Analysis
-
max time kernel
105s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-09-2024 20:56
General
-
Target
https://cdn.discordapp.com/attachments/1231953046066434059/1286793157824090213/main.bat?ex=66ef3304&is=66ede184&hm=7babf26fea84a56a0cf2cd70610c8efe98bdfb40730dedebf56387826b5e8230&
Score
10/10
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
-
Stops running service(s) 4 TTPs
-
Power Settings 1 TTPs 58 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Launches sc.exe 20 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Delays execution with timeout.exe 4 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 37 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1231953046066434059/1286793157824090213/main.bat?ex=66ef3304&is=66ede184&hm=7babf26fea84a56a0cf2cd70610c8efe98bdfb40730dedebf56387826b5e8230&1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb34c46f8,0x7ffcb34c4708,0x7ffcb34c47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5556 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,6080564502940451447,5659719070382853213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\main.bat"1⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v CoreParkingDisabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exebcdedit /set allowedinmemorysettings 0x02⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set isolatedcontext No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP AWAYMODE 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP ALLOWSTANDBY 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP HYBRIDSLEEP 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor IDLESCALING 12⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor THROTTLING 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /setACvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 12⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setDCvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 12⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMAX 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMAX 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMAXCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor CPMAXCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7" /v "Attributes" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PERFBOOSTMODE 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor PERFBOOSTMODE 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\sc.exesc config "DiagTrack" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "SysMain" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "WSearch" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "Fax" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "TabletInputService" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "DiagTrack"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "WSearch"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "Fax"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "TabletInputService"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\fsutil.exefsutil behavior set DisableDeleteNotify 02⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsDisable8dot3NameCreation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMemoryUsage" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d 512 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"2⤵
-
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\main.bat1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\main.bat"1⤵
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v CoreParkingDisabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exebcdedit /set allowedinmemorysettings 0x02⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set isolatedcontext No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP AWAYMODE 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP ALLOWSTANDBY 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP HYBRIDSLEEP 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor IDLESCALING 12⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor THROTTLING 02⤵
- Power Settings
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /setACvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 12⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /setDCvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 12⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMAX 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMAX 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMAXCORES 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor CPMAXCORES 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7" /v "Attributes" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PERFBOOSTMODE 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor PERFBOOSTMODE 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\sc.exesc config "DiagTrack" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "SysMain" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "WSearch" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "Fax" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "TabletInputService" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "DiagTrack"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "WSearch"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "Fax"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "TabletInputService"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\fsutil.exefsutil behavior set DisableDeleteNotify 02⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsDisable8dot3NameCreation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMemoryUsage" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d 512 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59e3fc58a8fb86c93d19e1500b873ef6f
SHA1c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
Filesize
152B
MD527304926d60324abe74d7a4b571c35ea
SHA178b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA2567039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
5KB
MD5139ad2b17b6458eabacd269ab5646386
SHA12e87f670fd9a18d300db207ab055a2f9f3c96156
SHA256d37e3702568ea0e48c3d973b44dcb2d31993ebe96c8bd7a64156af4223833c2c
SHA512551726b9279f976d390fb39fe140371e831d8c29d081607d4a8e8d835d7003e23b9dfc7d5e265a7dc0249fe628b918a49281b39bdff244b0511fb86061a1a0a7
-
Filesize
6KB
MD5a300c074cf295c60a0f259dc279e24df
SHA13af9ca6880bfae751cc9fe6489234974e5b73cf6
SHA256811aeb32f0e8db3ed6ab16823922f69f7f1fa1683887dfe47f117d537316147b
SHA5124cf950059640da76e5d7cefdb1b28a4eee3a85c783b3698db5563d3aeb7201ed5e3a6700c273a15d1fa861e2850e8b1b71c53d7e7908836e109b62327d8596b9
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5197718c9dbc3e0372213530d5fa187a0
SHA1af5f1fa1a7c271e94554dc6a983af089ef13c377
SHA25638484256d2eb581832c4098d66efc40dc4ef5bf9774d51e8af4c51ed9bca0b34
SHA512eb425066393b72d6199595c79cb5092f0220852f52691a3b9fa0e5ae1b9e5d46bacd12c28a598c8824caa31768d82216dd7da9a58ae42b2b74830574761e044e
-
Filesize
72KB
MD59f14d8dad3856dfa4e9de47c35384059
SHA1df9fc4c4ef86d9652495b80f8b78043692cd41db
SHA25616ed4d228a5113fce098e69d4471b0e5829797882ac3bb5b19c61277fda25b02
SHA512b2fb7562cc0819fe2bd0c4fbe16d10b44f112a11b7a0a7f097f4f0d61c5c1770b2ddb2ffa08fdc5b14a7603c0e2f10fa2dd445b7e23eeb55a98d8bd535f53d4d
-
Filesize
72KB
MD5e95ae3fc44a5c7eba6148507ef0a4525
SHA146c88937c907435c3cf6087a63ddd798c163664e
SHA256b45939520fbdc3afa4a7b253cc43f5739641c2b47c613ccbf76fe6e2b260cc9e
SHA512e7b7dd55cb6b4722b849776b6ab1349601656111f7c30be6a941704bd37f1ea1a9016e364bc9460fd58d8249d84b2227a92a224be97b8719dbb7e95b8a3b9045