sectoprat | fa0b3328dda7aa7e953780fc8b6be127f747fc778f0bd3f0a2e885402c1c481e

Analysis

max time kernel
269s
max time network
311s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

164/setup164.exe
Size

32KB
MD5

2b8b61308a4482526a259ccab970bfd6
SHA1

b41513afc20d492b556eb2f0ed2bd3af9e7b496c
SHA256

09ad227263cf701b1ee840b6744be44e1bf2478073c20b5dfc8dd29fecade71b
SHA512

b88a63c46062d3c6a608bc650d82a4b7e69e284a72655de6e5249060acba9a566287256b80afd0197ed6f903a9bf19c6e5c4565bb5bdb1bb4cfd64281bdb6324
SSDEEP

384:7oI1gYZw33FUWUcC6TBhdsDgZH4o5NEvdlcn0ScPmPn0Avsl9EPg/s4Xsn+KvHKj:j7Zw33FNUf6Nhd/fQ1l+0vM0iT9

Score

10^/10

sectoprat execution rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1308-419-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat
behavioral1/memory/940-607-0x0000000000170000-0x0000000000236000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 35 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

Powershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2468	Powershell.exe
2160	Powershell.exe
3056	Powershell.exe
2956	Powershell.exe
2928	Powershell.exe
1196	Powershell.exe
3028	Powershell.exe
1752	Powershell.exe
2076	Powershell.exe
1500	Powershell.exe
2292	Powershell.exe
2608	Powershell.exe
2112	Powershell.exe
2864	Powershell.exe
1752	Powershell.exe
2624	powershell.exe
3064	powershell.exe
2928	powershell.exe
2832	powershell.exe
2112	Powershell.exe
3028	Powershell.exe
2660	powershell.exe
2864	Powershell.exe
2204	powershell.exe
2468	Powershell.exe
1500	Powershell.exe
1580	powershell.exe
2608	Powershell.exe
2096	powershell.exe
2208	powershell.exe
2952	powershell.exe
2688	powershell.exe
1816	powershell.exe
2512	powershell.exe
2972	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

Processes:

NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exeUniversalInstaller.exeUniversalInstaller.exeYjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exeUniversalInstaller.exeUniversalInstaller.exeNGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exeUniversalInstaller.exeUniversalInstaller.exeMTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exeUniversalInstaller.exeUniversalInstaller.exeMzllY2ExNjE3YmUzMjNkZmVhYzdhYzJjMjVkZDYzOTk.exeUniversalInstaller.exeUniversalInstaller.exeNzI1ZTk0NDk0MmJkMzg1MzVjYTRkZTg4MjQ2MDU0ODY.exeUniversalInstaller.exeUniversalInstaller.exe

pid	process
2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
1348	UniversalInstaller.exe
1228	UniversalInstaller.exe
1520	YjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exe
628	UniversalInstaller.exe
752	UniversalInstaller.exe
560	NGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exe
2680	UniversalInstaller.exe
928	UniversalInstaller.exe
3008	MTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exe
2584	UniversalInstaller.exe
2776	UniversalInstaller.exe
1804	MzllY2ExNjE3YmUzMjNkZmVhYzdhYzJjMjVkZDYzOTk.exe
2472	UniversalInstaller.exe
2060	UniversalInstaller.exe
2320	NzI1ZTk0NDk0MmJkMzg1MzVjYTRkZTg4MjQ2MDU0ODY.exe
1544	UniversalInstaller.exe
1660	UniversalInstaller.exe

Loads dropped DLL 25 IoCs

Processes:

NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exeUniversalInstaller.exeUniversalInstaller.execmd.exeYjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exeUniversalInstaller.exeUniversalInstaller.exeNGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exeUniversalInstaller.exeUniversalInstaller.exeMTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exeUniversalInstaller.exeUniversalInstaller.exeMzllY2ExNjE3YmUzMjNkZmVhYzdhYzJjMjVkZDYzOTk.exeUniversalInstaller.exeUniversalInstaller.exeNzI1ZTk0NDk0MmJkMzg1MzVjYTRkZTg4MjQ2MDU0ODY.exeUniversalInstaller.exeUniversalInstaller.exe

pid	process
2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
1348	UniversalInstaller.exe
1348	UniversalInstaller.exe
1228	UniversalInstaller.exe
2152	cmd.exe
1520	YjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exe
628	UniversalInstaller.exe
628	UniversalInstaller.exe
752	UniversalInstaller.exe
560	NGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exe
2680	UniversalInstaller.exe
2680	UniversalInstaller.exe
928	UniversalInstaller.exe
3008	MTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exe
2584	UniversalInstaller.exe
2584	UniversalInstaller.exe
2776	UniversalInstaller.exe
1804	MzllY2ExNjE3YmUzMjNkZmVhYzdhYzJjMjVkZDYzOTk.exe
2472	UniversalInstaller.exe
2472	UniversalInstaller.exe
2060	UniversalInstaller.exe
2320	NzI1ZTk0NDk0MmJkMzg1MzVjYTRkZTg4MjQ2MDU0ODY.exe
1544	UniversalInstaller.exe
1544	UniversalInstaller.exe
1660	UniversalInstaller.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

43 pastebin.com
3 pastebin.com
4 pastebin.com
11 pastebin.com
22 pastebin.com
29 pastebin.com
36 pastebin.com

flow	ioc
43	pastebin.com
3	pastebin.com
4	pastebin.com
11	pastebin.com
22	pastebin.com
29	pastebin.com
36	pastebin.com

Suspicious use of SetThreadContext 11 IoCs

Processes:

UniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.exe

description	pid	process	target process
PID 1228 set thread context of 2152	1228	UniversalInstaller.exe	cmd.exe
PID 2152 set thread context of 1308	2152	cmd.exe	MSBuild.exe
PID 752 set thread context of 1132	752	UniversalInstaller.exe	cmd.exe
PID 1132 set thread context of 944	1132	cmd.exe	MSBuild.exe
PID 928 set thread context of 804	928	UniversalInstaller.exe	cmd.exe
PID 804 set thread context of 940	804	cmd.exe	MSBuild.exe
PID 2776 set thread context of 912	2776	UniversalInstaller.exe	cmd.exe
PID 912 set thread context of 1692	912	cmd.exe	MSBuild.exe
PID 2060 set thread context of 748	2060	UniversalInstaller.exe	cmd.exe
PID 748 set thread context of 1620	748	cmd.exe	MSBuild.exe
PID 1660 set thread context of 1076	1660	UniversalInstaller.exe	cmd.exe

Drops file in Program Files directory 6 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\YjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\NGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\MTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\MzllY2ExNjE3YmUzMjNkZmVhYzdhYzJjMjVkZDYzOTk.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\NzI1ZTk0NDk0MmJkMzg1MzVjYTRkZTg4MjQ2MDU0ODY.exe	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Powershell.exePowershell.exepowershell.exepowershell.exePowershell.exePowershell.exepowershell.exepowershell.exeNDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exeUniversalInstaller.exeUniversalInstaller.execmd.exePowershell.exePowershell.exeYjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exepowershell.exeUniversalInstaller.exeUniversalInstaller.exeMSBuild.execmd.exeNGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exePowershell.exePowershell.exepowershell.exepowershell.exeUniversalInstaller.exeUniversalInstaller.execmd.exePowershell.exePowershell.exeMTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exepowershell.exepowershell.exe

pid	process
1752	Powershell.exe
2076	Powershell.exe
1752	Powershell.exe
1752	Powershell.exe
2076	Powershell.exe
2076	Powershell.exe
2928	powershell.exe
2208	powershell.exe
2468	Powershell.exe
2160	Powershell.exe
2468	Powershell.exe
2468	Powershell.exe
2832	powershell.exe
2160	Powershell.exe
2160	Powershell.exe
2952	powershell.exe
2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
1348	UniversalInstaller.exe
1228	UniversalInstaller.exe
1228	UniversalInstaller.exe
2152	cmd.exe
2152	cmd.exe
1500	Powershell.exe
2292	Powershell.exe
1500	Powershell.exe
1500	Powershell.exe
1520	YjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exe
2292	Powershell.exe
2292	Powershell.exe
2688	powershell.exe
1520	YjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exe
628	UniversalInstaller.exe
752	UniversalInstaller.exe
752	UniversalInstaller.exe
1308	MSBuild.exe
1308	MSBuild.exe
1132	cmd.exe
1132	cmd.exe
1308	MSBuild.exe
560	NGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exe
2608	Powershell.exe
3056	Powershell.exe
2608	Powershell.exe
2608	Powershell.exe
3056	Powershell.exe
3056	Powershell.exe
2624	powershell.exe
1816	powershell.exe
560	NGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exe
2680	UniversalInstaller.exe
928	UniversalInstaller.exe
928	UniversalInstaller.exe
804	cmd.exe
804	cmd.exe
2928	Powershell.exe
2112	Powershell.exe
2928	Powershell.exe
2928	Powershell.exe
2112	Powershell.exe
2112	Powershell.exe
3008	MTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exe
2660	powershell.exe
2512	powershell.exe

Suspicious behavior: MapViewOfSection 16 IoCs

Processes:

UniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.exe

pid	process
1228	UniversalInstaller.exe
2152	cmd.exe
2152	cmd.exe
752	UniversalInstaller.exe
1132	cmd.exe
1132	cmd.exe
928	UniversalInstaller.exe
804	cmd.exe
804	cmd.exe
2776	UniversalInstaller.exe
912	cmd.exe
912	cmd.exe
2060	UniversalInstaller.exe
748	cmd.exe
748	cmd.exe
1660	UniversalInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Powershell.exePowershell.exepowershell.exepowershell.exeNDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe

description	pid	process
Token: SeDebugPrivilege	2076	Powershell.exe
Token: SeDebugPrivilege	1752	Powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeBackupPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeRestorePrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Token: SeChangeNotifyPrivilege	2576	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

javaw.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeMSBuild.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exe

pid	process
2432	javaw.exe
2432	javaw.exe
1348	UniversalInstaller.exe
1348	UniversalInstaller.exe
1228	UniversalInstaller.exe
1228	UniversalInstaller.exe
628	UniversalInstaller.exe
628	UniversalInstaller.exe
752	UniversalInstaller.exe
752	UniversalInstaller.exe
1308	MSBuild.exe
2680	UniversalInstaller.exe
2680	UniversalInstaller.exe
928	UniversalInstaller.exe
928	UniversalInstaller.exe
2584	UniversalInstaller.exe
2584	UniversalInstaller.exe
2776	UniversalInstaller.exe
2776	UniversalInstaller.exe
2472	UniversalInstaller.exe
2472	UniversalInstaller.exe
2060	UniversalInstaller.exe
2060	UniversalInstaller.exe
1544	UniversalInstaller.exe
1544	UniversalInstaller.exe
1660	UniversalInstaller.exe
1660	UniversalInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup164.exejavaw.exePowershell.exePowershell.exeexplorer.exePowershell.exe

description	pid	process	target process
PID 2204 wrote to memory of 2432	2204	setup164.exe	javaw.exe
PID 2204 wrote to memory of 2432	2204	setup164.exe	javaw.exe
PID 2204 wrote to memory of 2432	2204	setup164.exe	javaw.exe
PID 2204 wrote to memory of 2432	2204	setup164.exe	javaw.exe
PID 2204 wrote to memory of 2432	2204	setup164.exe	javaw.exe
PID 2204 wrote to memory of 2432	2204	setup164.exe	javaw.exe
PID 2204 wrote to memory of 2432	2204	setup164.exe	javaw.exe
PID 2432 wrote to memory of 1752	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 1752	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 1752	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 1752	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 1752	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 1752	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 1752	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2076	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2076	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2076	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2076	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2076	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2076	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2076	2432	javaw.exe	Powershell.exe
PID 1752 wrote to memory of 2928	1752	Powershell.exe	powershell.exe
PID 1752 wrote to memory of 2928	1752	Powershell.exe	powershell.exe
PID 1752 wrote to memory of 2928	1752	Powershell.exe	powershell.exe
PID 1752 wrote to memory of 2928	1752	Powershell.exe	powershell.exe
PID 1752 wrote to memory of 2928	1752	Powershell.exe	powershell.exe
PID 1752 wrote to memory of 2928	1752	Powershell.exe	powershell.exe
PID 1752 wrote to memory of 2928	1752	Powershell.exe	powershell.exe
PID 2076 wrote to memory of 2208	2076	Powershell.exe	powershell.exe
PID 2076 wrote to memory of 2208	2076	Powershell.exe	powershell.exe
PID 2076 wrote to memory of 2208	2076	Powershell.exe	powershell.exe
PID 2076 wrote to memory of 2208	2076	Powershell.exe	powershell.exe
PID 2076 wrote to memory of 2208	2076	Powershell.exe	powershell.exe
PID 2076 wrote to memory of 2208	2076	Powershell.exe	powershell.exe
PID 2076 wrote to memory of 2208	2076	Powershell.exe	powershell.exe
PID 2432 wrote to memory of 2480	2432	javaw.exe	explorer.exe
PID 2432 wrote to memory of 2480	2432	javaw.exe	explorer.exe
PID 2432 wrote to memory of 2480	2432	javaw.exe	explorer.exe
PID 2432 wrote to memory of 2480	2432	javaw.exe	explorer.exe
PID 2432 wrote to memory of 2480	2432	javaw.exe	explorer.exe
PID 2432 wrote to memory of 2480	2432	javaw.exe	explorer.exe
PID 2432 wrote to memory of 2480	2432	javaw.exe	explorer.exe
PID 2612 wrote to memory of 2576	2612	explorer.exe	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
PID 2612 wrote to memory of 2576	2612	explorer.exe	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
PID 2612 wrote to memory of 2576	2612	explorer.exe	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
PID 2612 wrote to memory of 2576	2612	explorer.exe	NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
PID 2432 wrote to memory of 2468	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2468	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2468	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2468	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2468	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2468	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2468	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2160	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2160	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2160	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2160	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2160	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2160	2432	javaw.exe	Powershell.exe
PID 2432 wrote to memory of 2160	2432	javaw.exe	Powershell.exe
PID 2468 wrote to memory of 2832	2468	Powershell.exe	powershell.exe
PID 2468 wrote to memory of 2832	2468	Powershell.exe	powershell.exe
PID 2468 wrote to memory of 2832	2468	Powershell.exe	powershell.exe
PID 2468 wrote to memory of 2832	2468	Powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\164\setup164.exe
"C:\Users\Admin\AppData\Local\Temp\164\setup164.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\164\jre\bin\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\164\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\asm-all.jar;lib\commons-email.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\explorer.exe
explorer "C:\Program Files\Windows NT\NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe"
3⤵
PID:2480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\SysWOW64\explorer.exe
explorer "C:\Program Files\Windows NT\YjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exe"
3⤵
PID:920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:1580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Windows\SysWOW64\explorer.exe
explorer "C:\Program Files\Windows NT\NGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exe"
3⤵
PID:2592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\SysWOW64\explorer.exe
explorer "C:\Program Files\Windows NT\MTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exe"
3⤵
PID:1132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\SysWOW64\explorer.exe
explorer "C:\Program Files\Windows NT\MzllY2ExNjE3YmUzMjNkZmVhYzdhYzJjMjVkZDYzOTk.exe"
3⤵
PID:3048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
4⤵
- Command and Scripting Interpreter: PowerShell
PID:2972

C:\Windows\SysWOW64\explorer.exe
explorer "C:\Program Files\Windows NT\NzI1ZTk0NDk0MmJkMzg1MzVjYTRkZTg4MjQ2MDU0ODY.exe"
3⤵
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
4⤵
- Command and Scripting Interpreter: PowerShell
PID:2096

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Program Files\Windows NT\NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
"C:\Program Files\Windows NT\NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1348

C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3048

C:\Program Files\Windows NT\YjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exe
"C:\Program Files\Windows NT\YjRjYzk1MzljMzYzMjlkYjlmMzhlMDAzNmU0YzY0YzY.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:628

C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2208

C:\Program Files\Windows NT\NGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exe
"C:\Program Files\Windows NT\NGE2MDVmZTE5YjY4ZGM4ODYxZTkzYjAwNjdiNjU2N2E.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:940

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1872

C:\Program Files\Windows NT\MTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exe
"C:\Program Files\Windows NT\MTA3Zjc0MmM4ZjZkN2E4ODhhNDczYzQxZDNjYzRmZGU.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:1692

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:372

C:\Program Files\Windows NT\MzllY2ExNjE3YmUzMjNkZmVhYzdhYzJjMjVkZDYzOTk.exe
"C:\Program Files\Windows NT\MzllY2ExNjE3YmUzMjNkZmVhYzdhYzJjMjVkZDYzOTk.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804

C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:1620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1108

C:\Program Files\Windows NT\NzI1ZTk0NDk0MmJkMzg1MzVjYTRkZTg4MjQ2MDU0ODY.exe
"C:\Program Files\Windows NT\NzI1ZTk0NDk0MmJkMzg1MzVjYTRkZTg4MjQ2MDU0ODY.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320

C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\NDdiMjBjYjMyNjgyNWM2NDI0YTdiMGYzMWEyNzY0OTQ.exe
Filesize
6.5MB

MD5
680ffe6980363c348001cecf37c0b3c9

SHA1
aee40ae32edea2bf27649579780264ea4c82c376

SHA256
430548ce3a1ff4274119c3445988796606396a8026826c4dea631d89e3fd0d08

SHA512
84c9197267ea5ccf0508f76c43afec1eb5770add46f92500518092240428413b325582d29e9ef6b47d98d78603a9de791157bfe19e33548099db554115e7fcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\242505fd
Filesize
5.9MB

MD5
fa85f765b7af9dcca3be61f25a642918

SHA1
ba8740145c78ddf667a31d0ef5f53d6107523d60

SHA256
2d7c77b907b3a66f59942f82c04bbc36bfe4498b648021aaae8178c0732dc7bc

SHA512
9a333aad5242806656aa643b73e22b15b81851260c9a78ba82a7a2b06a8d8007ca596e60d02df8b4d58d2b3772eff289c86ff26f741cc18e7cb9a7b51eb6d9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ee85bb
Filesize
1.4MB

MD5
f1079708dd3347f2ee136fcee1925201

SHA1
56f596942962018ea250b26110f1065c74c6117f

SHA256
5a13ed9887f2f50734b92eb0f41456e4a4385a11b39038625933b84337fa006f

SHA512
9be9c044c9cb63db5ed6e28a42fa45f33803eb844efa744a42829d8c25421be1a1b050d8039c78b7b41d04ba5f0483727c5d0fbfb1125c371302e07bf179ad57

Download Submit
C:\Users\Admin\AppData\Local\Temp\29b6f270
Filesize
1.4MB

MD5
7bfc435d6d5edbb5a8a0eb61d039fefb

SHA1
31d453c100614553d87b852e047d508fc0e6ee4b

SHA256
4d02e1d260f6a023a1c71cfe47b9ba236656994c710f6322fb289bac27a8eee9

SHA512
61c4b71c61a75ac084f3c02eeee458a9b81e98b1e3025d9e2b704865d59a9f4f89e6d69d0ccf0c441534f5bab6b38fc14162dac54698f862066571d51d3a4392

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChannelStream\UIxMarketPlugin.dll
Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChannelStream\incurable.wmv
Filesize
1.3MB

MD5
5616178af97894358c3d01aeaf683ecf

SHA1
438f31828f091ff64e93f57ded65714dd0510465

SHA256
6e109d59070e53c408d698dbc77a7e2308dc708a7e109076332d16d27cf363cb

SHA512
a8e379b38298d8c565832ffdaaabd20c8a70fa94a5f36f6e9026048367cbc7c9d8c58b25f1760a6247f204de4de8e03c8ae62c02015547fd8339fd7013c7a785

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChannelStream\relay.dll
Filesize
1.5MB

MD5
fe637ff7a6aae4a74306bae07c561b11

SHA1
22e50d0b680ef4110cd156d0da8b965be3b31968

SHA256
6122b4ceb394e4a441b4f7ac92745b1aa64b6c83a4101d6d326e130efa5a5d10

SHA512
97a68dfae7e387684a6f6bb00b68688f91e2135f4b60b6bd551291518f77b48b718b72bca8cca1dbf6f2c8721e5ee1b2bb6fbe68989c931ddbc8b19c741cd64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChannelStream\storiette.psd
Filesize
15KB

MD5
e130d08bc94db4675e7883f1643ed6de

SHA1
3b292178565112dc8361c1aca1a170a2158c7f0c

SHA256
97abec36adc375fb4f1588d31bba8c7bbbcc994b683ded4740716a5e91f8dfcf

SHA512
7575364958befe5866d7a2476c590bbf920880eab3e48410fd47142fe7168455404d8c13e270d435db1416151115fae0c85e656974d78682c1447ae4384eb467

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA80.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
70aacc9eb12e8063a41b8e00cba532c4

SHA1
b9bb2f95acad0df251d7374e090ef9588f8aa3d2

SHA256
84672dc85871366a72f9e79e87fe246e0718a0c6e7a31d0f534cd3c73747a775

SHA512
db9024d44c6733899275928049c06b373e5098905f5d719274a2bab4668c30ec4f65a1d27fa5ad44a84aedcbd426fa39c07c6bc83cabdcab271bf6b51063d4ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
bd2b94126914530f5239b3f51bdbcbc2

SHA1
108a3ca27883eabed3d014da13e53b4170de64fa

SHA256
682eefe7294458e0f4ce5605723d083af4954330d87f150f20df3fe607fb3eb4

SHA512
c9ee3d3ea9c09d051112500b7c888aaf1c97d9059a84dae3881462328b42de019f92312e99e9658e833a129ba8ed706d8caf01910a117f5aa18ccf8f15e6d525

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
memory/940-607-0x0000000000170000-0x0000000000236000-memory.dmp

Filesize
792KB

Download
memory/1308-419-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2204-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2432-87-0x0000000002758000-0x0000000002760000-memory.dmp

Filesize
32KB

Download
memory/2432-135-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2432-43-0x0000000002758000-0x0000000002760000-memory.dmp

Filesize
32KB

Download
memory/2432-46-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2432-45-0x0000000002690000-0x00000000026B8000-memory.dmp

Filesize
160KB

Download
memory/2432-51-0x0000000002768000-0x0000000002770000-memory.dmp

Filesize
32KB

Download
memory/2432-50-0x00000000026D8000-0x00000000026E0000-memory.dmp

Filesize
32KB

Download
memory/2432-55-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2432-54-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2432-59-0x0000000002778000-0x0000000002780000-memory.dmp

Filesize
32KB

Download
memory/2432-58-0x0000000002728000-0x0000000002730000-memory.dmp

Filesize
32KB

Download
memory/2432-63-0x00000000026C8000-0x00000000026D0000-memory.dmp

Filesize
32KB

Download
memory/2432-64-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2432-62-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2432-66-0x0000000002738000-0x0000000002740000-memory.dmp

Filesize
32KB

Download
memory/2432-68-0x0000000002788000-0x0000000002790000-memory.dmp

Filesize
32KB

Download
memory/2432-72-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2432-71-0x0000000002740000-0x0000000002748000-memory.dmp

Filesize
32KB

Download
memory/2432-75-0x0000000002798000-0x00000000027A0000-memory.dmp

Filesize
32KB

Download
memory/2432-74-0x0000000002748000-0x0000000002750000-memory.dmp

Filesize
32KB

Download
memory/2432-79-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2432-78-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/2432-85-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-88-0x00000000027A8000-0x00000000027B0000-memory.dmp

Filesize
32KB

Download
memory/2432-40-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/2432-93-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download
memory/2432-92-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2432-96-0x00000000027B8000-0x00000000027C0000-memory.dmp

Filesize
32KB

Download
memory/2432-95-0x0000000002768000-0x0000000002770000-memory.dmp

Filesize
32KB

Download
memory/2432-100-0x00000000027C0000-0x00000000027C8000-memory.dmp

Filesize
32KB

Download
memory/2432-99-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2432-104-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-132-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-41-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-134-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2432-140-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2432-142-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2432-141-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2432-137-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-133-0x0000000002778000-0x0000000002780000-memory.dmp

Filesize
32KB

Download
memory/2432-143-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-149-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-148-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-159-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-160-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-168-0x0000000002788000-0x0000000002790000-memory.dmp

Filesize
32KB

Download
memory/2432-187-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2432-207-0x0000000002798000-0x00000000027A0000-memory.dmp

Filesize
32KB

Download
memory/2432-208-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2432-209-0x00000000027A8000-0x00000000027B0000-memory.dmp

Filesize
32KB

Download
memory/2432-220-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download
memory/2432-221-0x00000000027B8000-0x00000000027C0000-memory.dmp

Filesize
32KB

Download
memory/2432-222-0x00000000027C0000-0x00000000027C8000-memory.dmp

Filesize
32KB

Download
memory/2432-38-0x0000000002748000-0x0000000002750000-memory.dmp

Filesize
32KB

Download
memory/2432-36-0x0000000002740000-0x0000000002748000-memory.dmp

Filesize
32KB

Download
memory/2432-34-0x0000000002738000-0x0000000002740000-memory.dmp

Filesize
32KB

Download
memory/2432-30-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/2432-31-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2432-32-0x00000000026C8000-0x00000000026D0000-memory.dmp

Filesize
32KB

Download
memory/2432-27-0x0000000002728000-0x0000000002730000-memory.dmp

Filesize
32KB

Download
memory/2432-13-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2432-10-0x00000000026D8000-0x00000000026E0000-memory.dmp

Filesize
32KB

Download
memory/2432-4-0x0000000002690000-0x00000000026B8000-memory.dmp

Filesize
160KB

Download
memory/2432-228-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2432-227-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2432-230-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2432-229-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download