatePagefilePrivilege	5080	powercfg.exe
Token: SeShutdownPrivilege	4516	powercfg.exe
Token: SeCreatePagefilePrivilege	4516	powercfg.exe
Token: SeShutdownPrivilege	1296	powercfg.exe
Token: SeCreatePagefilePrivilege	1296	powercfg.exe
Token: SeShutdownPrivilege	1208	powercfg.exe
Token: SeCreatePagefilePrivilege	1208	powercfg.exe
Token: SeShutdownPrivilege	1872	powercfg.exe
Token: SeCreatePagefilePrivilege	1872	powercfg.exe
Token: SeShutdownPrivilege	3520	powercfg.exe
Token: SeCreatePagefilePrivilege	3520	powercfg.exe
Token: SeShutdownPrivilege	768	powercfg.exe
Token: SeCreatePagefilePrivilege	768	powercfg.exe
Token: SeShutdownPrivilege	1196	powercfg.exe
Token: SeCreatePagefilePrivilege	1196	powercfg.exe
Token: SeShutdownPrivilege	2804	powercfg.exe
Token: SeCreatePagefilePrivilege	2804	powercfg.exe
Token: SeShutdownPrivilege	3120	powercfg.exe
Token: SeCreatePagefilePrivilege	3120	powercfg.exe
Token: SeShutdownPrivilege	3156	powercfg.exe
Token: SeCreatePagefilePrivilege	3156	powercfg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1984	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1548	4092	cmd.exe	80
PID 4092 wrote to memory of 1548	4092	cmd.exe	80
PID 4092 wrote to memory of 796	4092	cmd.exe	81
PID 4092 wrote to memory of 796	4092	cmd.exe	81
PID 4092 wrote to memory of 340	4092	cmd.exe	82
PID 4092 wrote to memory of 340	4092	cmd.exe	82
PID 4092 wrote to memory of 4876	4092	cmd.exe	83
PID 4092 wrote to memory of 4876	4092	cmd.exe	83
PID 4092 wrote to memory of 1896	4092	cmd.exe	84
PID 4092 wrote to memory of 1896	4092	cmd.exe	84
PID 4092 wrote to memory of 332	4092	cmd.exe	85
PID 4092 wrote to memory of 332	4092	cmd.exe	85
PID 4092 wrote to memory of 3744	4092	cmd.exe	86
PID 4092 wrote to memory of 3744	4092	cmd.exe	86
PID 4092 wrote to memory of 124	4092	cmd.exe	87
PID 4092 wrote to memory of 124	4092	cmd.exe	87
PID 4092 wrote to memory of 1116	4092	cmd.exe	88
PID 4092 wrote to memory of 1116	4092	cmd.exe	88
PID 4092 wrote to memory of 1588	4092	cmd.exe	89
PID 4092 wrote to memory of 1588	4092	cmd.exe	89
PID 4092 wrote to memory of 3948	4092	cmd.exe	90
PID 4092 wrote to memory of 3948	4092	cmd.exe	90
PID 4092 wrote to memory of 1608	4092	cmd.exe	91
PID 4092 wrote to memory of 1608	4092	cmd.exe	91
PID 4092 wrote to memory of 2032	4092	cmd.exe	92
PID 4092 wrote to memory of 2032	4092	cmd.exe	92
PID 4092 wrote to memory of 3996	4092	cmd.exe	93
PID 4092 wrote to memory of 3996	4092	cmd.exe	93
PID 4092 wrote to memory of 4408	4092	cmd.exe	94
PID 4092 wrote to memory of 4408	4092	cmd.exe	94
PID 4092 wrote to memory of 5068	4092	cmd.exe	95
PID 4092 wrote to memory of 5068	4092	cmd.exe	95
PID 4092 wrote to memory of 3676	4092	cmd.exe	96
PID 4092 wrote to memory of 3676	4092	cmd.exe	96
PID 4092 wrote to memory of 440	4092	cmd.exe	97
PID 4092 wrote to memory of 440	4092	cmd.exe	97
PID 4092 wrote to memory of 5036	4092	cmd.exe	98
PID 4092 wrote to memory of 5036	4092	cmd.exe	98
PID 4092 wrote to memory of 4564	4092	cmd.exe	99
PID 4092 wrote to memory of 4564	4092	cmd.exe	99
PID 4092 wrote to memory of 4024	4092	cmd.exe	100
PID 4092 wrote to memory of 4024	4092	cmd.exe	100
PID 4092 wrote to memory of 576	4092	cmd.exe	101
PID 4092 wrote to memory of 576	4092	cmd.exe	101
PID 4092 wrote to memory of 4828	4092	cmd.exe	102
PID 4092 wrote to memory of 4828	4092	cmd.exe	102
PID 4092 wrote to memory of 544	4092	cmd.exe	103
PID 4092 wrote to memory of 544	4092	cmd.exe	103
PID 4092 wrote to memory of 1804	4092	cmd.exe	104
PID 4092 wrote to memory of 1804	4092	cmd.exe	104
PID 4092 wrote to memory of 2380	4092	cmd.exe	105
PID 4092 wrote to memory of 2380	4092	cmd.exe	105
PID 4092 wrote to memory of 2452	4092	cmd.exe	106
PID 4092 wrote to memory of 2452	4092	cmd.exe	106
PID 4092 wrote to memory of 416	4092	cmd.exe	107
PID 4092 wrote to memory of 416	4092	cmd.exe	107
PID 4092 wrote to memory of 2080	4092	cmd.exe	108
PID 4092 wrote to memory of 2080	4092	cmd.exe	108
PID 4092 wrote to memory of 3608	4092	cmd.exe	109
PID 4092 wrote to memory of 3608	4092	cmd.exe	109
PID 4092 wrote to memory of 1592	4092	cmd.exe	110
PID 4092 wrote to memory of 1592	4092	cmd.exe	110
PID 4092 wrote to memory of 3376	4092	cmd.exe	111
PID 4092 wrote to memory of 3376	4092	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ToDesktop.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\system32\netsh.exe
  Netsh AdvFirewall Set AllProfiles State Off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1548
- C:\Windows\system32\netsh.exe
  Netsh AdvFirewall Set AllProfiles Settings InboundUserNotification Disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:796
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319"
  2⤵
  PID:340
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64"
  2⤵
  PID:4876
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical"
  2⤵
  PID:1896
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical"
  2⤵
  PID:332
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\AppListBackup\Backup"
  2⤵
  PID:3744
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
  2⤵
  PID:124
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
  2⤵
  PID:1116
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
  2⤵
  PID:1588
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\WindowsColorSystem\Calibration Loader"
  2⤵
  PID:3948
- C:\Windows\system32\schtasks.exe
  SCHTASKS /delete /TN "\Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /F
  2⤵
  PID:1608
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Registry\RegIdleBackup"
  2⤵
  PID:2032
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\LanguageComponentsInstaller\Installation"
  2⤵
  PID:3996
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources"
  2⤵
  PID:4408
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\LanguageComponentsInstaller\Uninstallation"
  2⤵
  PID:5068
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Location\Notifications"
  2⤵
  PID:3676
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Location\WindowsActionDialog"
  2⤵
  PID:440
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents"
  2⤵
  PID:5036
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic"
  2⤵
  PID:4564
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\MemoryDiagnostic\DirectXDatabaseUpdater"
  2⤵
  PID:4024
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\AppListBackup\Backup"
  2⤵
  PID:576
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\AppListBackup\BackupNonMaintenance"
  2⤵
  PID:4828
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner"
  2⤵
  PID:544
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Diagnosis\Scheduled"
  2⤵
  PID:1804
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Application Experience\StartupAppTask"
  2⤵
  PID:2380
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\XblGameSave\XblGameSaveTask"
  2⤵
  PID:2452
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start"
  2⤵
  PID:416
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\WindowsUpdate\Refresh Group Policy Cache"
  2⤵
  PID:2080
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\UPnP\UPnPHostConfig"
  2⤵
  PID:3608
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies"
  2⤵
  PID:1592
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"
  2⤵
  PID:3376
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task"
  2⤵
  PID:1772
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work"
  2⤵
  PID:4044
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask"
  2⤵
  PID:3136
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker"
  2⤵
  PID:3972
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Application Experience\SdbinstMergeDbTask"
  2⤵
  PID:4832
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Library Location" /f
  2⤵
  - Modifies registry class
  PID:4988
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Sharing" /f
  2⤵
  - Modifies registry class
  PID:4780
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\Sharing" /f
  2⤵
  - Modifies registry class
  PID:4020
- C:\Windows\system32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "0" /f
  2⤵
  PID:1408
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disabledynamictick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4872
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootmenupolicy legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2468
- C:\Windows\system32\powercfg.exe
  powercfg /hibernate off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\system32\powercfg.exe
  powercfg -x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\system32\powercfg.exe
  powercfg -x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\system32\powercfg.exe
  powercfg /SETDCVALUEINDEX SCHEME_CURRENT 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\system32\powercfg.exe
  powercfg /SETACVALUEINDEX SCHEME_CURRENT 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 45bcc044-d885-43e2-8605-ee0ec6e96b59 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 36687f9e-e3a5-4dbf-b1dc-15eb381c6863 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 2E601130-5351-4d9d-8E04-252966BAD054 d502f7ee-1dc7-4efd-a55d-f04b6f5c0545 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 4e4450b3-6179-4e91-b8f1-5bb9938f81a1 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 0cc5b647-c1df-4637-891a-dec35c318583 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 0012ee47-9041-4b5d-9b77-535fba8b1442 d639518a-e56d-4345-8af2-b9f32fb26109 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 0012ee47-9041-4b5d-9b77-535fba8b1442 d3d55efd-c1ff-424e-9dc3-441be7833010 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4080
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 2a737441-1930-4402-8d77-b2bebba308a3 d4e98f31-5ffe-4ce1-be31-1b38b384c009 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 7516b95f-f776-4464-8c53-06167f40cc99 2a737441-1930-4402-8d77-b2bebba308a3 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3088
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 4faab71a-92e5-4726-b531-224559672d19 4faab71a-92e5-4726-b531-224559672d19 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 0012ee47-9041-4b5d-9b77-535fba8b1442 0b2d69d7-a2a1-449c-9680-f91c70521c60 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 0012ee47-9041-4b5d-9b77-535fba8b1442 dab60367-53fe-4fbc-825e-521d069d2456 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 48672F38-7A9A-4bb2-8BF8-3D85BE19DE4E 2bfc24f9-5ea2-4801-8213-3dbae01aa39d -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 5d76a2ca-e8c0-402f-a133-2158492d58ad -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:492
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 8baa4a8a-14c6-4451-8e8b-14bdbd197537 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 5FB4938D-1EE8-4b0f-9A3C-5036B0AB995C dd848b2a-8a5d-4451-9ae2-39cd41658f6c -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\system32\powercfg.exe
  powercfg -attributes DE830923-A562-41AF-A086-E3A2C6BAD2DA 5c5bb349-ad29-4ee2-9d0b-2b25270f7a81 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 7516b95f-f776-4464-8c53-06167f40cc99 8ec4b3a5-6868-48c2-be75-4f3044be88a7 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\system32\powercfg.exe
  powercfg -attributes DE830923-A562-41AF-A086-E3A2C6BAD2DA 5C5BB349-AD29-4ee2-9D0B-2B25270F7A81 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 9596FB26-9850-41fd-AC3E-F7C3C00AFD4B 34C7B99F-9A6D-4b3c-8DC7-B6693B78CEF4 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 9596FB26-9850-41fd-AC3E-F7C3C00AFD4B 10778347-1370-4ee0-8bbd-33bdacaade49 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 8619B916-E004-4dd8-9B66-DAE86F806698 82011705-FB95-4D46-8D35-4042B1D20DEF -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 7516b95f-f776-4464-8c53-06167f40cc99 684C3E69-A4F7-4014-8754-D45179A56167 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 cfeda3d0-7697-4566-a922-a9086cd49dfa -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 be337238-0d82-4146-a960-4f3749d470c7 -ATTRIB_HIDE
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 bae08b81-2d5e-4688-ad6a-13243356654b -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:3196
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 984cf492-3bed-4488-a8f9-4286c97bf5aa -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:4064
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 93b8b6dc-0698-4d1c-9ee4-0644e900c85d -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:4344
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 4d2b0152-7d5c-498b-88e2-34345392a2c5 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:4416
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 465e1f50-b610-473a-ab58-00d1077dc418 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:1316
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 2E601130-5351-4d9d-8E04-252966BAD054 C42B79AA-AA3A-484b-A98F-2CF32AA90A28 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:572
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 2a737441-1930-4402-8d77-b2bebba308a3 0853a681-27c8-4100-a2fd-82013e970683 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:1956
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 0012ee47-9041-4b5d-9b77-535fba8b1442 51dea550-bb38-4bc4-991b-eacf37be5ec8 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:4536
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 238C9FA8-0AAD-41ED-83F4-97BE242C8F20 25DFA149-5DD1-4736-B5AB-E8A37B5B8187 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:4624
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 238C9FA8-0AAD-41ED-83F4-97BE242C8F20 94AC6D29-73CE-41A6-809F-6363BA21B47E -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:3360
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 238C9FA8-0AAD-41ED-83F4-97BE242C8F20 7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:3724
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 238C9FA8-0AAD-41ED-83F4-97BE242C8F20 25DFA149-5DD1-4736-B5AB-E8A37B5B8187 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:1096
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 0012ee47-9041-4b5d-9b77-535fba8b1442 51dea550-bb38-4bc4-991b-eacf37be5ec8 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:3388
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 4faab71a-92e5-4726-b531-224559672d19 4faab71a-92e5-4726-b531-224559672d19 -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:2408
- C:\Windows\system32\powercfg.exe
  powercfg -attributes 54533251-82be-4824-96c1-47b60b740d00 5d76a2ca-e8c0-402f-a133-2158492d58ad -ATTRIB_HIDE
  2⤵
  - Power Settings
  PID:3804
- C:\Windows\system32\powercfg.exe
  powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
  2⤵
  - Power Settings
  PID:3528
- C:\Windows\system32\compact.exe
  Compact.exe /CompactOS:always
  2⤵
  PID:1496

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1e7dd00b69af4d51fb747a9f42c6cffa

SHA1
496cdb3187d75b73c0cd72c69cd8d42d3b97bca2

SHA256
bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771

SHA512
d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b5ec1c651d538125bbad8ae7b5878883

SHA1
fc51a9862cd962c1dcf92da77deca73aa79f0c04

SHA256
7e4836c483ec272727cb1e69f6d1769be0f8ea3783dab5fc6846bea18f8c5114

SHA512
ce915256b7339ce5ae8c12864b66f8c83c4ef31185e46d5877776a4fb21ae18a58c742af77312d54ca77f42d33c63e9b6ff868c078d11d423dac4b72cb599f2e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads