0d4b8ffecfb9257cb67f67ffdbbe31e331676bf91dd2f24d0d3ead1d4e77da5a

Analysis

max time kernel
95s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
03-03-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[6] DTB.bat
Size

128KB
MD5

a2f025e563de8260837ac8917f9f091c
SHA1

0b5b28b345b4029ffc95cec921ff701fdc69f595
SHA256

f83a9b47af2139a46e2a030313574f4c489d81119ce7aeaafd68d72e566a3954
SHA512

82ac6b16c601f942ee4f1b4e72ab9626d33c645ff2de4f7709f6a5183c29d25306cdb5d7308c8b3c7e0eca19ac955bfa20ea878c135b9cdfd0a48b5728325c57
SSDEEP

768:pl8Ey8Lp1H1ba2f4DUoqTsHaddjWpN1jy/CzYmOMwQ81jfiQWXtkbBZtXTxZLNdf:AEy85bIG6s5o7a

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2560 timeout.exe
3732 timeout.exe

pid	process
2560	timeout.exe
3732	timeout.exe

Modifies registry class 11 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	reg.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2216	PING.EXE
1572	PING.EXE
1936	PING.EXE
4268	PING.EXE
4508	PING.EXE
2328	PING.EXE
3528	PING.EXE
4296	PING.EXE
4224	PING.EXE
1504	PING.EXE
544	PING.EXE
4268	PING.EXE
3000	PING.EXE
1508	PING.EXE
3560	PING.EXE
4684	PING.EXE
668	PING.EXE
4772	PING.EXE
4652	PING.EXE
4332	PING.EXE
4856	PING.EXE
1788	PING.EXE
416	PING.EXE
4856	PING.EXE
2928	PING.EXE
1604	PING.EXE
1556	PING.EXE
3404	PING.EXE
3028	PING.EXE
2368	PING.EXE
2688	PING.EXE
1644	PING.EXE
4676	PING.EXE
4508	PING.EXE
2724	PING.EXE
2556	PING.EXE
2360	PING.EXE
4320	PING.EXE
2860	PING.EXE
360	PING.EXE
4068	PING.EXE
4552	PING.EXE
3696	PING.EXE
4528	PING.EXE
4976	PING.EXE
1948	PING.EXE
1656	PING.EXE
404	PING.EXE
2068	PING.EXE
712	PING.EXE
3024	PING.EXE
3864	PING.EXE
428	PING.EXE
4332	PING.EXE
1936	PING.EXE
3460	PING.EXE
1640	PING.EXE
1200	PING.EXE
2872	PING.EXE
1180	PING.EXE
3032	PING.EXE
4644	PING.EXE
1116	PING.EXE
1780	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1000	powershell.exe
1000	powershell.exe
3608	powershell.exe
3608	powershell.exe
4032	powershell.exe
4032	powershell.exe
4116	powershell.exe
4116	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 4036 wrote to memory of 2560	4036	cmd.exe	timeout.exe
PID 4036 wrote to memory of 2560	4036	cmd.exe	timeout.exe
PID 4036 wrote to memory of 1000	4036	cmd.exe	powershell.exe
PID 4036 wrote to memory of 1000	4036	cmd.exe	powershell.exe
PID 4036 wrote to memory of 4268	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4268	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 3608	4036	cmd.exe	powershell.exe
PID 4036 wrote to memory of 3608	4036	cmd.exe	powershell.exe
PID 4036 wrote to memory of 1360	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 1360	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4032	4036	cmd.exe	powershell.exe
PID 4036 wrote to memory of 4032	4036	cmd.exe	powershell.exe
PID 4036 wrote to memory of 1180	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 1180	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4116	4036	cmd.exe	powershell.exe
PID 4036 wrote to memory of 4116	4036	cmd.exe	powershell.exe
PID 4036 wrote to memory of 4320	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4320	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 812	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 812	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4528	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4528	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 428	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 428	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 3560	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 3560	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 2896	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 2896	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 2860	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 2860	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 2484	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 2484	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 360	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 360	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 1708	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 1708	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4684	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4684	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 720	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 720	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 2688	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 2688	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 764	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 764	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 3024	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 3024	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4112	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4112	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4676	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4676	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 1620	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 1620	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4976	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4976	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4796	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4796	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4332	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4332	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 5064	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 5064	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4856	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 4856	4036	cmd.exe	PING.EXE
PID 4036 wrote to memory of 3176	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 3176	4036	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\[6] DTB.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
2⤵
- Delays execution with timeout.exe
PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage *Microsoft.549981C3F5F10* | Remove-AppxPackage"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage *Feedback* | Remove-AppxPackage"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers Microsoft.GetHelp | Remove-AppxPackage"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers Microsoft.SkypeApp | Remove-AppxPackage"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4320

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\FindMyDevice" /v "AllowFindMyDevice" /t REG_DWORD /d "0" /f
2⤵
PID:812

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4528

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 0 /f
2⤵
PID:428

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3560

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
2⤵
PID:2896

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2860

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "AllowPrelaunch" /t REG_DWORD /d "0" /f
2⤵
PID:2484

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:360

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\TabPreloader" /v "AllowTabPreloading" /t REG_DWORD /d "0" /f
2⤵
PID:1708

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4684

C:\Windows\system32\reg.exe
Reg add "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:720

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2688

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\WindowsSelfHost\UI\Visibility" /v "DiagnosticErrorText" /t REG_DWORD /d "0" /f
2⤵
PID:764

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3024

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticErrorText" /t REG_SZ /d "" /f
2⤵
PID:4112

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
PID:4676

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticLinkText" /t REG_SZ /d "" /f
2⤵
PID:1620

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4976

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
2⤵
- Modifies registry class
PID:4796

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4332

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d "1" /f
2⤵
PID:5064

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4856

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d "1" /f
2⤵
PID:3176

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3032

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f
2⤵
PID:3048

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4508

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d "1" /f
2⤵
PID:2116

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
PID:2516

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d "1" /f
2⤵
PID:2308

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1936

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d "1" /f
2⤵
PID:3980

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4644

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:4708

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1116

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:1716

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:668

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:5020

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4068

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
2⤵
PID:4808

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:544

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\PolicyManager\current\device\Bluetooth" /v "AllowAdvertising" /t REG_DWORD /d "0" /f
2⤵
PID:876

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4552

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\Messaging" /v "AllowMessageSync" /t REG_DWORD /d "0" /f
2⤵
PID:3012

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2724

C:\Windows\system32\reg.exe
Reg add "HKCU\ControlPanel\International\UserProfile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
2⤵
PID:1924

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1656

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
2⤵
PID:700

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1788

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /v "Value" /t REG_SZ /d "Deny" /f
2⤵
PID:3524

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2328

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
2⤵
PID:4444

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3528

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
2⤵
PID:2472

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
PID:4880

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
2⤵
PID:3768

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1780

C:\Windows\system32\reg.exe
Reg add "HKLM\System\ControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:1444

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1604

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d "1" /f
2⤵
PID:4024

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2556

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /v "Value" /t REG_SZ /d "Deny" /f
2⤵
PID:4080

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2360

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /v "Value" /t REG_SZ /d "Deny" /f
2⤵
PID:4456

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4296

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\CredUI" /v "DisablePasswordReveal" /t REG_DWORD /d "1" /f
2⤵
PID:4952

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1640

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\PolicyManager\current\device\Browser" /v "AllowAddressBarDropdown" /t REG_DWORD /d "0" /f
2⤵
PID:3320

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3864

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d "5" /f
2⤵
PID:2040

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4224

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:1048

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1200

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:4220

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4268

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:3736

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1556

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:3616

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1644

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:2740

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:404

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:2292

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3000

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
2⤵
PID:4784

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2872

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
2⤵
PID:952

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3404

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d "0" /f
2⤵
PID:796

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1508

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Speech" /v "AllowSpeechModelUpdate" /t REG_DWORD /d "0" /f
2⤵
PID:548

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3028

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
2⤵
PID:4032

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2368

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
2⤵
PID:4492

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2928

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
2⤵
PID:976

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2216

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
2⤵
PID:2408

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3696

C:\Windows\system32\reg.exe
Reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
2⤵
PID:2324

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1572

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f
2⤵
PID:2488

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:3460

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f
2⤵
PID:4528

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:428

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
2⤵
PID:4200

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:2068

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
2⤵
PID:4936

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:416

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d "0" /f
2⤵
PID:4012

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:712

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "SystemSettingsDownloadMode" /t REG_DWORD /d "0" /f
2⤵
PID:2956

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4772

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
2⤵
PID:4992

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1504

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
2⤵
PID:2588

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1948

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "0" /f
2⤵
PID:3444

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4676

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
2⤵
PID:4900

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
PID:4976

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /v "AutoDownload" /t REG_DWORD /d "2" /f
2⤵
PID:5076

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4332

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeviceMetadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
2⤵
PID:3448

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4856

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Microsoft\OneDrive" /v "PreventNetworkTrafficPreUserSignIn" /t REG_DWORD /d "1" /f
2⤵
PID:2164

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
PID:3032

C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
2⤵
PID:1872

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4508

C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
2⤵
PID:904

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
PID:2516

C:\Windows\system32\reg.exe
Reg add "HKLM\System\ControlSet\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2904

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:1936

C:\Windows\system32\reg.exe
Reg add "HKLM\System\ControlSet\Services\lfsvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4692

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 100
2⤵
- Runs ping.exe
PID:4652

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
2⤵
- Delays execution with timeout.exe
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4983df1361cea51996bb44b0feb66497

SHA1
4bd67ff9a385e12eb98ba8e0382956148cf5c82e

SHA256
362ad9b315ff670d674b11b30f7843526d0e1f3e2ed1c6ff6174a17e73317721

SHA512
3e3958df13e7de805edfa978d4af5f47250720e6817fe24645c3e8e2aad0784f29c98b57b4f101df7f2492a1308d6c288969b998789092c18bdfdb015932d44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73dc0121ae0b74e7676cbe7320f0f527

SHA1
d55583afea4f6d7aba4c83f394808bd50c715566

SHA256
e64f0c915de0eaf733f37a83cb47a14cb01b2abd0f012d946354375316dd457b

SHA512
992f7067b75aac8afb25cc2dc0f6deb339689020a951c39e84839e3f57e5abfb5fe168b8161229927ce9da2c7c44a546ee23cbd7d8f840124b12919710858923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a7c904ca89f889032d541f477fdf244a

SHA1
d9201cd9c1dd7eda5b1a6ca5f5ded33e4d7f7159

SHA256
a67a3eec8f06c4a62145a972cba1b8214f0f292d7e83160ff855e446e602d541

SHA512
14ed547c49e90d8cb694d9e60a4cf080da428db91001bf92f0e74635012ce683abc0a2255c016238a91dde4a3e8a748d6198bf8a318ca6f2988aa7d904064c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5636be8dee639e463f2f75272c54e627

SHA1
4d5dbc00d4b7d99c9b5edbe0ddeed1b3df01f83b

SHA256
43118a56ec13fbfa43eaa539a4f31b640ac04b1655e680dec2038c563c97e36e

SHA512
f180ecc1322df4ebf40ad7c84f26cfdc7fecea52b858cd512bbb3a8f0cca9c6d70ba61a067830229fea8f852f10188ace9aeb5030b3f16c156c4d7666616f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_551nuyt4.4gh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1000-13-0x000001B01B430000-0x000001B01B44C000-memory.dmp

Filesize
112KB

Download
memory/1000-10-0x000001B01B260000-0x000001B01B270000-memory.dmp

Filesize
64KB

Download
memory/1000-14-0x000001B01B320000-0x000001B01B32A000-memory.dmp

Filesize
40KB

Download
memory/1000-15-0x000001B01B840000-0x000001B01B866000-memory.dmp

Filesize
152KB

Download
memory/1000-18-0x00007FFBA6E40000-0x00007FFBA7902000-memory.dmp

Filesize
10.8MB

Download
memory/1000-12-0x000001B01B260000-0x000001B01B270000-memory.dmp

Filesize
64KB

Download
memory/1000-8-0x000001B01B2C0000-0x000001B01B2E2000-memory.dmp

Filesize
136KB

Download
memory/1000-9-0x00007FFBA6E40000-0x00007FFBA7902000-memory.dmp

Filesize
10.8MB

Download
memory/1000-11-0x000001B01B260000-0x000001B01B270000-memory.dmp

Filesize
64KB

Download
memory/3608-34-0x00007FFBA6E40000-0x00007FFBA7902000-memory.dmp

Filesize
10.8MB

Download
memory/3608-32-0x00000231D41E0000-0x00000231D41F0000-memory.dmp

Filesize
64KB

Download
memory/3608-30-0x00000231D41E0000-0x00000231D41F0000-memory.dmp

Filesize
64KB

Download
memory/3608-26-0x00000231D41E0000-0x00000231D41F0000-memory.dmp

Filesize
64KB

Download
memory/3608-20-0x00007FFBA6E40000-0x00007FFBA7902000-memory.dmp

Filesize
10.8MB

Download
memory/4032-43-0x00007FFBA6E40000-0x00007FFBA7902000-memory.dmp

Filesize
10.8MB

Download
memory/4032-45-0x0000016047010000-0x0000016047020000-memory.dmp

Filesize
64KB

Download
memory/4032-46-0x0000016047010000-0x0000016047020000-memory.dmp

Filesize
64KB

Download
memory/4032-48-0x00007FFBA6E40000-0x00007FFBA7902000-memory.dmp

Filesize
10.8MB

Download
memory/4116-57-0x00007FFBA6E40000-0x00007FFBA7902000-memory.dmp

Filesize
10.8MB

Download
memory/4116-59-0x0000023572360000-0x0000023572370000-memory.dmp

Filesize
64KB

Download
memory/4116-58-0x0000023572360000-0x0000023572370000-memory.dmp

Filesize
64KB

Download
memory/4116-62-0x00007FFBA6E40000-0x00007FFBA7902000-memory.dmp

Filesize
10.8MB

Download