d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 10:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
Size

724KB
MD5

dd0edb94137c8530ff4d36d4e77fba81
SHA1

eb48f3a335919eaa309affadd0106078a3ad8beb
SHA256

d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b
SHA512

1d44422f40576a3af2279b393b71bb53e0e9184d97156a810377cb44f66ec74616425848f3ffa2cf9b5e4e53a8411e0a8362173250acab65a85c3d7211bc1b19
SSDEEP

12288:P+ezwR1kYsk0MgehaYX3XOb09/nhdPoYZIeSWx2oBRUoR:P1Oem0tet3+YxZIeSWx/H

Score

10^/10

bootkit persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2500 created 1272	2500	RkRealTech.exe	17
PID 4760 created 1272	4760	RkRealTech.exe	17

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/1244-151-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/4408-155-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/2024-160-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Executes dropped EXE 10 IoCs

pid	Process
2500	RkRealTech.exe
4760	RkRealTech.exe
1244	RtkSYUdp.exe
4408	RtkSYUdp.exe
4036	RtkSYUdp.exe
2024	RtkSYUdp.exe
4592	RtkSYUdp.exe
4864	RtkSYUdp.exe
2676	RtkSYUdp.exe
4580	RtkSYUdp.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4464-132-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/files/0x00030000000006fb-149.dat	upx
behavioral2/files/0x00030000000006fb-150.dat	upx
behavioral2/memory/1244-151-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/files/0x00030000000006fb-153.dat	upx
behavioral2/memory/4408-154-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/4408-155-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/files/0x00030000000006fb-157.dat	upx
behavioral2/files/0x00030000000006fb-159.dat	upx
behavioral2/memory/2024-160-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/files/0x00030000000006fb-162.dat	upx
behavioral2/files/0x00030000000006fb-164.dat	upx
behavioral2/files/0x00030000000006fb-166.dat	upx
behavioral2/files/0x00030000000006fb-168.dat	upx
behavioral2/memory/4464-172-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4464-173-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	RtkSYUdp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RkRealTech.exe	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
File created	C:\Windows\RtkSYUdp.exe	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5096	4136	WerFault.exe	87
5116	4336	WerFault.exe	93

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\internet explorer\version Vector	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe

Runs regedit.exe 3 IoCs

pid	Process
4136	regedit.exe
4336	regedit.exe
4440	regedit.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
2500	RkRealTech.exe
2500	RkRealTech.exe
4760	RkRealTech.exe
4760	RkRealTech.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4440	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	80
PID 4464 wrote to memory of 4440	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	80
PID 4464 wrote to memory of 4440	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	80
PID 4464 wrote to memory of 3472	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	81
PID 4464 wrote to memory of 3472	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	81
PID 4464 wrote to memory of 3472	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	81
PID 4464 wrote to memory of 2500	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	83
PID 4464 wrote to memory of 2500	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	83
PID 4464 wrote to memory of 2500	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	83
PID 4464 wrote to memory of 2512	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	84
PID 4464 wrote to memory of 2512	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	84
PID 4464 wrote to memory of 2512	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	84
PID 2500 wrote to memory of 4136	2500	RkRealTech.exe	87
PID 2500 wrote to memory of 4136	2500	RkRealTech.exe	87
PID 2500 wrote to memory of 4136	2500	RkRealTech.exe	87
PID 4464 wrote to memory of 4132	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	89
PID 4464 wrote to memory of 4132	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	89
PID 4464 wrote to memory of 4132	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	89
PID 4464 wrote to memory of 4760	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	90
PID 4464 wrote to memory of 4760	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	90
PID 4464 wrote to memory of 4760	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	90
PID 4760 wrote to memory of 4336	4760	RkRealTech.exe	93
PID 4760 wrote to memory of 4336	4760	RkRealTech.exe	93
PID 4760 wrote to memory of 4336	4760	RkRealTech.exe	93
PID 4132 wrote to memory of 1244	4132	cmd.exe	98
PID 4132 wrote to memory of 1244	4132	cmd.exe	98
PID 4132 wrote to memory of 1244	4132	cmd.exe	98
PID 4132 wrote to memory of 4408	4132	cmd.exe	99
PID 4132 wrote to memory of 4408	4132	cmd.exe	99
PID 4132 wrote to memory of 4408	4132	cmd.exe	99
PID 4132 wrote to memory of 4036	4132	cmd.exe	100
PID 4132 wrote to memory of 4036	4132	cmd.exe	100
PID 4132 wrote to memory of 4036	4132	cmd.exe	100
PID 4132 wrote to memory of 2024	4132	cmd.exe	101
PID 4132 wrote to memory of 2024	4132	cmd.exe	101
PID 4132 wrote to memory of 2024	4132	cmd.exe	101
PID 4132 wrote to memory of 4592	4132	cmd.exe	102
PID 4132 wrote to memory of 4592	4132	cmd.exe	102
PID 4132 wrote to memory of 4592	4132	cmd.exe	102
PID 4132 wrote to memory of 4864	4132	cmd.exe	103
PID 4132 wrote to memory of 4864	4132	cmd.exe	103
PID 4132 wrote to memory of 4864	4132	cmd.exe	103
PID 4132 wrote to memory of 2676	4132	cmd.exe	104
PID 4132 wrote to memory of 2676	4132	cmd.exe	104
PID 4132 wrote to memory of 2676	4132	cmd.exe	104
PID 4132 wrote to memory of 4580	4132	cmd.exe	105
PID 4132 wrote to memory of 4580	4132	cmd.exe	105
PID 4132 wrote to memory of 4580	4132	cmd.exe	105
PID 4464 wrote to memory of 4372	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	109
PID 4464 wrote to memory of 4372	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	109
PID 4464 wrote to memory of 4372	4464	d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe	109
PID 4372 wrote to memory of 4300	4372	cmd.exe	111
PID 4372 wrote to memory of 4300	4372	cmd.exe	111
PID 4372 wrote to memory of 4300	4372	cmd.exe	111

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe
  "C:\Users\Admin\AppData\Local\Temp\d3d70689f088078f80fa0910bef888cac841d63bb08183b1dc7f761102f76d3b.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
    3⤵
    - Modifies registry class
    - Runs regedit.exe
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
    3⤵
    PID:3472
- - C:\Windows\RkRealTech.exe
    C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 1272 C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
      4⤵
      Executes dropped EXE
      PID:1244
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
      4⤵
      Executes dropped EXE
      PID:4408
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      PID:4036
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
      4⤵
      Executes dropped EXE
      PID:2024
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\MICROS~1.LNK"
      4⤵
      Executes dropped EXE
      PID:4592
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
      4⤵
      Executes dropped EXE
      PID:4864
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
      4⤵
      Executes dropped EXE
      PID:2676
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
      4⤵
      Executes dropped EXE
      PID:4580
- - C:\Windows\RkRealTech.exe
    C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 1272 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
      4⤵
      PID:4300
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:4136
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4136 -s 8
    3⤵
    - Program crash
    PID:5096
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:4336
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4336 -s 8
    3⤵
    - Program crash
    PID:5116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4136 -ip 4136
1⤵
PID:532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 4336 -ip 4336
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

Filesize
253B

MD5
cb350b29233b3440633123bb77692140

SHA1
52793f1ba4c7925d41c6e79a109080c3d12b69e6

SHA256
7031fcb0fa967101e4d4894e9ebbac7e0ed00cc3ba57777afa02f521356530d3

SHA512
0e5d3b34262260b807179d6a51e2c62524d3b0a132c05c4425830d376d1002d150aa0fd8e747a67d96b8ae8145ab903892ce3eaa8245084832eefd02b31c09b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
638B

MD5
9451e2ef74fb31fd8643defc16c7da52

SHA1
be6d1fe1d8e9ebda00b6dfe331483dba9be0e48e

SHA256
b211802b1ff3b74b539b1f74e55d2e90de3ed5f9037df7249f4730e3a55ac73b

SHA512
33ca3e2c70c50a2082340a6dccedfcf2677c72bfb1aa97e18f937819e5164466de94d2abaf6b48b1f24037e0d7b1bc9265c8abcda033f18006b18a27f77eff16

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

Filesize
1KB

MD5
95457d5629ea8e2e826c36393a3479a6

SHA1
0190011fc3613e735179a9501e72d732cb92ac3c

SHA256
ec3b4324057e9bd22e0542473afbdcd45f1077f91c862d208e8b3a4e1ced6c45

SHA512
9c4c7340307412863dfece7847532b6976cb7096c47fd3e8a557c8d3413a642a26a1645f460db4bcbda009bd322b082df80c0786bbf14a968038b19324d6d4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

Filesize
1KB

MD5
185038ec1cc9a69a109726c8989e4cf5

SHA1
bfb62037297e8533e5f3940a32fb9505acf4fe26

SHA256
48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

SHA512
bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

Filesize
1KB

MD5
4452ba3137984ace6ed5d36c599f9ab9

SHA1
ffce45b53d3a52cdb1a2bbc84868953397dc574e

SHA256
1591ea118c048049ac5c6de26bb47e239b5b93bcd450e3b42cdc365020e60bab

SHA512
4b1fbff1fb0037460bd448df29679e3209e9406c87d7aac579404fd066b59a9c8222cb05e4b02258841ef7a12061a6e4d1d73f51199b98b67cacd91c7fa34f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
4KB

MD5
ab1c59ed8830fc1670c48b2180367e67

SHA1
62380a15482a56772e814e668a7aedefcd3205ab

SHA256
101dd36df6fbe3de891652744694b22e4c6c32d496358372775ac203697e8cda

SHA512
5c47140938a208fc9e4d86d481a27c0e9f24a2c2f1281a2890753100cb8a44d7790040d015f912bcae3f454ac01d81b11c257877a3aa128b50b31d78ac7513b1

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
3350569bad492f3cf54e6da064a7d5cc

SHA1
7ec1de0bdccc409d2193d9827128580e9d53e458

SHA256
ba48989d9c5fb3320ded14ab48a372950948c0ba136893e564e3fe0fb3ce7d95

SHA512
044187e1e6ac4740689faca5e4f70ad274711f8610a60dcb01c711e5727892da994e458a79d2a6ae80ac1042367cb081553ab83c142f48d4f99996d288ac909b

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
3350569bad492f3cf54e6da064a7d5cc

SHA1
7ec1de0bdccc409d2193d9827128580e9d53e458

SHA256
ba48989d9c5fb3320ded14ab48a372950948c0ba136893e564e3fe0fb3ce7d95

SHA512
044187e1e6ac4740689faca5e4f70ad274711f8610a60dcb01c711e5727892da994e458a79d2a6ae80ac1042367cb081553ab83c142f48d4f99996d288ac909b

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
3350569bad492f3cf54e6da064a7d5cc

SHA1
7ec1de0bdccc409d2193d9827128580e9d53e458

SHA256
ba48989d9c5fb3320ded14ab48a372950948c0ba136893e564e3fe0fb3ce7d95

SHA512
044187e1e6ac4740689faca5e4f70ad274711f8610a60dcb01c711e5727892da994e458a79d2a6ae80ac1042367cb081553ab83c142f48d4f99996d288ac909b

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
memory/1244-151-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2024-160-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4408-154-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4408-155-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4464-132-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4464-172-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4464-173-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download