xmrig | hxxps://github[.]com/imperiska/lekers/blob/main/uthjasjedf[.]exe

Resubmissions

25-01-2025 13:26

250125-qp1zjswmhj 10

25-01-2025 13:25

250125-qn4ztawmdr 3

24-01-2025 18:46

250124-xepxvstpdk 10

Analysis

max time kernel
110s
max time network
108s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2025 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/imperiska/lekers/blob/main/uthjasjedf.exe

Score

10^/10

xmrig defense_evasion discovery execution miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/1640-306-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1640-307-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1640-309-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1640-313-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1640-312-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1640-311-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1640-310-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1640-378-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1640-379-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3468	powershell.exe
4688	powershell.exe
2236	powershell.exe
2820	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
34	2032	msedge.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	uthjasjedf.exe
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	uthjasjedf.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 4 IoCs

pid	Process
2508	uthjasjedf.exe
4800	Updater.exe
1552	uthjasjedf.exe
472	Updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
40	pastebin.com
20	raw.githubusercontent.com
20	pastebin.com

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1612	powercfg.exe
4676	powercfg.exe
3468	powercfg.exe
3000	powercfg.exe
4796	powercfg.exe
3924	powercfg.exe
3168	powercfg.exe
3680	powercfg.exe
4984	powercfg.exe
3364	powercfg.exe
4840	powercfg.exe
2756	powercfg.exe
2140	powercfg.exe
2488	powercfg.exe
2108	powercfg.exe
2496	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	uthjasjedf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	uthjasjedf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 1372	4800	Updater.exe	149
PID 4800 set thread context of 1640	4800	Updater.exe	150

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1640-301-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-306-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-307-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-309-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-313-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-312-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-311-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-310-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-305-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-304-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-303-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-302-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-378-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1640-379-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 26 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4812	sc.exe
5012	sc.exe
920	sc.exe
3536	sc.exe
4460	sc.exe
1240	sc.exe
4116	sc.exe
2876	sc.exe
5084	sc.exe
1776	sc.exe
2964	sc.exe
3960	sc.exe
3168	sc.exe
4772	sc.exe
4964	sc.exe
4700	sc.exe
3652	sc.exe
2188	sc.exe
3660	sc.exe
3996	sc.exe
1236	sc.exe
1584	sc.exe
4344	sc.exe
4396	sc.exe
2976	sc.exe
1800	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\uthjasjedf.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 584878.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\uthjasjedf.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	msedge.exe
2032	msedge.exe
2936	msedge.exe
2936	msedge.exe
4052	msedge.exe
4052	msedge.exe
2780	identity_helper.exe
2780	identity_helper.exe
2184	msedge.exe
2184	msedge.exe
2508	uthjasjedf.exe
3468	powershell.exe
3468	powershell.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
2508	uthjasjedf.exe
4800	Updater.exe
4688	powershell.exe
4688	powershell.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
4800	Updater.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1552	uthjasjedf.exe
1640	explorer.exe
1640	explorer.exe
2236	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeShutdownPrivilege	2108	powercfg.exe
Token: SeCreatePagefilePrivilege	2108	powercfg.exe
Token: SeShutdownPrivilege	4796	powercfg.exe
Token: SeCreatePagefilePrivilege	4796	powercfg.exe
Token: SeShutdownPrivilege	2488	powercfg.exe
Token: SeCreatePagefilePrivilege	2488	powercfg.exe
Token: SeShutdownPrivilege	3924	powercfg.exe
Token: SeCreatePagefilePrivilege	3924	powercfg.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeLockMemoryPrivilege	1640	explorer.exe
Token: SeShutdownPrivilege	4676	powercfg.exe
Token: SeCreatePagefilePrivilege	4676	powercfg.exe
Token: SeShutdownPrivilege	3468	powercfg.exe
Token: SeCreatePagefilePrivilege	3468	powercfg.exe
Token: SeShutdownPrivilege	2496	powercfg.exe
Token: SeCreatePagefilePrivilege	2496	powercfg.exe
Token: SeShutdownPrivilege	3680	powercfg.exe
Token: SeCreatePagefilePrivilege	3680	powercfg.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeShutdownPrivilege	4840	powercfg.exe
Token: SeCreatePagefilePrivilege	4840	powercfg.exe
Token: SeShutdownPrivilege	4984	powercfg.exe
Token: SeCreatePagefilePrivilege	4984	powercfg.exe
Token: SeShutdownPrivilege	2756	powercfg.exe
Token: SeCreatePagefilePrivilege	2756	powercfg.exe
Token: SeShutdownPrivilege	3364	powercfg.exe
Token: SeCreatePagefilePrivilege	3364	powercfg.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeShutdownPrivilege	2140	powercfg.exe
Token: SeCreatePagefilePrivilege	2140	powercfg.exe
Token: SeShutdownPrivilege	3000	powercfg.exe
Token: SeCreatePagefilePrivilege	3000	powercfg.exe
Token: SeShutdownPrivilege	3168	powercfg.exe
Token: SeCreatePagefilePrivilege	3168	powercfg.exe
Token: SeShutdownPrivilege	1612	powercfg.exe
Token: SeCreatePagefilePrivilege	1612	powercfg.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 5104	2936	msedge.exe	77
PID 2936 wrote to memory of 5104	2936	msedge.exe	77
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 552	2936	msedge.exe	78
PID 2936 wrote to memory of 2032	2936	msedge.exe	79
PID 2936 wrote to memory of 2032	2936	msedge.exe	79
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80
PID 2936 wrote to memory of 4924	2936	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/imperiska/lekers/blob/main/uthjasjedf.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,4724405193515643355,10762090674585097956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1644 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Users\Admin\Downloads\uthjasjedf.exe
  "C:\Users\Admin\Downloads\uthjasjedf.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4884
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3708
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3652
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2964
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2188
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3960
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:3660
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4460
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3168
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:3996
- C:\Users\Admin\Downloads\uthjasjedf.exe
  "C:\Users\Admin\Downloads\uthjasjedf.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4260
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:724
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4812
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1776
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:920
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4344
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5012
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:4700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4620

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4800
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3364
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1072
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1236
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1240
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1584
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4116
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2876
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1372
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
PID:472
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1604
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3932
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4396
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4772
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4964
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2976
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1800
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5ba388a6597d5e09191c2c88d2fdf598

SHA1
13516f8ec5a99298f6952438055c39330feae5d8

SHA256
e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

SHA512
ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
524cbb9f835f59e0b0a25faf3e8cd870

SHA1
fcb7e25e4631609e8ee06631b9cdba3d5efa3f65

SHA256
a496311397281fcceeaf313ac04ed1fb151c8043073206353dee037335281518

SHA512
ff77ae6632cbdf4bcce0b0ef1484538107ad102822c17b33ff7b21cbf006be20162a37d2df2ceefff626f9a39b980e45cfeda997533e3faecd525efed8c3ff5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
b1636618b5d4f2013f58f44ffa46972c

SHA1
f72b64cbe58d62819580600f7daefd3d0d69cfe7

SHA256
75e8b4982ebf6efd224017b0ff269ee852518b7d0c747fa06acb8d59825275d7

SHA512
199fa5891de04f9450d095811705323e8e57b2e21585ac61c92a52f283ed0abaf929dd72461cbcf3e6860605d7d1468d63d6a3ae612a60fdaa018c1fe9bc33dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34e77aa85180c1f4fbdf118de3da033d

SHA1
660edea5702cf3f968a9afb258e2cacefc07dfb8

SHA256
c222db39782a5945603d660eeb296612b13546223511069bb39807ffe1a60c90

SHA512
32c267729a5b2cb01fea6fe402ec01d487334ae6e8e49323866a795b480b5a403eaff68a9a00f9bbc087fc8b654609b39f91ab13e19327ae8328ca2a1ce26210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d8174865a8d3033a6e64c4ea0820a292

SHA1
8b4919bfd46a65768e60a9b0f41a0119d12bcc5b

SHA256
8d0696eed69c4f2a19c6fe1d7181fce8776ac4949fe8a5217a78de56c8d73cb7

SHA512
aa8577b6b33ba0141f42c07b3fb98437317285d7ef9a7f9809631d1ed3de101308706ffa16bd641811145f16d53a469b4c94bf8556dcfb04309a31e01e82c6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82b89aaf32a9f94c67920bd5f99a1393

SHA1
29d54491ba33620948afb9bebed4f143c1bd9115

SHA256
b3f39ac7ecf154ea52da05d00be24157e16d710c8e4a3853058828cc90068b2d

SHA512
36c3386046d70f18826f41dad26ee87b5b6e4f3eca6adc59bcbb940f0ab0045b274e3f6963c52c262f9d82d61381ed1dd240ee1bfaacd18f9d9322d218e261a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7abe614d801d7ffe9ca6dce91639457d

SHA1
5b996fa5bf25c7c16952d4a06f94ad503cf99f97

SHA256
bca363f251ca901f35b27d27bfe1e1a2555488027eab31a9d217672d18a768d8

SHA512
f72b55d4d89811fda99de54b9505e6f08ddd8f60f3b7eb93dfa82ba65ddd59c4f1a353c72ec014cf8f715f89b1353ec0fabf20bdb0b1f27f928b73521493681d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5915564f1f4089d5dfe6052694eb3946

SHA1
3724e566ec9e69e862a6c971472622e005985ab6

SHA256
5b4a0d8df27d51ce412bbe939cf55900405b7d772fcd4bcb6e3534d6d82f17f5

SHA512
a122ebb5b3fe3e422ce42b54832f6bea31b891c2c91c38d7bbfc67b8e6c5129cf845cd76bab8a88fca3b365c8d456e8da4e2bb01140deb0b6e80fa883013be91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
891f710ea13f7ec258138c177865cd23

SHA1
4178c4fa14d32938f887e999740e155b40551554

SHA256
e68d0ddb94699610b96be753f451bdd5bed6b76e3d82550f5c1f34327e906ed5

SHA512
c0897b78e143f359cc3253a5eef7039f6cb84675f99df763d4c9a22596e5369ef82eb9f36bdb2f4b76804eb6b748dae5c1bbc78a6dc221e88a4468a71e721bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
979db644c2cade95abc261f491bf3b6c

SHA1
251e5cde0a34f14694f95c681dc7cfe63bd60844

SHA256
3781dd13cdbb9b2639aafb7e49da7e37ef6e3bb03151240764819a46b7a13cb9

SHA512
7114c56e51c5212d951093d72c98ef7a31055693b1de7b1709347c4af27ed5eadf758e1b0d0faafdbf54252da2ddba571118d9f11dd9bf480bd7fe17e71c5464

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pywium4s.lti.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 584878.crdownload

Filesize
5.2MB

MD5
6f163d9cd94d4a58ad722301cf9847d0

SHA1
ffcf6d1a5956dfb60a0fd7267039e30fbe2fd981

SHA256
827642649f28e190ac328f026c6c1a332d45b2be4af76bd8f6c8e85838c90b11

SHA512
5503fefd77a87f8030dbd468168abeb3b778857bd770720942f3f1b41cf498f79a3f9138bb1cb7b24b52f55d67724de31aeb42225ee21c8712719323d45e7d67

Download Submit
C:\Users\Admin\Downloads\uthjasjedf.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Windows\TEMP\mfmmhcqgqlts.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
dbbd2d4458d7e8094846420da595dfc3

SHA1
267cb47b904f14a519d2bd73abfdb30e1a06e1a6

SHA256
e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

SHA512
480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2dd68ab8e611f0143c6ad176f223ae9

SHA1
30f580175773f251a9572fe757de6eaef6844abc

SHA256
f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

SHA512
f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/1372-295-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1372-293-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1372-297-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1372-296-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1372-300-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1372-294-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1640-310-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-302-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-306-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-308-0x0000000000EC0000-0x0000000000EE0000-memory.dmp

Filesize
128KB

Download
memory/1640-307-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-309-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-313-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-312-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-311-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-379-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-305-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-304-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-303-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-301-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1640-378-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3468-250-0x000001CD56310000-0x000001CD56332000-memory.dmp

Filesize
136KB

Download
memory/4688-286-0x000002736E560000-0x000002736E568000-memory.dmp

Filesize
32KB

Download
memory/4688-280-0x000002736E5B0000-0x000002736E5CA000-memory.dmp

Filesize
104KB

Download
memory/4688-279-0x000002736E550000-0x000002736E55A000-memory.dmp

Filesize
40KB

Download
memory/4688-277-0x000002736E570000-0x000002736E58C000-memory.dmp

Filesize
112KB

Download
memory/4688-276-0x000002736E440000-0x000002736E44A000-memory.dmp

Filesize
40KB

Download
memory/4688-275-0x000002736E380000-0x000002736E433000-memory.dmp

Filesize
716KB

Download
memory/4688-274-0x000002736E360000-0x000002736E37C000-memory.dmp

Filesize
112KB

Download
memory/4688-287-0x000002736E590000-0x000002736E596000-memory.dmp

Filesize
24KB

Download
memory/4688-288-0x000002736E5A0000-0x000002736E5AA000-memory.dmp

Filesize
40KB

Download