Analysis
-
max time kernel
71s -
max time network
71s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
29-11-2024 15:33
General
-
Target
https://drive.google.com/drive/u/0/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM
Score
9/10
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 59 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/u/0/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb315846f8,0x7ffb31584708,0x7ffb315847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3900 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1685706502680024362,13364655344971097638,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_EXM Free Tweaking Utility V6.1.zip\EXM Free Tweaking Utility V6.1.cmd" "1⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_UserAccount where name="Admin" get sid3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\findstr.exefindstr "S-"3⤵
-
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile Enable-ComputerRestore -Drive 'C:\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Checkpoint-Computer -Description 'EXM Tweaks Restore Point'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Restore point completed successfully, press "OK" to continue', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloading resources (power plan, Nvidia profile inspector & more, Press "OK" To continue)', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\system32\curl.execurl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://exmapi.onrender.com/static/free/v5.0/v5.0_free_resources.zip"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\exm'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloaded resources successfully, Press "OK" To continue to the menu:Information);}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "10" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\bcdedit.exebcdedit /set Disabledynamictick yes2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /deletevalue useplatformclock2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set useplatformtick yes2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\fsutil.exefsutil behavior set memoryusage 22⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set mftzone 42⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set Disablinglastaccess 12⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set Disabledeletenotify 02⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set encryptpagingfile 02⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "BackgroundPriority" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "Medium" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "BackgroundPriority" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "1000" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "TimeStampInterval" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "IoPriority" /t REG_DWORD /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "Latency" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "TransitionLatency" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
152B
MD599afa4934d1e3c56bbce114b356e8a99
SHA13f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA25608e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA51276686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da
-
Filesize
152B
MD5443a627d539ca4eab732bad0cbe7332b
SHA186b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA2561e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d
-
Filesize
1KB
MD52d189a31d9ae9cb595f94f68109517db
SHA19cf14831ce9f0ed813ff850995fa6c3ea7bbbe3c
SHA256290d02e4e673f765896c0d47a6ccec31d4469a038c1bad2ebfc5953179f0db25
SHA512030c53b308d7161483e8460f17fd1f18030eae323adeddce9b88e1316d8ed6238ddf31ad6914f6c0cbd9f3d675f8f484121dd78f75e46e596e55a2f5e47feebe
-
Filesize
3KB
MD5d52b8b82ff26db480ff97544d9f13ba5
SHA175551a4ba345042f7be4bd6ee4dc298c5832e8ad
SHA256d27ee431aa2e1e74529f35fa527fbb8f2c7e03b20fb295f19dbde9ef5e43d569
SHA512d2be7094ef8f01fc874f4c1e88e92e1da38e0f3c1ff3350eaa33f63302b449fbbe1a3a880e489a55046eae1106997657f113b88d369413ca917a95d6af3a31e7
-
Filesize
6KB
MD54394913bcb2a053c5192287c0986dcad
SHA17c17618c4865237e4513c160a6142c5c6df14775
SHA25614ccbe6f9a9fb38463fb9032c2acbd582265ba3763aa8fc06df4c2015601ef34
SHA512ad00a3b08cf0c4affe5f2b84b6bcac765d267e92392a92534373acc9e1b199a40acef5030a658b6ede24494c4af883ef0ca3fdb99b50b035a52871140d37e2fa
-
Filesize
5KB
MD59c3f9f89f5dc6fd5e424a1692ad2f0fe
SHA18bac8b91586e42f5e78da4e03e302763bb497582
SHA256d2a770a76c0fa7938bda318dc806003ae18d0b110d34db29946f118dda275006
SHA5126f12b8c6a519782e0ebad5f6a96e5a17304343f3601f9e85b4c089fdbc1bc74677fc38d59db880aac2d74fe5c685f90d94a4d16cb4233d3925093f4e58cadb1e
-
Filesize
6KB
MD5b7a9cdc2dbb83400e94c88144a941f0d
SHA1a145d015d3e018b64b616e11169e7546a8dc1c8f
SHA256763e621d2e7cdaccfc6bc9768214b2c0b74e7522c8ad7b6eec5d596bc7528747
SHA512996c2c8c80c9770197e3585238b864504d15a6872b2e0329788efec566e1a741299704f8a66e41d01fa81d0dd41078205731493fb832963b6bc425b3cb9ef9a7
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD50d595b88bcf1f3b9202472b2e3571bcb
SHA15fb7c420f93c5181aae2347f06a775deb035cee7
SHA256d7ea7e611ae11e1a0627e78caaaf0025abb728185546003c5e39267a6fa0e8d5
SHA512d44fb73d85e46afa2cfc11809887f0a745caf2fb6b9e7e0135c2e0726a22e4640f6628815d2a176b7d7d5b3686910bf028ac66c0b52f1c47f99dc969f57289bf
-
Filesize
10KB
MD52cdbc44a9ef8825de63bc2e3561aa2b0
SHA18c36fd0fbda81ddac3be7a53b70f43d37f2c37d4
SHA256148f95331dff6d068b807db917fa9c37224404048601c6ee742fd005b901d7b6
SHA512f0436db3d2e7641bf6425e0e4c0bfd1d2383bbdd6435aa500a6e3b5aa43aa3fa1caba6f772392dac2778e1f7e79a5e42adac907e058f24a3b8fab3275d5c3a39
-
Filesize
64B
MD50ff7e1af4cc86e108eef582452b35523
SHA1c2ccf2811d56c3a3a58dced2b07f95076c6b5b96
SHA25662ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0
SHA512374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD5224dcf4c17389871fa59fe45c7acd94a
SHA1d02998277a18745bc5a5209d80a4d5c5077772ff
SHA256c10c307786cba93488fb258b288490207e01024028a4340eab17f0c0b23dbb0e
SHA5128e30a4a06f9a06dd2556ee9125e9dc9effcc1cbb3ce6ff9fabee383db8e4fdbe7f638ea71d5a42d6722748543c8f2a4399baefdd2a2cc20e531c966b29f32e10
-
Filesize
1KB
MD5c2e5182620ddf7530dcd82f3f46b9c9b
SHA1cfa70d35abb1c47ed3910f1c87fbe3618bdefa52
SHA256af73fa184dfb48664c3aaaf26a60877d6e590a82ea3013ce09681ab9d791b8ce
SHA5121d5e2360c9058808f5c7ef6c8f22ab91a608380abb0a2889324fb6279edf7688f4100b00176d7ae32b0bc9d1d7c5e4e5e67311bfaf7a3b5c3145976a4733f3f9
-
Filesize
1KB
MD5991588f85d41fec40a05cc39368bda99
SHA1b483d50826878f1462c77247355fd062ab512d18
SHA2568b23dc92dca8732e1752e3b66b831c3bacb5ea843cce3e9be9adfcdacdc6e48c
SHA512d8a456e3c4cf10603c2ed797da366ec3eb78da1422339c1643ab5f6d915cf2ca7e03bcd2e436a7fbf716c39cdb416badc461d261016aac5b40ee8403a00ac8c9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.2MB
MD5db0e9e1953431cc977c3e95bd3d36ab6
SHA14f34027bfd24a54e269721e07f3fedceb7841e70
SHA256c4e798355111c34ae3424a1c102758335a5e24f714831b15a5bf2a1303df9097
SHA5120874095e38b8c5ab0e2f68fddb77ea2283ef6515349417446aef12e6b9e4456c429b156423858830264cbbe9cacc4a32d9cc2325135432bebc0c5b38720fff9a
-
Filesize
36KB
MD59fb407c6b0890549256c5f3a3ecb6cbd
SHA1337e04b26691d932a3b365072a0a94e417006b7a
SHA2562b274828909181281f74f7c52e3782060d61b1b61bed5e5a34ea40b7265f5f7f
SHA5122d81e5b338d9ad036f8febeb2330be8c9cd682dabc8893833faab25d329449630fe8ff56be3e176036ab9ed93188be56ed2cb4bd3914d2673ee7cdee7f6c4c99
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
136KB