b38f572ee0579f3f94e9f04a8040ed15ae6db151714ececfa0092ad2d524a97d

Resubmissions

26/02/2024, 22:46

240226-2qdfesag6w 8

20/02/2024, 23:03

240220-217f9agf65 8

20/02/2024, 22:49

240220-2rnmsaga51 9

Analysis

max time kernel
258s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CARTI_TWEAKS.bat
Size

59KB
MD5

ce77350d95772ad65718ecc8962b5517
SHA1

cf39eea9b027b8eafc99ee4de7a550c098927483
SHA256

b38f572ee0579f3f94e9f04a8040ed15ae6db151714ececfa0092ad2d524a97d
SHA512

a03c9209c26ee463ee685c24984ebbc3730079182e72009a2a54f92a8adf21e5d48afe2f1083dd99cca404f369acfc7e55e02386278c4acba7727f18d61e0ed5
SSDEEP

768:7RUPTtGiZQVr6+6Pk6PpXDrRDPqoYC7C6Wgm:7Wugm

Score

8^/10

evasion

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\PowerCycleCount	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\Attributes	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Address	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\InitialTimestamp	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\InitialTimestamp	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\PowerCycleCount	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\DiskId	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	reg.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4620	timeout.exe
4208	timeout.exe
4108	timeout.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings\DownloadMode = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings\DownloadMode = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2636	msedge.exe
2636	msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4692	WMIC.exe
Token: SeSecurityPrivilege	4692	WMIC.exe
Token: SeTakeOwnershipPrivilege	4692	WMIC.exe
Token: SeLoadDriverPrivilege	4692	WMIC.exe
Token: SeSystemProfilePrivilege	4692	WMIC.exe
Token: SeSystemtimePrivilege	4692	WMIC.exe
Token: SeProfSingleProcessPrivilege	4692	WMIC.exe
Token: SeIncBasePriorityPrivilege	4692	WMIC.exe
Token: SeCreatePagefilePrivilege	4692	WMIC.exe
Token: SeBackupPrivilege	4692	WMIC.exe
Token: SeRestorePrivilege	4692	WMIC.exe
Token: SeShutdownPrivilege	4692	WMIC.exe
Token: SeDebugPrivilege	4692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4692	WMIC.exe
Token: SeRemoteShutdownPrivilege	4692	WMIC.exe
Token: SeUndockPrivilege	4692	WMIC.exe
Token: SeManageVolumePrivilege	4692	WMIC.exe
Token: 33	4692	WMIC.exe
Token: 34	4692	WMIC.exe
Token: 35	4692	WMIC.exe
Token: 36	4692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4692	WMIC.exe
Token: SeSecurityPrivilege	4692	WMIC.exe
Token: SeTakeOwnershipPrivilege	4692	WMIC.exe
Token: SeLoadDriverPrivilege	4692	WMIC.exe
Token: SeSystemProfilePrivilege	4692	WMIC.exe
Token: SeSystemtimePrivilege	4692	WMIC.exe
Token: SeProfSingleProcessPrivilege	4692	WMIC.exe
Token: SeIncBasePriorityPrivilege	4692	WMIC.exe
Token: SeCreatePagefilePrivilege	4692	WMIC.exe
Token: SeBackupPrivilege	4692	WMIC.exe
Token: SeRestorePrivilege	4692	WMIC.exe
Token: SeShutdownPrivilege	4692	WMIC.exe
Token: SeDebugPrivilege	4692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4692	WMIC.exe
Token: SeRemoteShutdownPrivilege	4692	WMIC.exe
Token: SeUndockPrivilege	4692	WMIC.exe
Token: SeManageVolumePrivilege	4692	WMIC.exe
Token: 33	4692	WMIC.exe
Token: 34	4692	WMIC.exe
Token: 35	4692	WMIC.exe
Token: 36	4692	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2764	4912	cmd.exe	85
PID 4912 wrote to memory of 2764	4912	cmd.exe	85
PID 4912 wrote to memory of 2464	4912	cmd.exe	92
PID 4912 wrote to memory of 2464	4912	cmd.exe	92
PID 2464 wrote to memory of 4976	2464	cmd.exe	93
PID 2464 wrote to memory of 4976	2464	cmd.exe	93
PID 2464 wrote to memory of 1428	2464	cmd.exe	94
PID 2464 wrote to memory of 1428	2464	cmd.exe	94
PID 4912 wrote to memory of 3508	4912	cmd.exe	95
PID 4912 wrote to memory of 3508	4912	cmd.exe	95
PID 4912 wrote to memory of 4780	4912	cmd.exe	96
PID 4912 wrote to memory of 4780	4912	cmd.exe	96
PID 4912 wrote to memory of 416	4912	cmd.exe	97
PID 4912 wrote to memory of 416	4912	cmd.exe	97
PID 4912 wrote to memory of 4768	4912	cmd.exe	99
PID 4912 wrote to memory of 4768	4912	cmd.exe	99
PID 4912 wrote to memory of 1704	4912	cmd.exe	100
PID 4912 wrote to memory of 1704	4912	cmd.exe	100
PID 4912 wrote to memory of 4620	4912	cmd.exe	101
PID 4912 wrote to memory of 4620	4912	cmd.exe	101
PID 4912 wrote to memory of 4176	4912	cmd.exe	102
PID 4912 wrote to memory of 4176	4912	cmd.exe	102
PID 4176 wrote to memory of 4692	4176	cmd.exe	103
PID 4176 wrote to memory of 4692	4176	cmd.exe	103
PID 4912 wrote to memory of 1432	4912	cmd.exe	105
PID 4912 wrote to memory of 1432	4912	cmd.exe	105
PID 4912 wrote to memory of 4208	4912	cmd.exe	106
PID 4912 wrote to memory of 4208	4912	cmd.exe	106
PID 4912 wrote to memory of 1100	4912	cmd.exe	107
PID 4912 wrote to memory of 1100	4912	cmd.exe	107
PID 4912 wrote to memory of 3088	4912	cmd.exe	108
PID 4912 wrote to memory of 3088	4912	cmd.exe	108
PID 4912 wrote to memory of 4108	4912	cmd.exe	109
PID 4912 wrote to memory of 4108	4912	cmd.exe	109
PID 4912 wrote to memory of 1904	4912	cmd.exe	110
PID 4912 wrote to memory of 1904	4912	cmd.exe	110
PID 4912 wrote to memory of 1312	4912	cmd.exe	111
PID 4912 wrote to memory of 1312	4912	cmd.exe	111
PID 4912 wrote to memory of 2580	4912	cmd.exe	112
PID 4912 wrote to memory of 2580	4912	cmd.exe	112
PID 4912 wrote to memory of 2012	4912	cmd.exe	113
PID 4912 wrote to memory of 2012	4912	cmd.exe	113
PID 4912 wrote to memory of 2476	4912	cmd.exe	114
PID 4912 wrote to memory of 2476	4912	cmd.exe	114
PID 4912 wrote to memory of 3240	4912	cmd.exe	115
PID 4912 wrote to memory of 3240	4912	cmd.exe	115
PID 4912 wrote to memory of 1644	4912	cmd.exe	116
PID 4912 wrote to memory of 1644	4912	cmd.exe	116
PID 4912 wrote to memory of 3588	4912	cmd.exe	117
PID 4912 wrote to memory of 3588	4912	cmd.exe	117
PID 4912 wrote to memory of 4428	4912	cmd.exe	118
PID 4912 wrote to memory of 4428	4912	cmd.exe	118
PID 4912 wrote to memory of 3904	4912	cmd.exe	119
PID 4912 wrote to memory of 3904	4912	cmd.exe	119
PID 4912 wrote to memory of 4744	4912	cmd.exe	120
PID 4912 wrote to memory of 4744	4912	cmd.exe	120
PID 4912 wrote to memory of 4924	4912	cmd.exe	121
PID 4912 wrote to memory of 4924	4912	cmd.exe	121
PID 4912 wrote to memory of 3668	4912	cmd.exe	122
PID 4912 wrote to memory of 3668	4912	cmd.exe	122
PID 4912 wrote to memory of 3684	4912	cmd.exe	123
PID 4912 wrote to memory of 3684	4912	cmd.exe	123
PID 4912 wrote to memory of 3456	4912	cmd.exe	124
PID 4912 wrote to memory of 3456	4912	cmd.exe	124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CARTI_TWEAKS.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Enum" /S /F "StorPort" | findstr /e "StorPort"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Enum" /S /F "StorPort"
    3⤵
    - Checks SCSI registry key(s)
    PID:4976
- - C:\Windows\system32\findstr.exe
    findstr /e "StorPort"
    3⤵
    PID:1428
- C:\Windows\system32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
  2⤵
  PID:3508
- C:\Windows\system32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
  2⤵
  PID:4780
- C:\Windows\system32\reg.exe
  Reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
  2⤵
  PID:416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f
  2⤵
  PID:1704
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "!SVCHOST!" /f
  2⤵
  PID:1432
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4208
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
  2⤵
  PID:1100
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
  2⤵
  PID:3088
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4108
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d "0" /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "0" /f
  2⤵
  PID:2580
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolQuota" /t REG_DWORD /d "0" /f
  2⤵
  PID:2012
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolSize" /t REG_DWORD /d "0" /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolQuota" /t REG_DWORD /d "0" /f
  2⤵
  PID:3240
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolSize" /t REG_DWORD /d "192" /f
  2⤵
  PID:1644
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d "1024" /f
  2⤵
  PID:3588
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionPoolSize" /t REG_DWORD /d "192" /f
  2⤵
  PID:4428
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionViewSize" /t REG_DWORD /d "192" /f
  2⤵
  PID:3904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SystemPages" /t REG_DWORD /d "4294967295" /f
  2⤵
  PID:4744
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PhysicalAddressExtension" /t REG_DWORD /d "1" /f
  2⤵
  PID:4924
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
  2⤵
  PID:3668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
  2⤵
  PID:3456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "IoPageLockLimit" /t REG_DWORD /d "16710656" /f
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PoolUsageMaximum" /t REG_DWORD /d "96" /f
  2⤵
  PID:4852
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:4804
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4932
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:4920
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
  2⤵
  PID:3616
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:3204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:4320
- C:\Windows\system32\reg.exe
  Reg.exe add "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:4196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:2904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
  2⤵
  PID:2064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
  2⤵
  PID:3756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:4672
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
  2⤵
  PID:3024
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:5104
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4284
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:752
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:972
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:4844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:2056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2596
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
  2⤵
  PID:852
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:548
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:3148
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:2956
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4872
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
  2⤵
  PID:4772
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:3344
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:2144
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4080
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
  2⤵
  PID:2940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:2072
- C:\Windows\system32\reg.exe
  Reg.exe add "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:2464
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
  2⤵
  PID:2372
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
  2⤵
  PID:1832
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:5064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
  2⤵
  PID:1356
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1920
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4956
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3732
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4656
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:1452
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:1612
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:1088
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
  2⤵
  PID:1324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4820
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f
  2⤵
  PID:2924
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
  2⤵
  PID:1440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:3200
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3244
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
  2⤵
  PID:4064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
  2⤵
  PID:1092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
  2⤵
  PID:4716
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
  2⤵
  PID:4220
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:2868
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v "autodisconnect" /t REG_DWORD /d "4294967295" /f
  2⤵
  PID:1840
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d "3" /f
  2⤵
  PID:1700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v "EnableOplocks" /t REG_DWORD /d "0" /f
  2⤵
  PID:224
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v "IRPStackSize" /t REG_DWORD /d "32" /f
  2⤵
  PID:3568
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v "SharingViolationDelay" /t REG_DWORD /d "0" /f
  2⤵
  PID:1656
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v "SharingViolationRetries" /t REG_DWORD /d "0" /f
  2⤵
  PID:4944
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NoLazyMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:3552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "AlwaysOn" /t REG_DWORD /d "1" /f
  2⤵
  PID:1340
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3564
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3780
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4596
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d "5" /f
  2⤵
  PID:1360
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3160
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f
  2⤵
  PID:1908
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "FontSmoothingType" /t REG_DWORD /d "2" /f
  2⤵
  PID:2288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AllUpView" /v "AllUpView" /t REG_DWORD /d "0" /f
  2⤵
  PID:2700
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AllUpView" /v "Remove TaskView" /t REG_DWORD /d "1" /f
  2⤵
  PID:4248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
  2⤵
  PID:4408
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAHealth" /t REG_DWORD /d "1" /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ExtendedUIHoverTime" /t REG_DWORD /d "196608" /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DontPrettyPath" /t REG_DWORD /d "1" /f
  2⤵
  PID:4804
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f
  2⤵
  PID:4972
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
  2⤵
  PID:4932
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAHealth" /t REG_DWORD /d "1" /f
  2⤵
  PID:4920
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f
  2⤵
  PID:3204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInstrumentation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Psched" /v "Start" /t REG_DWORD /d "1" /f
  2⤵
  PID:4196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
  2⤵
  PID:2904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "TCPDelAckTicks" /t REG_DWORD /d "1" /f
  2⤵
  PID:2064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TCPDelAckTicks" /t REG_DWORD /d "1" /f
  2⤵
  PID:3756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:3024
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:4672
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:5104
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
  2⤵
  PID:3396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
  2⤵
  PID:4284
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
  2⤵
  PID:752
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
  2⤵
  PID:972
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
  2⤵
  PID:5036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
  2⤵
  PID:3064
- C:\Windows\system32\sfc.exe
  SFC /scannow
  2⤵
  PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault0f211795h0d65h4622hb518hc79b87280ca4
1⤵
PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcae4546f8,0x7ffcae454708,0x7ffcae454718
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2292,1706747362291312295,16570939371688078856,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2300 /prefetch:2
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2292,1706747362291312295,16570939371688078856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2292,1706747362291312295,16570939371688078856,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
30a8815eb4e057dcef515f579d02e651

SHA1
f55e608b91832660801c2ca03dd2365e27ec489c

SHA256
139965948103949c621944d730cc392a2b5f3e817c12268e3fe28b52deec47bc

SHA512
bc8c8282973e331e3969dc0c74d1fb8d9bf5081ab6dd91b5b31bd395e5275bd274c9734954bb90dbc0cf2effe7123399ae65259ba2243c109d8cb840b44d7704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d97cb2eb34d248e6fad6997ed6f145ff

SHA1
da909559a7075f8c384f9a244d5b24166cbe2617

SHA256
18cb7adce76abe2dba13a918689e55ce06c00fcbdbda1e9d271e4347fe8a4c50

SHA512
fba662d427bbeea8fe10f450acb1240792e0fabce5111ededdf907e771684ee050bd07bc191cb89ce4652de09a601323f09fa8d5e547bb8f6fba7ab21b47fe37

Download Submit