Analysis

Max time kernel: 38s
Platform: windows11-21h2_x64
Resource: win11-20240221-en
Resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 28/03/2024, 21:52
Static task: static1
Behavioral task: behavioral1
Sample: RET4KE 0 DELAY V2.exe
Resource: win11-20240221-en

General

Target: RET4KE 0 DELAY V2.exe
Size: 168KB
MD5: 3d9ec553e881f47ab6e2bdbb3be0305d
SHA1: adff63693eaa56c79b04040f26460f01b248e6c9
SHA256: bcc3f3f1a8a28528e1b4975e2bb9b017ef0fc420ed8eeb15c56e488ec5c5f96d
SHA512: bdf5dcdb7bd5e698cc73fd8785f00281e6401e46fdded45fc102ac44b1432260616af04f9017dbc0c6e41c1690407bb07403d4e2f4d4f6aa702e32d9ff0f84d9
SSDEEP: 3072:cahKyd2n31l5GWp1icKAArDZz4N9GhbkrNEkBNJAQ8lwzhALaN:cahOZp0yN90QEu
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: RET4KE 0 DELAY V2.exe
  Note: a RunOnce value named wextract_cleanup<N> that calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP folder is the standard cleanup entry written by the Windows IExpress/wextract self-extractor to delete its extraction directory; it removes the temp folder on the next logon rather than relaunching the sample, which is consistent with the child cmd.exe running the unpacked "RET4KE 0 DELAY V2.bat".
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process
  3216  powershell.exe (recorded twice)
  1572  powershell.exe (recorded twice)
  3488  powershell.exe (recorded twice)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Both WMIC.exe instances adjusted the same sequence of token privileges. The sequence is:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID   Process    Entries
  2420  WMIC.exe   the sequence above, recorded twice (42 entries)
  4872  WMIC.exe   the sequence above once, then SeIncreaseQuotaPrivilege again (22 entries); the list stops at 64 entries
Suspicious use of WriteProcessMemory (64 IoCs)
  Each write is recorded twice. Source PID and process -> target PID (procid_target):
  2148 RET4KE 0 DELAY V2.exe -> 1112 (80)
  1112 cmd.exe -> 3032 (82), 2140 (83), 2460 (84), 2712 (85), 1644 (86), 2004 (87), 1624 (88), 1240 (89), 3544 (90), 676 (91), 3280 (92), 4948 (93), 4204 (94), 4852 (95), 2624 (96), 2904 (97), 1260 (98), 1132 (99), 1696 (100), 984 (101), 1416 (102), 5032 (103), 2056 (104), 1740 (105), 3904 (106), 1460 (107), 1036 (108), 912 (109), 4856 (110), 2276 (111), 2876 (112)
Processes

Tree depth is shown in brackets. Each entry gives the image path and PID, then the command line as captured, then any signatures attributed to that process.

[1] C:\Users\Admin\AppData\Local\Temp\RET4KE 0 DELAY V2.exe (PID 2148)
    "C:\Users\Admin\AppData\Local\Temp\RET4KE 0 DELAY V2.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\cmd.exe (PID 1112)
      cmd /c "RET4KE 0 DELAY V2.bat"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 3032)
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Tcp Autotuning Level" /t REG_SZ /d "Off" /f
    [3] C:\Windows\system32\reg.exe (PID 2140)
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Tcp Autotuning Level" /t REG_SZ /d "Highly Restricted" /f
    [3] C:\Windows\system32\reg.exe (PID 2460)
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Tcp Autotuning Level" /t REG_SZ /d "Restricted" /f
    [3] C:\Windows\system32\reg.exe (PID 2712)
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Tcp Autotuning Level" /t REG_SZ /d "Normal" /f
    [3] C:\Windows\system32\reg.exe (PID 1644)
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Application DSCP Marking Request" /t REG_SZ /d "Ignored" /f
    [3] C:\Windows\system32\reg.exe (PID 2004)
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS" /v "Application DSCP Marking Request" /t REG_SZ /d "Allowed" /f
    [3] C:\Windows\system32\reg.exe (PID 1624)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\QoS" /v "Do not use NLA" /t REG_SZ /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 1240)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableUserTOSSetting" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 3544)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "CorpLocationProbeTimeout" /t REG_DWORD /d "30" /f
    [3] C:\Windows\system32\reg.exe (PID 676)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "LdapTimeoutMs" /t REG_DWORD /d "5000" /f
    [3] C:\Windows\system32\reg.exe (PID 3280)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "ShowDomainEndpointInterfaces" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 4948)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "EnableNoGatewayLocationDetection" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 4204)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet" /v "MinimumInternetHopCount" /t REG_DWORD /d "2" /f
    [3] C:\Windows\system32\reg.exe (PID 4852)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 2624)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 2904)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 1260)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\NVAPI" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 1132)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\NVTweak" /v "RmGpsPsEnablePerCpuCoreDpc" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 1696)
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "TimeStampInterval" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 984)
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance" /F /V "DisableDiagnosticTracing" /T REG_DWORD /d 1
    [3] C:\Windows\system32\reg.exe (PID 1416)
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power" /F /V "EventProcessorEnabled" /T REG_DWORD /d 0
    [3] C:\Windows\system32\reg.exe (PID 5032)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /F /V "MonitorLatencyTolerance" /T REG_DWORD /d 0
    [3] C:\Windows\system32\reg.exe (PID 2056)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /F /V "MonitorRefreshLatencyTolerance" /T REG_DWORD /d 0
    [3] C:\Windows\system32\reg.exe (PID 1740)
        REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /F /V "MenuShowDelay" /T REG_SZ /d 0
    [3] C:\Windows\system32\reg.exe (PID 3904)
        REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "MouseSensitivity" /T REG_SZ /d 0
    [3] C:\Windows\system32\reg.exe (PID 1460)
        REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "SmoothMouseXCurve" /T REG_BINARY /d 0000000000000000C0CC0C000000000080991900000000004066260000000000003333000000000
    [3] C:\Windows\system32\reg.exe (PID 1036)
        REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "SmoothMouseYCurve" /T REG_BINARY /d 000000000000000000003800000000000000700000000000000A800000000000000E00000000000
    [3] C:\Windows\system32\reg.exe (PID 912)
        REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "MouseSpeed" /T REG_SZ /d 0
    [3] C:\Windows\system32\reg.exe (PID 4856)
        REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "MouseThreshold1" /T REG_SZ /d 0
    [3] C:\Windows\system32\reg.exe (PID 2276)
        REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /F /V "MouseThreshold2" /T REG_SZ /d 0
    [3] C:\Windows\system32\reg.exe (PID 2876)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "ConvertibleSlateMode" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 1004)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "40" /f
    [3] C:\Windows\system32\reg.exe (PID 1768)
        REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 4028)
        REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 2932)
        REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate" /v "value" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 4652)
        REG ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 4636)
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 1600)
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
    [3] C:\Windows\system32\reg.exe (PID 4972)
        reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f reg add "HKCU\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f
    [3] C:\Windows\system32\reg.exe (PID 4624)
        reg add "HKCU\Control Panel\Desktop" /v "UserPreferencesMask" /t REG_BINARY /d "9012038010020000" /f
    [3] C:\Windows\system32\reg.exe (PID 232)
        reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 2340)
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShellState" /t REG_BINARY /d "240000003E28000000000000000000000000000001000000130000000000000072000000" /f
    [3] C:\Windows\system32\reg.exe (PID 844)
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 1772)
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 2900)
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 464)
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 1656)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 2780)
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 1380)
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 3240)
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 4584)
        reg add "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 2332)
        reg add "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 544)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 3556)
        reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient" /v "CorporateSQMURL" /t REG_SZ /d "0.0.0.0" /f
    [3] C:\Windows\system32\reg.exe (PID 4364)
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "16" /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "16" /f
    [3] C:\Windows\system32\reg.exe (PID 2264)
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\cmd.exe (PID 2980)
        C:\Windows\system32\cmd.exe /c wmic PATH Win32_PnPEntity GET DeviceID | findstr /l "USB\VID_"
      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 2420)
          wmic PATH Win32_PnPEntity GET DeviceID
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\findstr.exe (PID 224)
          findstr /l "USB\VID_"
    [3] C:\Windows\system32\reg.exe (PID 788)
        reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v SelectiveSuspendOn /t REG_DWORD /d 00000000 /f
    [3] C:\Windows\system32\reg.exe (PID 1828)
        reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v SelectiveSuspendEnabled /t REG_BINARY /d 00 /f
    [3] C:\Windows\system32\reg.exe (PID 1328)
        reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v EnhancedPowerManagementEnabled /t REG_DWORD /d 00000000 /f
    [3] C:\Windows\system32\reg.exe (PID 1960)
        reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v AllowIdleIrpInD3 /t REG_DWORD /d 00000000 /f
    [3] C:\Windows\system32\cmd.exe (PID 1944)
        C:\Windows\system32\cmd.exe /c wmic PATH Win32_USBHub GET DeviceID | findstr /l "USB\ROOT_HUB"
      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 4872)
          wmic PATH Win32_USBHub GET DeviceID
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\findstr.exe (PID 3816)
          findstr /l "USB\ROOT_HUB"
    [3] C:\Windows\system32\reg.exe (PID 4924)
        reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB20\4&3104EFD0&0\Device Parameters\WDF" /v IdleInWorkingState /t REG_DWORD /d 00000000 /f
    [3] C:\Windows\system32\reg.exe (PID 4184)
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    [3] C:\Windows\system32\netsh.exe (PID 3844)
        netsh interface teredo set state disabled
    [3] C:\Windows\system32\netsh.exe (PID 4772)
        netsh interface 6to4 set state disabled
    [3] C:\Windows\system32\netsh.exe (PID 692)
        netsh winsock reset
    [3] C:\Windows\system32\netsh.exe (PID 1624)
        netsh int isatap set state disable
    [3] C:\Windows\system32\netsh.exe (PID 776)
        netsh int ip set global taskoffload=disabled
    [3] C:\Windows\system32\netsh.exe (PID 3260)
        netsh int ip set global neighborcachelimit=4096
    [3] C:\Windows\system32\netsh.exe (PID 1804)
        netsh int tcp set global timestamps=disabled
    [3] C:\Windows\system32\netsh.exe (PID 280)
        netsh int tcp set heuristics disabled
    [3] C:\Windows\system32\netsh.exe (PID 5064)
        netsh int tcp set global autotuninglevel=disable
    [3] C:\Windows\system32\netsh.exe (PID 1876)
        netsh int tcp set global chimney=disabled
    [3] C:\Windows\system32\netsh.exe (PID 1872)
        netsh int tcp set global ecncapability=disabled
    [3] C:\Windows\system32\netsh.exe (PID 4856)
        netsh int tcp set global rss=enabled
    [3] C:\Windows\system32\netsh.exe (PID 2400)
        netsh int tcp set global rsc=disabled
    [3] C:\Windows\system32\netsh.exe (PID 1768)
        netsh int tcp set global dca=enabled
    [3] C:\Windows\system32\netsh.exe (PID 4652)
        netsh int tcp set global netdma=enabled
    [3] C:\Windows\system32\netsh.exe (PID 1940)
        netsh int tcp set global nonsackrttresiliency=disabled
    [3] C:\Windows\system32\netsh.exe (PID 2312)
        netsh int tcp set security mpp=disabled
    [3] C:\Windows\system32\netsh.exe (PID 1420)
        netsh int tcp set security profiles=disabled
    [3] C:\Windows\system32\netsh.exe (PID 2488)
        netsh int ip set global icmpredirects=disabled
    [3] C:\Windows\system32\netsh.exe (PID 956)
        netsh int tcp set security mpp=disabled profiles=disabled
    [3] C:\Windows\system32\netsh.exe (PID 1380)
        netsh int ip set global multicastforwarding=disabled
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3216)
        PowerShell Disable-NetAdapterLso -Name "*"
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1572)
        powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterPowerManagement -Name $adapter.Name -ErrorAction SilentlyContinue}"
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3488)
        powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterLso -Name $adapter.Name -ErrorAction SilentlyContinue}"
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\reg.exe (PID 3844)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnableICMPRedirect" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 824)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnablePMTUDiscovery" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 2232)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 1492)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f
    [3] C:\Windows\system32\reg.exe (PID 2636)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "32" /f
    [3] C:\Windows\system32\reg.exe (PID 780)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "GlobalMaxTcpWindowSize" /t REG_DWORD /d "8760" /f
    [3] C:\Windows\system32\reg.exe (PID 668)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpWindowSize" /t REG_DWORD /d "8760" /f
    [3] C:\Windows\system32\reg.exe (PID 2712)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxConnectionsPerServer" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 2068)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
    [3] C:\Windows\system32\reg.exe (PID 692)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 3544)
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f
    [3] C:\Windows\system32\reg.exe (PID 3144)
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_SZ /d "ffffffff" /f
    [3] C:\Windows\system32\reg.exe (PID 5108)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Application Name" /t REG_SZ /d "fortniteclient-win64-shipping.exe" /f
    [3] C:\Windows\system32\reg.exe (PID 4360)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "DSCP value" /t REG_SZ /d "46" /f
    [3] C:\Windows\system32\reg.exe (PID 1048)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Local IP" /t REG_SZ /d "*" /f
    [3] C:\Windows\system32\reg.exe (PID 2840)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Local IP Prefix Length" /t REG_SZ /d "*" /f
    [3] C:\Windows\system32\reg.exe (PID 4876)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Local Port" /t REG_SZ /d "*" /f
    [3] C:\Windows\system32\reg.exe (PID 1728)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Protocol" /t REG_SZ /d "UDP" /f
    [3] C:\Windows\system32\reg.exe (PID 872)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Remote IP" /t REG_SZ /d "*" /f
    [3] C:\Windows\system32\reg.exe (PID 3260)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Remote IP Prefix Length" /t REG_SZ /d "*" /f
    [3] C:\Windows\system32\reg.exe (PID 2864)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "Remote Port" /t REG_SZ /d "*" /f
    [3] C:\Windows\system32\reg.exe (PID 3988)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "throttle Rate" /t REG_SZ /d "-1" /f
    [3] C:\Windows\system32\reg.exe (PID 2868)
        REG ADD "HKEY_LOCAL_MACHINE\SOftWARE\Policies\Microsoft\Windows\QoS\fortnite" /v "version" /t REG_SZ /d "1.0" /f
    [3] C:\Windows\system32\reg.exe (PID 248)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\pci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 2936)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\rt640x64\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 280)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\storahci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 4844)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\stornvme\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 244)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 5064)
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\pci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f