darkcomet | f5d3a3fe964d364b810ed1d6cbad6ee89da1b0586e80f2794b55d102d8536168

Analysis

max time kernel
52s
max time network
81s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-02-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TronMiner-2024/TronMiner-2024.exe
Size

2.0MB
MD5

15307910d7c9a3a1215e4e4e4f500895
SHA1

49a7df2a0ebfb6556c1e17cc8baf8cd5756eded9
SHA256

514caaa6fbcdf64af8cbb24487ba1f89d1219ac25988c51a34fc850f6bf0b8e5
SHA512

9b9f339a4c7bbf1b824e2efcad3c8fb84bd47b153d29f459a9e50624a83481a81441db0aaf9fb2eae0842aa5c3358e103bad28a7a5b45f152ebe28fccbeb4453
SSDEEP

49152:qoUM9eEZyfky3a7B9L787fYIdLVYZcl+:/UMHyR3sB9q7CKA

Score

10^/10

darkcomet warzonerat new-july-july4-02 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2604-253-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2604-267-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 1 IoCs

Processes:

InstallUtil.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts InstallUtil.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe

Executes dropped EXE 12 IoCs

Processes:

ADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEDRVVIDEO.EXEWINLOGONL.EXEAUDIOPT.EXEWINCPUL.EXEWINPLAY.EXE

pid	process
2460	ADOBESERV.EXE
1872	AUDIOPT.EXE
2972	DRVVIDEO.EXE
2036	WINCPUL.EXE
2804	WINLOGONL.EXE
864	WINPLAY.EXE
1480	ADOBESERV.EXE
1476	DRVVIDEO.EXE
836	WINLOGONL.EXE
1104	AUDIOPT.EXE
592	WINCPUL.EXE
1800	WINPLAY.EXE

Loads dropped DLL 12 IoCs

Processes:

InstallUtil.exe

pid	process
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe
2692	InstallUtil.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2692-17-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2692-19-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2692-22-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2692-25-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2692-26-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2692-28-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2692-134-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2692-199-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2692-127-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/1736-265-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TronMiner-2024.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	TronMiner-2024.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

TronMiner-2024.exe

description pid process target process

PID 2352 set thread context of 2692 2352 TronMiner-2024.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2724 3020 WerFault.exe powershell.exe

description	pid	process	target process
PID 2352 set thread context of 2692	2352	TronMiner-2024.exe	InstallUtil.exe

pid	pid_target	process	target process
2724	3020	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exeTronMiner-2024.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3020	powershell.exe
2352	TronMiner-2024.exe
3008	powershell.exe
1192	powershell.exe
1816	powershell.exe
2884	powershell.exe
604	powershell.exe
1672	powershell.exe
2044	powershell.exe
2400	powershell.exe
1828	powershell.exe
1620	powershell.exe
2620	powershell.exe
560	powershell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exeTronMiner-2024.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAUDIOPT.EXE

description	pid	process
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2352	TronMiner-2024.exe
Token: SeIncreaseQuotaPrivilege	2692	InstallUtil.exe
Token: SeSecurityPrivilege	2692	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	2692	InstallUtil.exe
Token: SeLoadDriverPrivilege	2692	InstallUtil.exe
Token: SeSystemProfilePrivilege	2692	InstallUtil.exe
Token: SeSystemtimePrivilege	2692	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	2692	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2692	InstallUtil.exe
Token: SeCreatePagefilePrivilege	2692	InstallUtil.exe
Token: SeBackupPrivilege	2692	InstallUtil.exe
Token: SeRestorePrivilege	2692	InstallUtil.exe
Token: SeShutdownPrivilege	2692	InstallUtil.exe
Token: SeDebugPrivilege	2692	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	2692	InstallUtil.exe
Token: SeChangeNotifyPrivilege	2692	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	2692	InstallUtil.exe
Token: SeUndockPrivilege	2692	InstallUtil.exe
Token: SeManageVolumePrivilege	2692	InstallUtil.exe
Token: SeImpersonatePrivilege	2692	InstallUtil.exe
Token: SeCreateGlobalPrivilege	2692	InstallUtil.exe
Token: 33	2692	InstallUtil.exe
Token: 34	2692	InstallUtil.exe
Token: 35	2692	InstallUtil.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1872	AUDIOPT.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

2692 InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TronMiner-2024.exeInstallUtil.exeDRVVIDEO.EXEAUDIOPT.EXEWINCPUL.EXEADOBESERV.EXEWINLOGONL.EXE

description	pid	process	target process
PID 2352 wrote to memory of 3020	2352	TronMiner-2024.exe	powershell.exe
PID 2352 wrote to memory of 3020	2352	TronMiner-2024.exe	powershell.exe
PID 2352 wrote to memory of 3020	2352	TronMiner-2024.exe	powershell.exe
PID 2352 wrote to memory of 3020	2352	TronMiner-2024.exe	powershell.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2352 wrote to memory of 2692	2352	TronMiner-2024.exe	InstallUtil.exe
PID 2692 wrote to memory of 2460	2692	InstallUtil.exe	ADOBESERV.EXE
PID 2692 wrote to memory of 2460	2692	InstallUtil.exe	ADOBESERV.EXE
PID 2692 wrote to memory of 2460	2692	InstallUtil.exe	ADOBESERV.EXE
PID 2692 wrote to memory of 2460	2692	InstallUtil.exe	ADOBESERV.EXE
PID 2692 wrote to memory of 1872	2692	InstallUtil.exe	AUDIOPT.EXE
PID 2692 wrote to memory of 1872	2692	InstallUtil.exe	AUDIOPT.EXE
PID 2692 wrote to memory of 1872	2692	InstallUtil.exe	AUDIOPT.EXE
PID 2692 wrote to memory of 1872	2692	InstallUtil.exe	AUDIOPT.EXE
PID 2692 wrote to memory of 2972	2692	InstallUtil.exe	DRVVIDEO.EXE
PID 2692 wrote to memory of 2972	2692	InstallUtil.exe	DRVVIDEO.EXE
PID 2692 wrote to memory of 2972	2692	InstallUtil.exe	DRVVIDEO.EXE
PID 2692 wrote to memory of 2972	2692	InstallUtil.exe	DRVVIDEO.EXE
PID 2692 wrote to memory of 2036	2692	InstallUtil.exe	WINCPUL.EXE
PID 2692 wrote to memory of 2036	2692	InstallUtil.exe	WINCPUL.EXE
PID 2692 wrote to memory of 2036	2692	InstallUtil.exe	WINCPUL.EXE
PID 2692 wrote to memory of 2036	2692	InstallUtil.exe	WINCPUL.EXE
PID 2972 wrote to memory of 1192	2972	DRVVIDEO.EXE	powershell.exe
PID 2972 wrote to memory of 1192	2972	DRVVIDEO.EXE	powershell.exe
PID 2972 wrote to memory of 1192	2972	DRVVIDEO.EXE	powershell.exe
PID 2972 wrote to memory of 1192	2972	DRVVIDEO.EXE	powershell.exe
PID 1872 wrote to memory of 3008	1872	AUDIOPT.EXE	powershell.exe
PID 1872 wrote to memory of 3008	1872	AUDIOPT.EXE	powershell.exe
PID 1872 wrote to memory of 3008	1872	AUDIOPT.EXE	powershell.exe
PID 1872 wrote to memory of 3008	1872	AUDIOPT.EXE	powershell.exe
PID 2692 wrote to memory of 2804	2692	InstallUtil.exe	WINLOGONL.EXE
PID 2692 wrote to memory of 2804	2692	InstallUtil.exe	WINLOGONL.EXE
PID 2692 wrote to memory of 2804	2692	InstallUtil.exe	WINLOGONL.EXE
PID 2692 wrote to memory of 2804	2692	InstallUtil.exe	WINLOGONL.EXE
PID 2692 wrote to memory of 864	2692	InstallUtil.exe	WINPLAY.EXE
PID 2692 wrote to memory of 864	2692	InstallUtil.exe	WINPLAY.EXE
PID 2692 wrote to memory of 864	2692	InstallUtil.exe	WINPLAY.EXE
PID 2692 wrote to memory of 864	2692	InstallUtil.exe	WINPLAY.EXE
PID 2036 wrote to memory of 1816	2036	WINCPUL.EXE	powershell.exe
PID 2036 wrote to memory of 1816	2036	WINCPUL.EXE	powershell.exe
PID 2036 wrote to memory of 1816	2036	WINCPUL.EXE	powershell.exe
PID 2036 wrote to memory of 1816	2036	WINCPUL.EXE	powershell.exe
PID 2460 wrote to memory of 2884	2460	ADOBESERV.EXE	powershell.exe
PID 2460 wrote to memory of 2884	2460	ADOBESERV.EXE	powershell.exe
PID 2460 wrote to memory of 2884	2460	ADOBESERV.EXE	powershell.exe
PID 2460 wrote to memory of 2884	2460	ADOBESERV.EXE	powershell.exe
PID 2692 wrote to memory of 1480	2692	InstallUtil.exe	ADOBESERV.EXE
PID 2692 wrote to memory of 1480	2692	InstallUtil.exe	ADOBESERV.EXE
PID 2692 wrote to memory of 1480	2692	InstallUtil.exe	ADOBESERV.EXE
PID 2692 wrote to memory of 1480	2692	InstallUtil.exe	ADOBESERV.EXE
PID 2804 wrote to memory of 604	2804	WINLOGONL.EXE	powershell.exe
PID 2804 wrote to memory of 604	2804	WINLOGONL.EXE	powershell.exe
PID 2804 wrote to memory of 604	2804	WINLOGONL.EXE	powershell.exe
PID 2804 wrote to memory of 604	2804	WINLOGONL.EXE	powershell.exe
PID 2692 wrote to memory of 1104	2692	InstallUtil.exe	AUDIOPT.EXE

C:\Users\Admin\AppData\Local\Temp\TronMiner-2024\TronMiner-2024.exe
"C:\Users\Admin\AppData\Local\Temp\TronMiner-2024\TronMiner-2024.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 200
3⤵
- Program crash
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Executes dropped EXE
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Executes dropped EXE
PID:836

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Executes dropped EXE
PID:592

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Executes dropped EXE
PID:1476

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Executes dropped EXE
PID:1104

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Executes dropped EXE
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:2140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
320KB

MD5
e698a97e38703821d33102c4906638f8

SHA1
9deb81671a89913bbdbefd65b5b5f35ba0570ae3

SHA256
268c6a9e6efa55ca7494143852421ff13a41643d2d82c2aa0c2a4cf7a6bd2464

SHA512
cfcbf3d03677831e30246519946bdead8d23b90cd98b2a07524861f4b20bfa9573799c9af23fa7327628cc12c3275422338486094b8a5ea7c5d874866cf3bad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
256KB

MD5
e91feda632c4ff264ef7ac776ef879bf

SHA1
38c95e7d7844fa21ddb1baa75f0df93ec052bf81

SHA256
66027c8d1d6f55408738abba1a7ab9d1474d8d29b714145df78e33c6029a7874

SHA512
eab660ea7935c47869018033c81e3de05efee2e9849244936fcb6ad97b34dfad64126f7bdb2068cf5df93507796350c76bf85ce4b0e5faf53661ca6eaedfd671

Download Submit
C:\Users\Admin\AppData\Roaming\Eubdk\Mpkly.exe
Filesize
320KB

MD5
37478e7f6f8e25e2843796e35b401113

SHA1
cbff5c3a935758c3343bb54e1bc04bf48bbccaa7

SHA256
9b48687d74295c732ae990c82dd6201c7c9d0a5dbc4737fee8fcae54aa4e8ca8

SHA512
fda91407c709e84c4b2a4efe63ba58058b0dfa8dedce23e7850ebd2e900b2171b346fd48e6b9425fc8a89b43eb1458ffd8e776a715c635d274bf8e578dbffbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Gctkfrz\Lsqbtn.exe
Filesize
576KB

MD5
4ca8e22c377579d0214fdbdcd6432081

SHA1
3b5f2a9c474aee2bfe2ca7a76e19fc1e2775472a

SHA256
5d91ccfd6200b19a51aab829c8363105e0914b018657ef31d7709ca2d30f1f0c

SHA512
9ec5592cb09ccbb953e32bc2dc05c827cd733f6ae018fe4cf4735f8d7f447ddbaf11f9699957e74b2891a68de07e381737d2db100c6f00fcb3dd62aeeb115e85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
9866f4df29c8205814fc986f3d1ac3de

SHA1
ce0a5c0d020a42bbc58ad5b131c31e7284df64d3

SHA256
1172dd264fd33e726102af88d4f04c311d037458a7a4117f06dffbdaf723ff23

SHA512
480ac446294c806fb90ca55414e1400fec85040447d485de1daa61b5ea6f2a26dca5bc3be63e9313e99e2b79781c70006bf0e1689c97b7768ebebeddf02243d8

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
memory/592-163-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/836-164-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/836-160-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/852-306-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/864-107-0x00000000006A0000-0x00000000006F0000-memory.dmp

Filesize
320KB

Download
memory/864-92-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/864-96-0x0000000000EA0000-0x0000000000F1C000-memory.dmp

Filesize
496KB

Download
memory/1104-162-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/1104-166-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/1192-153-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/1192-138-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-155-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/1480-154-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/1736-265-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1800-178-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download
memory/1800-165-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/1816-173-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1816-177-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1816-172-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-175-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-176-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1872-59-0x0000000004710000-0x0000000004798000-memory.dmp

Filesize
544KB

Download
memory/1872-68-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/1872-58-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/1872-57-0x0000000000060000-0x0000000000118000-memory.dmp

Filesize
736KB

Download
memory/2036-75-0x00000000005A0000-0x00000000005FC000-memory.dmp

Filesize
368KB

Download
memory/2036-73-0x00000000012F0000-0x0000000001378000-memory.dmp

Filesize
544KB

Download
memory/2036-76-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2036-74-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-2-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2352-3-0x0000000005360000-0x000000000554C000-memory.dmp

Filesize
1.9MB

Download
memory/2352-12-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2352-0-0x0000000000DD0000-0x0000000000FD6000-memory.dmp

Filesize
2.0MB

Download
memory/2352-4-0x00000000005C0000-0x000000000060C000-memory.dmp

Filesize
304KB

Download
memory/2352-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-11-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-24-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2460-54-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/2460-55-0x00000000008D0000-0x00000000009CA000-memory.dmp

Filesize
1000KB

Download
memory/2460-71-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2460-72-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/2460-85-0x0000000005290000-0x0000000005332000-memory.dmp

Filesize
648KB

Download
memory/2592-255-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2604-247-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2604-253-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2604-267-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2604-241-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2604-235-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2604-300-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-127-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2692-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-28-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2692-26-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2692-134-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2692-199-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2692-16-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2692-17-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2692-19-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2692-29-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2692-22-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2692-25-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2804-86-0x0000000000FF0000-0x0000000001076000-memory.dmp

Filesize
536KB

Download
memory/2804-93-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/2804-84-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/2804-94-0x0000000000AC0000-0x0000000000B1A000-memory.dmp

Filesize
360KB

Download
memory/2884-188-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2884-194-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-195-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2972-56-0x0000000001000000-0x0000000001086000-memory.dmp

Filesize
536KB

Download
memory/2972-66-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/2972-60-0x00000000007C0000-0x000000000081C000-memory.dmp

Filesize
368KB

Download
memory/2972-61-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/3008-114-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/3008-122-0x0000000002D40000-0x0000000002D80000-memory.dmp

Filesize
256KB

Download
memory/3008-133-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/3008-135-0x0000000002D40000-0x0000000002D80000-memory.dmp

Filesize
256KB

Download
memory/3008-136-0x0000000002D40000-0x0000000002D80000-memory.dmp

Filesize
256KB

Download
memory/3020-14-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-13-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-10-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/3020-9-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-8-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/3020-7-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download