Analysis
- max time kernel: 95s
- max time network: 94s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03-03-2024 19:29
Behavioral tasks (every task ran on resource win11-20240221-en):
- behavioral1: SetTimerResolution.exe
- behavioral2: Windows Cleanup/[1] Cleanup Windows Files.bat
- behavioral3: Windows Cleanup/[2] Cleanmgr Setup.lnk
- behavioral4: Windows Cleanup/[3] cleanmgr.exe.lnk
- behavioral5: Windows Cleanup/[4] Device Cleanup.exe
- behavioral6: Windows Cleanup/[5] adwcleaner.exe
- behavioral7: [0] Create Restore Point.lnk
- behavioral8: [1] PW Consumption.bat
- behavioral9: [2] UnparkCPU.exe
- behavioral10: [3] Windows Stability Installer.bat
- behavioral11: [4] S-Timer Setup.bat
- behavioral12: [5] Input Delay.bat
- behavioral13: [6] DTB.bat
- behavioral14: [7] Wub.exe
General
- Target: [6] DTB.bat
- Size: 128KB
- MD5: a2f025e563de8260837ac8917f9f091c
- SHA1: 0b5b28b345b4029ffc95cec921ff701fdc69f595
- SHA256: f83a9b47af2139a46e2a030313574f4c489d81119ce7aeaafd68d72e566a3954
- SHA512: 82ac6b16c601f942ee4f1b4e72ab9626d33c645ff2de4f7709f6a5183c29d25306cdb5d7308c8b3c7e0eca19ac955bfa20ea878c135b9cdfd0a48b5728325c57
- SSDEEP: 768:pl8Ey8Lp1H1ba2f4DUoqTsHaddjWpN1jy/CzYmOMwQ81jfiQWXtkbBZtXTxZLNdf:AEy85bIG6s5o7a
Malware Config
Signatures

Delays execution with timeout.exe (2 IoCs)
Processes (pid, process):
- 2560 timeout.exe
- 3732 timeout.exe
Modifies registry class (11 IoCs)
Processes (description, ioc, process), all by reg.exe:
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge
- Set value (int): \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion
- Key created: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
Runs ping.exe (1 TTP, 64 IoCs)
Processes (pid, process), all 64 entries are PING.EXE; pids in report order:
2216, 1572, 1936, 4268, 4508, 2328, 3528, 4296, 4224, 1504, 544, 4268, 3000, 1508, 3560, 4684, 668, 4772, 4652, 4332, 4856, 1788, 416, 4856, 2928, 1604, 1556, 3404, 3028, 2368, 2688, 1644, 4676, 4508, 2724, 2556, 2360, 4320, 2860, 360, 4068, 4552, 3696, 4528, 4976, 1948, 1656, 404, 2068, 712, 3024, 3864, 428, 4332, 1936, 3460, 1640, 1200, 2872, 1180, 3032, 4644, 1116, 1780
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process), each recorded twice:
- 1000 powershell.exe
- 1000 powershell.exe
- 3608 powershell.exe
- 3608 powershell.exe
- 4032 powershell.exe
- 4032 powershell.exe
- 4116 powershell.exe
- 4116 powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1000 powershell.exe
- Token: SeDebugPrivilege, 3608 powershell.exe
- Token: SeDebugPrivilege, 4032 powershell.exe
- Token: SeDebugPrivilege, 4116 powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process). The writing process is always PID 4036 cmd.exe, and the report records each entry twice (32 distinct targets, 64 IoCs):
- PID 4036 wrote to memory of 2560 (timeout.exe)
- PID 4036 wrote to memory of 1000 (powershell.exe)
- PID 4036 wrote to memory of 4268 (PING.EXE)
- PID 4036 wrote to memory of 3608 (powershell.exe)
- PID 4036 wrote to memory of 1360 (PING.EXE)
- PID 4036 wrote to memory of 4032 (powershell.exe)
- PID 4036 wrote to memory of 1180 (PING.EXE)
- PID 4036 wrote to memory of 4116 (powershell.exe)
- PID 4036 wrote to memory of 4320 (PING.EXE)
- PID 4036 wrote to memory of 812 (reg.exe)
- PID 4036 wrote to memory of 4528 (PING.EXE)
- PID 4036 wrote to memory of 428 (reg.exe)
- PID 4036 wrote to memory of 3560 (PING.EXE)
- PID 4036 wrote to memory of 2896 (reg.exe)
- PID 4036 wrote to memory of 2860 (PING.EXE)
- PID 4036 wrote to memory of 2484 (reg.exe)
- PID 4036 wrote to memory of 360 (PING.EXE)
- PID 4036 wrote to memory of 1708 (reg.exe)
- PID 4036 wrote to memory of 4684 (PING.EXE)
- PID 4036 wrote to memory of 720 (reg.exe)
- PID 4036 wrote to memory of 2688 (PING.EXE)
- PID 4036 wrote to memory of 764 (reg.exe)
- PID 4036 wrote to memory of 3024 (PING.EXE)
- PID 4036 wrote to memory of 4112 (reg.exe)
- PID 4036 wrote to memory of 4676 (PING.EXE)
- PID 4036 wrote to memory of 1620 (reg.exe)
- PID 4036 wrote to memory of 4976 (PING.EXE)
- PID 4036 wrote to memory of 4796 (reg.exe)
- PID 4036 wrote to memory of 4332 (PING.EXE)
- PID 4036 wrote to memory of 5064 (reg.exe)
- PID 4036 wrote to memory of 4856 (PING.EXE)
- PID 4036 wrote to memory of 3176 (reg.exe)
Processes

Each entry gives the PID, the image path, the command line, and in square brackets any signatures the process triggered. Child processes are indented under the parent cmd.exe.

- PID 4036 (C:\Windows\system32\cmd.exe): C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\[6] DTB.bat" [Suspicious use of WriteProcessMemory]
  - PID 2560 (C:\Windows\system32\timeout.exe): timeout /t 2 /nobreak [Delays execution with timeout.exe]
  - PID 1000 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): PowerShell -Command "Get-AppxPackage *Microsoft.549981C3F5F10* | Remove-AppxPackage" [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
  - PID 4268 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3608 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): PowerShell -Command "Get-AppxPackage *Feedback* | Remove-AppxPackage" [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
  - PID 1360 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100
  - PID 4032 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): PowerShell -Command "Get-AppxPackage -allusers Microsoft.GetHelp | Remove-AppxPackage" [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
  - PID 1180 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4116 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): PowerShell -Command "Get-AppxPackage -allusers Microsoft.SkypeApp | Remove-AppxPackage" [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
  - PID 4320 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 812 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\FindMyDevice" /v "AllowFindMyDevice" /t REG_DWORD /d "0" /f
  - PID 4528 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 428 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 0 /f
  - PID 3560 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2896 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  - PID 2860 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2484 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "AllowPrelaunch" /t REG_DWORD /d "0" /f
  - PID 360 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 1708 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\TabPreloader" /v "AllowTabPreloading" /t REG_DWORD /d "0" /f
  - PID 4684 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 720 (C:\Windows\system32\reg.exe): Reg add "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
  - PID 2688 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 764 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\WindowsSelfHost\UI\Visibility" /v "DiagnosticErrorText" /t REG_DWORD /d "0" /f
  - PID 3024 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4112 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticErrorText" /t REG_SZ /d "" /f
  - PID 4676 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100
  - PID 1620 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticLinkText" /t REG_SZ /d "" /f
  - PID 4976 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4796 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f [Modifies registry class]
  - PID 4332 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 5064 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d "1" /f
  - PID 4856 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3176 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d "1" /f
  - PID 3032 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3048 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f
  - PID 4508 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2116 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d "1" /f
  - PID 2516 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100
  - PID 2308 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d "1" /f
  - PID 1936 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3980 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d "1" /f
  - PID 4644 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4708 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 1116 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 1716 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 668 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 5020 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 4068 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4808 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
  - PID 544 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 876 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\PolicyManager\current\device\Bluetooth" /v "AllowAdvertising" /t REG_DWORD /d "0" /f
  - PID 4552 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3012 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\Messaging" /v "AllowMessageSync" /t REG_DWORD /d "0" /f
  - PID 2724 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 1924 (C:\Windows\system32\reg.exe): Reg add "HKCU\ControlPanel\International\UserProfile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  - PID 1656 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 700 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
  - PID 1788 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3524 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /v "Value" /t REG_SZ /d "Deny" /f
  - PID 2328 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4444 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
  - PID 3528 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2472 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
  - PID 4880 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100
  - PID 3768 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
  - PID 1780 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 1444 (C:\Windows\system32\reg.exe): Reg add "HKLM\System\ControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
  - PID 1604 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4024 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d "1" /f
  - PID 2556 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4080 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /v "Value" /t REG_SZ /d "Deny" /f
  - PID 2360 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4456 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /v "Value" /t REG_SZ /d "Deny" /f
  - PID 4296 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4952 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\CredUI" /v "DisablePasswordReveal" /t REG_DWORD /d "1" /f
  - PID 1640 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3320 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\PolicyManager\current\device\Browser" /v "AllowAddressBarDropdown" /t REG_DWORD /d "0" /f
  - PID 3864 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2040 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d "5" /f
  - PID 4224 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 1048 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 1200 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4220 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 4268 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3736 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 1556 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3616 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 1644 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2740 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 404 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2292 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 3000 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4784 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
  - PID 2872 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 952 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
  - PID 3404 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 796 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d "0" /f
  - PID 1508 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 548 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Speech" /v "AllowSpeechModelUpdate" /t REG_DWORD /d "0" /f
  - PID 3028 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4032 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
  - PID 2368 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4492 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  - PID 2928 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 976 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  - PID 2216 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2408 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
  - PID 3696 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2324 (C:\Windows\system32\reg.exe): Reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  - PID 1572 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2488 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f
  - PID 3460 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4528 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f
  - PID 428 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4200 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  - PID 2068 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4936 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  - PID 416 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4012 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d "0" /f
  - PID 712 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2956 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "SystemSettingsDownloadMode" /t REG_DWORD /d "0" /f
  - PID 4772 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4992 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  - PID 1504 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2588 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  - PID 1948 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3444 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "0" /f
  - PID 4676 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4900 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
  - PID 4976 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100
  - PID 5076 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /v "AutoDownload" /t REG_DWORD /d "2" /f
  - PID 4332 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3448 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeviceMetadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
  - PID 4856 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 2164 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Microsoft\OneDrive" /v "PreventNetworkTrafficPreUserSignIn" /t REG_DWORD /d "1" /f
  - PID 3032 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100
  - PID 1872 (C:\Windows\system32\reg.exe): Reg add "HKLM\Software\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
  - PID 4508 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 904 (C:\Windows\system32\reg.exe): Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
  - PID 2516 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100
  - PID 2904 (C:\Windows\system32\reg.exe): Reg add "HKLM\System\ControlSet\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1936 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 4692 (C:\Windows\system32\reg.exe): Reg add "HKLM\System\ControlSet\Services\lfsvc" /v "Start" /t REG_DWORD /d "4" /f
  - PID 4652 (C:\Windows\system32\PING.EXE): ping 127.0.0.1 -n 1 -w 100 [Runs ping.exe]
  - PID 3732 (C:\Windows\system32\timeout.exe): timeout /t 2 /nobreak [Delays execution with timeout.exe]
Network
MITRE ATT&CK Enterprise v15
Downloads