Analysis
-
max time kernel
213s -
max time network
264s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
27/07/2024, 06:33
General
-
Target
priv pallet lock.bat
-
Size
5KB
-
MD5
28aa4fdc961537cbe5f1049512b2f5e2
-
SHA1
e14dafcfa5eeee6809df73d92c376da9f16c0464
-
SHA256
a32ac8894917da3ea40a4b544b7d0e67b0aaec406589ad0060bfacfbb8099b63
-
SHA512
70bfced1aa6327cbd90214ad0d40870b4870f45db1a0dee4a30ffdddd48448477432f9733bca9eae5536b3ba551e2f82bc9b99d60dae526776633684debb4270
-
SSDEEP
96:BhHJjdoSELCunlubho+A+FQTYtfbs5xeq3:BhHNunlubho+A+FQTM4xeq3
Score
7/10
Malware Config
Signatures
-
Indirect Command Execution 1 TTPs 3 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Power Settings 1 TTPs 3 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 4 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 60 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
-
Delays execution with timeout.exe 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\priv pallet lock.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global autotuninglevel=normal2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh interface 6to4 set state disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global timestamps=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Time Discovery
-
-
C:\Windows\system32\netsh.exenetsh int tcp set heuristics disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global chimney=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global ecncapability=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global rsc=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global nonsackrttresiliency=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set security mpp=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set security profiles=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int ip set global icmpredirects=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set security mpp=disabled profiles=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set supplemental internet congestionprovider=ctcp2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh interface teredo set state disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh winsock set autotuning on2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int isatap set state disable2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int ip set global taskoffload=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int ip set global neighborcachelimit=40962⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int ip set global routecachelimit=40962⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int ip set global sourceroutingbehavior=drop2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell Disable-NetAdapterLso -Name "*"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterPowerManagement -Name $adapter.Name -ErrorAction SilentlyContinue}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterLso -Name $adapter.Name -ErrorAction SilentlyContinue}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "32" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "GlobalMaxTcpWindowSize" /t REG_DWORD /d "8760" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpWindowSize" /t REG_DWORD /d "8760" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxConnectionsPerServer" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_networkadapter get GUID3⤵
-
-
C:\Windows\system32\findstr.exefindstr "{"3⤵
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AB1848B7-436A-497A-AE43-DB91F91E6C8E}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_networkadapter get GUID3⤵
-
-
C:\Windows\system32\findstr.exefindstr "{"3⤵
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AB1848B7-436A-497A-AE43-DB91F91E6C8E}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_networkadapter get GUID3⤵
-
-
C:\Windows\system32\findstr.exefindstr "{"3⤵
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AB1848B7-436A-497A-AE43-DB91F91E6C8E}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg import "C:\ExcusesFN"2⤵
- Power Settings
-
-
C:\Windows\system32\forfiles.exeforfiles -p "C:\Windows\prefetch" -s -m *.* /C "cmd /c del @path"2⤵
- Indirect Command Execution
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\AgAppLaunch.db"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\AgGlFaultHistory.db"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\AgGlFgAppHistory.db"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\AgGlGlobalHistory.db"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\AgRobust.db"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\APPLICATIONFRAMEHOST.EXE-CCEEF759.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\ASPNET_REGIIS.EXE-945CDB73.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\ASPNET_REGIIS.EXE-A5891C91.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\AUDIODG.EXE-BDFD3029.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\BACKGROUNDTASKHOST.EXE-ACEF2FA2.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\BYTECODEGENERATOR.EXE-C1E9BCE6.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\CONHOST.EXE-1F3E9D7E.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\DISM.EXE-DE199F71.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\DISMHOST.EXE-8F2B04FD.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\DLLHOST.EXE-504C779A.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\DLLHOST.EXE-5E46FA0D.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\DLLHOST.EXE-A73FB9CB.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\DLLHOST.EXE-FC981FFE.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\FILESYNCCONFIG.EXE-33763EB7.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\FSQUIRT.EXE-BBD9646E.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\LINQWEBCONFIG.EXE-4A3DBBF6.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\NGEN.EXE-AE594A6B.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\NGEN.EXE-EC3F9239.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\ONEDRIVE.EXE-96969DDA.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\ONEDRIVESETUP.EXE-ADFC0EFD.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\PfPre_5f3b4030.mkd"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\PfSvPerfStats.bin"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\POWERSHELL.EXE-920BBA2A.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\REG.EXE-E7E8BD26.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\ResPriHMStaticDb.ebd"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-002D6F84.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-01E21A55.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-0521102C.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-08AF006C.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-0A03C9B5.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-0C84305E.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-1463E66D.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-156D43F1.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-1589E4C3.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-16AF9B6E.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-18665B15.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-23EA2E5B.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-2C52326A.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-32DA767E.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-373C0EED.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-4DC9A20E.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-4EFE6110.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-56E309E9.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-5B70F332.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-61696F68.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-641DCE1C.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-6F2A95AF.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-7194EF5E.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-7BB97BF6.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-7BCB4814.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-7C77C512.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-7CB48DE8.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-7E8D1C35.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-7EF4A0DD.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-7F337F0A.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-894C9E34.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-8AFD300C.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-976DB280.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-97BCF638.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-99F89D15.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-AE5EC6E9.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-AED2006F.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-B2C296EF.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-C5BE1C43.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-C8D69DC6.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-D2B15AE2.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-D71F3FEA.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-DB926CB0.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-E66A223C.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-E8196656.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-FCAF5656.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-FDF50724.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNDLL32.EXE-FFCC5BB3.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-005D3145.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-06226CEB.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-3ED30A86.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-4DE02988.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-94A02D86.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-98C67737.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-B1A87C0F.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-BC366267.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-D9106866.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SGRMBROKER.EXE-0CA31CC6.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SHELLEXPERIENCEHOST.EXE-A3608B1E.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SHUTDOWN.EXE-E7D5C9CC.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SLUI.EXE-724E99D9.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SOBQL9.EXE-62BA7442.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-033BBABB.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-342BD74A.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-4BA0E729.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-5AC380EC.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-7CFEDEA3.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-8102A33C.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-C49E779A.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-CABA5DBC.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-DF3D779F.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-E45D8788.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-F027B880.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\SVCHOST.EXE-FF8EBD82.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\TAKEOWN.EXE-A80759AD.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\TASKHOSTW.EXE-3E0B74C8.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\TASKKILL.EXE-8F5B2253.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\TIWORKER.EXE-C101ABCD.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\TRUSTEDINSTALLER.EXE-3CC531E5.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\VSSVC.EXE-B8AFC319.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\WFSERVICESREG.EXE-3EE82250.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\WFSERVICESREG.EXE-766D3C5B.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\WLRMDR.EXE-C2B47318.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\WMIADAP.EXE-F8DFDFA2.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\WMIPRVSE.EXE-1628051C.pf"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\ReadyBoot\rblayout.xin"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\ReadyBoot\ReadyBoot.etl"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\prefetch\ReadyBoot\Trace1.fx"3⤵
-
-
-
C:\Windows\system32\forfiles.exeforfiles -p "C:\Users\justin\AppData\Local\Temp" -s -m *.* /C "cmd /c del @path"2⤵
- Indirect Command Execution
-
-
C:\Windows\system32\forfiles.exeforfiles -p "C:\Windows\Temp" -s -m *.* /C "cmd /c del @path"2⤵
- Indirect Command Execution
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\amc34FA.tmp"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\amc34FA.tmp.LOG1"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\amc34FA.tmp.LOG2"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\amc34FB.tmp"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\amc34FB.tmp.LOG1"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\amc34FB.tmp.LOG2"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\amc3A69.tmp"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\amc3A69.tmp.LOG1"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\amc3A69.tmp.LOG2"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\ASPNETSetup_00000.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\ASPNETSetup_00001.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\FXSAPIDebugLogFile.txt"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\FXSTIFFDebugLogFile.txt"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\msedge_installer.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(20240709142536870).log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(20240709142656948).log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(202407091428169B4).log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(202407091429399FC).log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(202407091432049C4).log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(20240709143451A04).log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(20240709151318720).log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1419.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1420.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1420a.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1420b.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1420c.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1420d.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1425.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1427.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1428.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1429.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1431.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1432.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1434.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1508.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\VOCYMMGW-20240709-1513.log"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\MsEdgeCrashpad\settings.dat"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\MsEdgeCrashpad\throttle_store.dat"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\_6F581920-6408-4221-81CD-ED6B4EED22E6\WindowsUpdate.20240709.140645.275.1.etl"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\_6F581920-6408-4221-81CD-ED6B4EED22E6\WindowsUpdate.20240709.140645.275.2.etl"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\_6F581920-6408-4221-81CD-ED6B4EED22E6\WindowsUpdate.20240709.140645.275.3.etl"3⤵
-
-
C:\Windows\system32\cmd.exe/c del "C:\Windows\Temp\_6F581920-6408-4221-81CD-ED6B4EED22E6\WindowsUpdate.20240727.063418.297.1.etl"3⤵
-
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor 5d76a2ca-e8c0-402f-a133-2158492d58ad 12⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "ForEach($v in (Get-Command -Name \"Set-ProcessMitigation\").Parameters[\"Disable\"].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"2⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Remove-Item -Path \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\" -Recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorLatencyTolerance" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set DisableDeleteNotify 12⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
1KB
MD58b37d4c4212937039cb6791f34cd1991
SHA1be4cddde010d16bf472a8211995efc7187d2a605
SHA2566e567f8348eb87a4e470219b08edbb14d6ec13652e676cc17dff7f39282450a6
SHA51298dfef5ec121056c7fc42662c3b5d9159740753451308a466def95425c3fbf411a9fc2e597de2e3e17ea50710b28d4c3a3641a6bfceab31c812d108c068825f7
-
Filesize
1KB
MD5997eb28e4024d22ccc41b134788d416e
SHA1779082f7b7341c45102bc0afab193318af67a4ff
SHA256c8af4c89e7f8cc49a7baf6deed09a84e30c263febab26fd31d2ff070d0019835
SHA512cc300708cf96e249d00dc7a4994dc934e6049f4aebcd726cf32b69b48a22ea46a341affe2f7ea68c0f29860f1561ee2d38c471af3a8a5003e94d19c9dd4d7708
-
Filesize
1KB
MD517aec4af6739c0b2edfc3032deefda35
SHA1ebf6c712b33c4763eafb35ee8328d1e0e8077992
SHA256be1676aa247ca3205e8accdb86575e81513c34de86d33072fa499d685dc602a9
SHA512ca01a1cf606a37596902ce145221f351f3c206c20bb0c0942ae36c831bad582b8b15a373f096ae0c0457d06b4edcc4812bf00a5f97d5bdae21ec3b9bf3e4309a
-
Filesize
1KB
MD52488d3bd582fc500b6e3a79cba25cf76
SHA1123e41b8c12c60648eda8c5aebb85c82693439dc
SHA256ddc9246c3f222e7e09302e90cd51ad09eb3a5e9e3c766061e61c2af348d4a037
SHA51254a99b725677af943e548a42148666a0e2057b6816effb954d4dcc7eb87f476eaf4e17813a9903ef7c77c6ffb3f59db48127d7572491f545bccfcd26cc25d226
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
136KB
-
Filesize
120KB