Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 21:39
Static task
static1
Behavioral task
behavioral1
Sample
test.bat
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
test.bat
Resource
win10v2004-20241007-en
General
-
Target
test.bat
-
Size
13KB
-
MD5
4e1bfb90ff49f5b906bf32f8bdf9dd5b
-
SHA1
20e6e98eaca5c078b5a6d8723086ad0f9fadb80f
-
SHA256
b70ad72e118cc0537a38dba5b2fac5e152aad20dd0ada21999d9c2a3e4dbd5ed
-
SHA512
d2932061ec70fc80bdfc354fac70e082e4fd11684b82aa89f20e4445af78cb9cf0c33c06660b9ad49222a30ce53a275efec042d85153cfc51c7dd91a5e18f250
-
SSDEEP
384:xU/HI3uEDHsUXUXDn6CfFmBd1seQfDNqhFD36yXpwL:uouEDHsUXUXDn6CfFmBd1seQfDNqhFD2
Malware Config
Signatures
-
pid Process 924 powershell.exe 316 powershell.exe -
Modifies data under HKEY_USERS 4 IoCs
description ioc Process Key created \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost reg.exe Key created \REGISTRY\USER\!USER_SID! reg.exe Key created \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost reg.exe Key created \REGISTRY\USER\!USER_SID! reg.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 316 powershell.exe 316 powershell.exe 924 powershell.exe 924 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 316 powershell.exe Token: SeDebugPrivilege 924 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3896 wrote to memory of 2556 3896 cmd.exe 90 PID 3896 wrote to memory of 2556 3896 cmd.exe 90 PID 3896 wrote to memory of 1780 3896 cmd.exe 91 PID 3896 wrote to memory of 1780 3896 cmd.exe 91 PID 3896 wrote to memory of 4992 3896 cmd.exe 92 PID 3896 wrote to memory of 4992 3896 cmd.exe 92 PID 3896 wrote to memory of 1224 3896 cmd.exe 93 PID 3896 wrote to memory of 1224 3896 cmd.exe 93 PID 3896 wrote to memory of 5108 3896 cmd.exe 94 PID 3896 wrote to memory of 5108 3896 cmd.exe 94 PID 3896 wrote to memory of 1764 3896 cmd.exe 95 PID 3896 wrote to memory of 1764 3896 cmd.exe 95 PID 3896 wrote to memory of 1936 3896 cmd.exe 96 PID 3896 wrote to memory of 1936 3896 cmd.exe 96 PID 3896 wrote to memory of 720 3896 cmd.exe 97 PID 3896 wrote to memory of 720 3896 cmd.exe 97 PID 3896 wrote to memory of 2356 3896 cmd.exe 98 PID 3896 wrote to memory of 2356 3896 cmd.exe 98 PID 3896 wrote to memory of 5104 3896 cmd.exe 99 PID 3896 wrote to memory of 5104 3896 cmd.exe 99 PID 3896 wrote to memory of 3960 3896 cmd.exe 100 PID 3896 wrote to memory of 3960 3896 cmd.exe 100 PID 3896 wrote to memory of 1736 3896 cmd.exe 101 PID 3896 wrote to memory of 1736 3896 cmd.exe 101 PID 3896 wrote to memory of 1332 3896 cmd.exe 102 PID 3896 wrote to memory of 1332 3896 cmd.exe 102 PID 3896 wrote to memory of 5016 3896 cmd.exe 103 PID 3896 wrote to memory of 5016 3896 cmd.exe 103 PID 3896 wrote to memory of 4208 3896 cmd.exe 104 PID 3896 wrote to memory of 4208 3896 cmd.exe 104 PID 3896 wrote to memory of 1668 3896 cmd.exe 105 PID 3896 wrote to memory of 1668 3896 cmd.exe 105 PID 3896 wrote to memory of 3332 3896 cmd.exe 106 PID 3896 wrote to memory of 3332 3896 cmd.exe 106 PID 3896 wrote to memory of 3892 3896 cmd.exe 107 PID 3896 wrote to memory of 3892 3896 cmd.exe 107 PID 3896 wrote to memory of 448 3896 cmd.exe 108 PID 3896 wrote to memory of 448 3896 cmd.exe 108 PID 3896 wrote to memory of 4688 3896 cmd.exe 109 PID 3896 wrote to memory of 4688 3896 cmd.exe 109 PID 3896 wrote to memory of 3408 3896 cmd.exe 110 PID 3896 wrote to memory of 3408 3896 cmd.exe 110 PID 3896 wrote to memory of 1776 3896 cmd.exe 111 PID 3896 wrote to memory of 1776 3896 cmd.exe 111 PID 3896 wrote to memory of 2580 3896 cmd.exe 112 PID 3896 wrote to memory of 2580 3896 cmd.exe 112 PID 3896 wrote to memory of 552 3896 cmd.exe 113 PID 3896 wrote to memory of 552 3896 cmd.exe 113 PID 3896 wrote to memory of 1244 3896 cmd.exe 114 PID 3896 wrote to memory of 1244 3896 cmd.exe 114 PID 3896 wrote to memory of 4220 3896 cmd.exe 115 PID 3896 wrote to memory of 4220 3896 cmd.exe 115 PID 3896 wrote to memory of 860 3896 cmd.exe 116 PID 3896 wrote to memory of 860 3896 cmd.exe 116 PID 3896 wrote to memory of 1028 3896 cmd.exe 117 PID 3896 wrote to memory of 1028 3896 cmd.exe 117 PID 3896 wrote to memory of 4548 3896 cmd.exe 118 PID 3896 wrote to memory of 4548 3896 cmd.exe 118 PID 3896 wrote to memory of 544 3896 cmd.exe 119 PID 3896 wrote to memory of 544 3896 cmd.exe 119 PID 3896 wrote to memory of 540 3896 cmd.exe 120 PID 3896 wrote to memory of 540 3896 cmd.exe 120 PID 3896 wrote to memory of 2880 3896 cmd.exe 121 PID 3896 wrote to memory of 2880 3896 cmd.exe 121 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f2⤵PID:2556
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f2⤵PID:1780
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4992
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f2⤵PID:1224
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f2⤵PID:5108
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f2⤵PID:1764
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:1936
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisablediagnosticTracing" /t REG_DWORD /d "1" /f2⤵PID:720
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f2⤵PID:2356
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /Disabling2⤵PID:5104
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"2⤵PID:3960
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disabling2⤵PID:1736
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"2⤵PID:1332
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /Disabling2⤵PID:5016
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"2⤵PID:4208
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disabling2⤵PID:1668
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f2⤵PID:3332
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f2⤵PID:3892
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnablingTransparency" /t REG_DWORD /d "0" /f2⤵PID:448
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f2⤵PID:4688
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:3408
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:1776
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:2580
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f2⤵PID:552
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f2⤵PID:1244
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f2⤵PID:4220
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnablingSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:860
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:1028
-
-
C:\Windows\system32\reg.exeReg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnablingWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
- Modifies data under HKEY_USERS
PID:4548
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f2⤵PID:544
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f2⤵PID:540
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f2⤵PID:2880
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f2⤵PID:4864
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f2⤵PID:4908
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f2⤵PID:1212
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaCapabilities" /t REG_SZ /d "" /f2⤵PID:5056
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsAssignedAccess" /t REG_DWORD /d "0" /f2⤵PID:4876
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsWindowsHelloActive" /t REG_DWORD /d "0" /f2⤵PID:2824
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f2⤵PID:828
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d 3 /f2⤵PID:4704
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchSafeSearch" /t REG_DWORD /d 3 /f2⤵PID:4824
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f2⤵PID:4472
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d 0 /f2⤵PID:3124
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d "0" /f2⤵PID:1420
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\SearchCompanion" /v "DisablingContentFileUpdates" /t REG_DWORD /d "1" /f2⤵PID:4272
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f2⤵PID:4852
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f2⤵PID:2992
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f2⤵PID:1948
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d "3" /f2⤵PID:3808
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f2⤵PID:4080
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f2⤵PID:3640
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisablingWebSearch" /t REG_DWORD /d "1" /f2⤵PID:1056
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DoNotUseWebResults" /t REG_DWORD /d "1" /f2⤵PID:4484
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f2⤵PID:4140
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f2⤵PID:3092
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnablingFeeds" /t REG_DWORD /d "0" /f2⤵PID:4912
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f2⤵PID:3288
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnablingActivityFeed" /t REG_DWORD /d "0" /f2⤵PID:2860
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f2⤵PID:2324
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2584
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnablingActivityFeed" /t REG_DWORD /d "0" /f2⤵PID:3756
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f2⤵PID:2088
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f2⤵PID:2556
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f2⤵PID:1780
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f2⤵PID:4992
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4596
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4304
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4184
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:968
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:3556
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2356
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2760
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisablingNotificationCenter" /t REG_DWORD /d "1" /f2⤵PID:628
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3676
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3236
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:816
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4416
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f2⤵PID:4920
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f2⤵PID:5020
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:512
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4520
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2184
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2720
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1236
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1732
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2384
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2252
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2600
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:3084
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnablingSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:4740
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:1900
-
-
C:\Windows\system32\reg.exeReg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnablingWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
- Modifies data under HKEY_USERS
PID:4932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ExecutionPolicy Unrestricted -Scope Process -Force"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-AppxPackage -AllUsers | Where-Object { $_.Name -notmatch 'Microsoft.WindowsStore' } | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoReinstallApps" /t REG_DWORD /d "1" /f2⤵PID:4412
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnablingTransparency" /t REG_DWORD /d "0" /f2⤵PID:4304
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d136d3411d4aa688242c53cafb993aa6
SHA11a81cc78e3ca445d5a5193e49ddce26d5e25179f
SHA25600ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397
SHA512282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82