Analysis
- max time kernel: 94s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/11/2024, 21:40

Static task: static1
Behavioral task: behavioral1 (Sample: test.bat; Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: test.bat; Resource: win10v2004-20241007-en)

General
- Target: test.bat
- Size: 13KB
- MD5: 6276f3f0e1c4d6e9a6b3811f0c66ce3c
- SHA1: 186b9ead2e38f786545df62273a1e1ab83098574
- SHA256: 9106a68018966c7715a358016c6d711331dd1b33911c74b5c2f935fa4ad327fa
- SHA512: ff86e963994579ade9a26abac896cb7939335bfb581408640b194cc0159ce82f064f6277e7c8d3b536d7aadc2f71bd1f6e42cf7ae8a0b159e93eab1ec7fae58c
- SSDEEP: 384:xU/HI3uEDHsUXUXDn6CfFmBd1seQfDNqhFD36yXJL:uouEDHsUXUXDn6CfFmBd1seQfDNqhFDH
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (the signature name is missing from the extracted page; it is the tag carried by PIDs 664 and 2596 in the process tree below)
  pid   Process
  664   powershell.exe
  2596  powershell.exe
- Modifies data under HKEY_USERS 4 IoCs
  description  ioc                                                                       Process
  Key created  \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost  reg.exe
  Key created  \REGISTRY\USER\!USER_SID!                                                 reg.exe
  Key created  \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost  reg.exe
  Key created  \REGISTRY\USER\!USER_SID!                                                 reg.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid   Process
  664   powershell.exe
  664   powershell.exe
  2596  powershell.exe
  2596  powershell.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description               pid   Process
  Token: SeDebugPrivilege   664   powershell.exe
  Token: SeDebugPrivilege   2596  powershell.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  description                      pid   Process  procid_target
  Every row has the same writer, cmd.exe PID 4728, and the sandbox recorded two write events per child, so the 64 rows cover 32 children. Each child PID is listed once below with the procid_target the report assigned to it:
  PID 4728 wrote to memory of 1472 (88), 2524 (89), 1304 (90), 3928 (91), 232 (92), 4472 (93), 320 (94), 620 (95), 2072 (96), 2484 (97), 3000 (98), 3188 (99), 3872 (100), 3448 (101), 4424 (102), 664 (103), 956 (104), 2120 (105), 3068 (106), 1368 (107), 2820 (108), 748 (109), 1188 (110), 2596 (111), 4224 (112), 3680 (113), 4428 (114), 880 (115), 4788 (116), 3832 (117), 3432 (118), 3008 (119)
  Every target is a direct child of PID 4728 in the process tree below; this is the batch interpreter setting up the processes it spawns, not a write into an unrelated process. The signature is capped at 64 IoCs, so only the first 32 children appear here.
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. In this run the only scheduler activity is the seven schtasks.exe calls in the process tree, all of which end or disable built-in diagnostic tasks; no task is created.
Processes
- C:\Windows\system32\cmd.exe (PID 4728, depth 1)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
  Signatures: Suspicious use of WriteProcessMemory
  All processes below are direct children (depth 2) of this cmd.exe, listed in launch order. reg.exe and schtasks.exe run from C:\Windows\system32\; powershell.exe runs from C:\Windows\System32\WindowsPowerShell\v1.0\. PIDs are reused during the run: 2524, 232, 4472, 320 and 620 appear twice as reg.exe; 2484, 3872, 3448 and 4424 first as schtasks.exe and later as reg.exe; 664 and 2596 first as schtasks.exe and reg.exe and later as powershell.exe. The signature tables above that name PIDs 664 and 2596 refer to the powershell.exe instances.
  - PID 1472 reg.exe: Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  - PID 2524 reg.exe: Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
  - PID 1304 reg.exe: Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 3928 reg.exe: Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
  - PID 232 reg.exe: Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
  - PID 4472 reg.exe: Reg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  - PID 320 reg.exe: Reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  - PID 620 reg.exe: Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisablediagnosticTracing" /t REG_DWORD /d "1" /f
  - PID 2072 reg.exe: Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f
  - PID 2484 schtasks.exe: schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  - PID 3000 schtasks.exe: schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
  - PID 3188 schtasks.exe: schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  - PID 3872 schtasks.exe: schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
  - PID 3448 schtasks.exe: schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /Disable
  - PID 4424 schtasks.exe: schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
  - PID 664 schtasks.exe: schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  - PID 956 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
  - PID 2120 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
  - PID 3068 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
  - PID 1368 reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
  - PID 2820 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  - PID 748 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  - PID 1188 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  - PID 2596 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f
  - PID 4224 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f
  - PID 3680 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f
  - PID 4428 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  - PID 880 reg.exe: Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  - PID 4788 reg.exe: Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
    Signatures: Modifies data under HKEY_USERS
  - PID 3832 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f
  - PID 3432 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f
  - PID 3008 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
  - PID 4504 reg.exe: Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  - PID 3476 reg.exe: Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  - PID 3564 reg.exe: Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
  - PID 3544 reg.exe: Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaCapabilities" /t REG_SZ /d "" /f
  - PID 2412 reg.exe: Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsAssignedAccess" /t REG_DWORD /d "0" /f
  - PID 1396 reg.exe: Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsWindowsHelloActive" /t REG_DWORD /d "0" /f
  - PID 4956 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
  - PID 1708 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d 3 /f
  - PID 432 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchSafeSearch" /t REG_DWORD /d 3 /f
  - PID 3136 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f
  - PID 3492 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d 0 /f
  - PID 3588 reg.exe: Reg.exe add "HKLM\Software\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d "0" /f
  - PID 2844 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\SearchCompanion" /v "DisableContentFileUpdates" /t REG_DWORD /d "1" /f
  - PID 1796 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
  - PID 1976 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f
  - PID 4292 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
  - PID 3140 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d "3" /f
  - PID 316 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
  - PID 1848 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f
  - PID 4072 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f
  - PID 4848 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DoNotUseWebResults" /t REG_DWORD /d "1" /f
  - PID 2196 reg.exe: Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
  - PID 4732 reg.exe: Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f
  - PID 2856 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d "0" /f
  - PID 1752 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f
  - PID 4812 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
  - PID 2908 reg.exe: Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  - PID 4824 reg.exe: Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 1764 reg.exe: Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
  - PID 868 reg.exe: Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
  - PID 2960 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
  - PID 1244 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f
  - PID 1356 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
  - PID 4304 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 4420 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 3340 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 460 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 1828 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 1424 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 2124 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 4536 reg.exe: Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
  - PID 2864 reg.exe: Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f
  - PID 220 reg.exe: Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f
  - PID 224 reg.exe: Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f
  - PID 2792 reg.exe: Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1724 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f
  - PID 4908 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f
  - PID 372 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 2524 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 232 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 4472 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 320 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 2476 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 620 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 1536 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 4836 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 2484 reg.exe: Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f
  - PID 3872 reg.exe: Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  - PID 3448 reg.exe: Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  - PID 4424 reg.exe: Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
    Signatures: Modifies data under HKEY_USERS
  - PID 664 powershell.exe: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope Process -Force"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 2596 powershell.exe: powershell -Command "Get-AppxPackage -AllUsers | Where-Object { $_.Name -notmatch 'Microsoft.WindowsStore' } | Remove-AppxPackage"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 3372 reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoReinstallApps" /t REG_DWORD /d "1" /f
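Most of the tree above is privacy and telemetry tweaking; what matters for triage is the small subset of writes that turn a security control off (SmartScreen in three places, the Mark-of-the-Web attachment policy, service start types, automatic maintenance). The following is an added example, not part of the sandbox report or of the sample: it parses reg.exe command lines the way a detection rule over process-creation events would and picks out those writes. SAMPLE_CMDLINES are copied from the tree; the SECURITY_RELEVANT table is this example's own triage list, an assumption rather than a sandbox signature, and it uses the value names as Windows spells them (EnableSmartScreen, EnableWebContentEvaluation).

```python
"""Triage the `reg.exe add` lines from the process tree above: parse them as a
detection rule over process-creation events would, then pick out the writes
that weaken a security control from the privacy/telemetry tweaks.
Added example, not sandbox output. SAMPLE_CMDLINES are copied from the tree;
SECURITY_RELEVANT is this example's own triage list (an assumption)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKCU": "HKCU", "HKEY_USERS": "HKU", "HKU": "HKU"}


@dataclass(frozen=True)
class RegAdd:
    hive: str   # short hive name: HKLM, HKCU or HKU
    key: str    # subkey path below the hive
    value: str  # value name ("" if no /v)
    vtype: str  # REG_DWORD, REG_SZ, ... (reg.exe default is REG_SZ)
    data: str   # data as written, surrounding quotes removed


def split_windows_args(cmdline: str) -> List[str]:
    """Split on whitespace outside double quotes and drop the quotes. Backslashes
    stay literal (registry paths), which POSIX shlex.split() would eat."""
    args, cur, quoted, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            quoted, have_token = not quoted, True   # "" is a real empty argument
        elif ch.isspace() and not quoted:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """RegAdd for `reg add <key> [/v name] [/t type] [/d data] [/f]`; None for
    anything else (e.g. the schtasks calls in the tree)."""
    args = split_windows_args(cmdline)
    if len(args) < 3 or args[1].lower() != "add":
        return None
    if args[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    hive_name, _, subkey = args[2].partition("\\")
    if hive_name.upper() not in HIVES:
        return None
    opts = {"/v": "", "/t": "REG_SZ", "/d": ""}
    i = 3
    while i < len(args):
        if args[i].lower() in opts and i + 1 < len(args):
            opts[args[i].lower()] = args[i + 1]
            i += 2
        else:            # /f, /ve, /reg:64 and anything unexpected
            i += 1
    return RegAdd(HIVES[hive_name.upper()], subkey, opts["/v"], opts["/t"].upper(), opts["/d"])


# (regex over the lowercased subkey, lowercased value name, data test, meaning)
SECURITY_RELEVANT = [
    (r"policies\\microsoft\\windows\\system$", "enablesmartscreen", lambda d: d == "0",
     "SmartScreen disabled by policy"),
    (r"currentversion\\explorer$", "smartscreenenabled", lambda d: d.lower() == "off",
     "SmartScreen turned off for Explorer"),
    (r"currentversion\\apphost$", "enablewebcontentevaluation", lambda d: d == "0",
     "SmartScreen for Store apps disabled"),
    (r"policies\\attachments$", "savezoneinformation", lambda d: d == "1",
     "Mark-of-the-Web no longer saved on downloads"),
    (r"services\\(btagservice|bthserv|bthavctpsvc|bluetoothuserservice)$", "start",
     lambda d: d == "4", "service start type set to Disabled"),
    (r"schedule\\maintenance$", "maintenancedisabled", lambda d: d == "1",
     "automatic maintenance disabled"),
]


def assess(e: RegAdd) -> Optional[str]:
    """Why the write weakens a control, or None if it is only a privacy tweak."""
    for key_re, name, test, why in SECURITY_RELEVANT:
        if re.search(key_re, e.key.lower()) and e.value.lower() == name and test(e.data):
            return why
    return None


def triage(cmdlines) -> Tuple[List[RegAdd], List[Tuple[RegAdd, str]]]:
    entries = [e for e in map(parse_reg_add, cmdlines) if e is not None]
    return entries, [(e, why) for e in entries if (why := assess(e))]


SAMPLE_CMDLINES = [  # copied from the process tree in this report
    r'Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f',
    r'Reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f',
    r'Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f',
    r'Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f',
    r'Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f',
    r'Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaCapabilities" /t REG_SZ /d "" /f',
    r'Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f',
    r'Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f',
    r'Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f',
    r'schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /Disable',
]

if __name__ == "__main__":
    entries, flagged = triage(SAMPLE_CMDLINES)
    print(f"{len(entries)} reg add commands parsed, {len(flagged)} weaken a control:")
    for e, why in flagged:
        print(f"  {e.hive}\\{e.key}  {e.value}={e.data!r}  -> {why}")
```

Run against the ten sample lines it parses nine reg add commands (the schtasks call is skipped) and flags six of them. The tokenizer is deliberately not shlex: Windows command lines use backslashes as path separators, long hive names and short aliases interchangeably, and both quoted and unquoted /d values, all of which appear in this tree, so normalising the hive and stripping quotes is what lets one rule match `HKLM\...` and `HKEY_LOCAL_MACHINE\...` alike.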
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: d136d3411d4aa688242c53cafb993aa6
  SHA1: 1a81cc78e3ca445d5a5193e49ddce26d5e25179f
  SHA256: 00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397
  SHA512: 282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1
- Filesize: 64B
  MD5: 1a11402783a8686e08f8fa987dd07bca
  SHA1: 580df3865059f4e2d8be10644590317336d146ce
  SHA256: 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
  SHA512: 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82