0d4b8ffecfb9257cb67f67ffdbbe31e331676bf91dd2f24d0d3ead1d4e77da5a

Analysis

max time kernel
110s
max time network
118s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
03-03-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[5] Input Delay.bat
Size

95KB
MD5

bf7b1f5d7fb0ba2de507986076cf42ea
SHA1

5d3e992968693dd42b9346582da4a86098f1c490
SHA256

d4d74243d8af24bdcdd5675ed7f2c06271ba1422b63130a08a94937a7aaed5ae
SHA512

c1e48eb6c13291a1c9917139c7d774b4d415b0c49906cd326fb9dd7abba2bd4669260dd208f476d45579d82dcc65b385ca901743a6a29d3f8ae69d97fb3de8eb
SSDEEP

768:5/UqgNcx3d/t1ZvX10F1m7uqJnSAEYIkOvqFMdgyk/VNH:5UQx3z1I/m7uqJnSAEYIkUqFMdgyk7

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UINumber	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Address	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Driver	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\DefaultRequestFlags	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport\InitialTimestamp	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Address	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\InitialTimestamp	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ClassGUID	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestamp	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\DiskId	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ContainerID	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

5116 timeout.exe
2864 timeout.exe
4540 timeout.exe

pid	process
5116	timeout.exe
2864	timeout.exe
4540	timeout.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\KeyboardDelay = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\KeyboardSpeed = "31"	reg.exe

Runs ping.exe 1 TTPs 39 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4804	PING.EXE
1304	PING.EXE
3280	PING.EXE
4132	PING.EXE
2540	PING.EXE
2164	PING.EXE
752	PING.EXE
4536	PING.EXE
3488	PING.EXE
1876	PING.EXE
1464	PING.EXE
4516	PING.EXE
2356	PING.EXE
1844	PING.EXE
3088	PING.EXE
3532	PING.EXE
2180	PING.EXE
4064	PING.EXE
2184	PING.EXE
1612	PING.EXE
3640	PING.EXE
3936	PING.EXE
4644	PING.EXE
4552	PING.EXE
1560	PING.EXE
1060	PING.EXE
1508	PING.EXE
2612	PING.EXE
5072	PING.EXE
3788	PING.EXE
4044	PING.EXE
2584	PING.EXE
2128	PING.EXE
1952	PING.EXE
3660	PING.EXE
4152	PING.EXE
3528	PING.EXE
1380	PING.EXE
464	PING.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeSecurityPrivilege	2592	wevtutil.exe
Token: SeBackupPrivilege	2592	wevtutil.exe
Token: SeSecurityPrivilege	2320	wevtutil.exe
Token: SeBackupPrivilege	2320	wevtutil.exe
Token: SeSecurityPrivilege	4204	wevtutil.exe
Token: SeBackupPrivilege	4204	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3996 wrote to memory of 5116	3996	cmd.exe	timeout.exe
PID 3996 wrote to memory of 5116	3996	cmd.exe	timeout.exe
PID 3996 wrote to memory of 4692	3996	cmd.exe	fsutil.exe
PID 3996 wrote to memory of 4692	3996	cmd.exe	fsutil.exe
PID 3996 wrote to memory of 2128	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 2128	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 4428	3996	cmd.exe	fsutil.exe
PID 3996 wrote to memory of 4428	3996	cmd.exe	fsutil.exe
PID 3996 wrote to memory of 1560	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1560	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 948	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 948	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1952	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1952	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1452	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1452	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 3088	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 3088	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 2864	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 2864	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1060	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1060	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1892	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1892	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 3532	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 3532	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 4852	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 4852	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1508	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1508	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1552	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1552	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 4804	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 4804	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 2996	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 2996	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1612	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1612	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 4092	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 4092	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1464	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1464	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1828	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1828	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 2164	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 2164	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 2468	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 2468	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 2612	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 2612	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 2668	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 2668	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 3660	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 3660	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 1564	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 1564	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 752	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 752	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 4216	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 4216	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 5072	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 5072	3996	cmd.exe	PING.EXE
PID 3996 wrote to memory of 4356	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 4356	3996	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\[5] Input Delay.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
2⤵
- Delays execution with timeout.exe
PID:5116

C:\Windows\system32\fsutil.exe
fsutil behavior set disable8dot3 1
2⤵
PID:4692

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2128

C:\Windows\system32\fsutil.exe
fsutil behavior set disablelastaccess 1
2⤵
PID:4428

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1560

C:\Windows\system32\reg.exe
Reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
2⤵
PID:948

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1952

C:\Windows\system32\reg.exe
Reg add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
2⤵
PID:1452

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3088

C:\Windows\system32\reg.exe
Reg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
2⤵
PID:2864

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1060

C:\Windows\system32\reg.exe
Reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
2⤵
PID:1892

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3532

C:\Windows\system32\reg.exe
Reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
2⤵
PID:4852

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1508

C:\Windows\system32\reg.exe
Reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseXCurve" /t REG_BINARY /d 0000000000000000C0CC0C0000000000809919000000000040662600000000000033330000000000 /f
2⤵
PID:1552

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4804

C:\Windows\system32\reg.exe
Reg add "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve" /t REG_BINARY /d 0000000000000000000038000000000000007000000000000000A800000000000000E00000000000 /f
2⤵
PID:2996

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1612

C:\Windows\system32\reg.exe
Reg add "HKU\.DEFAULT\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
2⤵
- Modifies data under HKEY_USERS
PID:4092

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1464

C:\Windows\system32\reg.exe
Reg add "HKU\.DEFAULT\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f
2⤵
- Modifies data under HKEY_USERS
PID:1828

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2164

C:\Windows\system32\reg.exe
Reg add "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "CursorSensitivity" /t REG_DWORD /d "10000" /f
2⤵
PID:2468

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2612

C:\Windows\system32\reg.exe
Reg add "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "CursorUpdateInterval" /t REG_DWORD /d "1" /f
2⤵
PID:2668

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3660

C:\Windows\system32\reg.exe
Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "GlobalTimerResolutionRequests" /t REG_DWORD /d "1" /f
2⤵
PID:1564

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:752

C:\Windows\system32\reg.exe
Reg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t Reg_DWORD /d "2" /f
2⤵
PID:4216

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:5072

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
2⤵
PID:4356

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1304

C:\Windows\system32\reg.exe
Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t Reg_DWORD /d "1" /f
2⤵
PID:1836

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2180

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "ColorPrevalence" /t REG_DWORD /d "0" /f
2⤵
PID:4220

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4536

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
2⤵
PID:416

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4644

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d "0" /f
2⤵
PID:1872

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3640

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "SystemUsesLightTheme" /t REG_DWORD /d "0" /f
2⤵
PID:4288

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3488

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:4052

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4552

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:1280

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4152

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:4660

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4516

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\CursorShadow" /v "DefaultApplied" /t Reg_SZ /d "0" /f
2⤵
PID:2276

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4064

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DragFullWindows" /v "DefaultApplied" /t REG_SZ /d "1" /f
2⤵
PID:2296

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3528

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DropShadow" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:1252

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3788

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMAeroPeekEnabled" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:4496

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3936

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMSaveThumbnailEnabled" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:3316

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1380

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\FontSmoothing" /v "DefaultApplied" /t REG_SZ /d "2" /f
2⤵
PID:2032

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3280

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListBoxSmoothScrolling" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:2140

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1876

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewAlphaSelect" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:3500

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:464

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewShadow" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:2828

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4044

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:3876

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4132

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\SelectionFade" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:3764

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2356

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimations" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:4720

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1844

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ThumbnailsOrIcon" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:1780

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2184

C:\Windows\system32\reg.exe
Reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v "DefaultApplied" /t REG_SZ /d "0" /f
2⤵
PID:936

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2540

C:\Windows\system32\wevtutil.exe
wevtutil sl Microsoft-Windows-SleepStudy/Diagnostic /e:false
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\wevtutil.exe
wevtutil sl Microsoft-Windows-Kernel-Processor-Power/Diagnostic /e:false
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\wevtutil.exe
wevtutil sl Microsoft-Windows-UserModePowerService/Diagnostic /e:false
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Enum" /S /F "StorPort" | findstr /e "StorPort"
2⤵
PID:4812

C:\Windows\system32\reg.exe
reg query "HKLM\System\CurrentControlSet\Enum" /S /F "StorPort"
3⤵
- Checks SCSI registry key(s)
PID:4004

C:\Windows\system32\findstr.exe
findstr /e "StorPort"
3⤵
PID:2376

C:\Windows\system32\reg.exe
Reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
2⤵
PID:1956

C:\Windows\system32\reg.exe
Reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
2⤵
PID:240

C:\Windows\system32\reg.exe
Reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
2⤵
PID:3088

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2864

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
2⤵
- Delays execution with timeout.exe
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads